Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

chjatwork

2 Intern

 • 

356 Posts

6930

April 18th, 2017 10:00

Isilon - SMB share access troubleshooting

Community,

This test cluster is giving me fits and trying to figure out why I cant seem to access this SMB share I created?  Could it be the directory permissions that stopping me?

Directory Permissions:

[MYCLUSTER]-2# ls -lzed ifs

drwxrwx--x    7 root  wheel  136 Oct  3  2015 ifs

OWNER: user:root

GROUP: group:wheel

SYNTHETIC ACL

0: user:root allow dir_gen_read,dir_gen_write,dir_gen_execute,std_write_dac,delete_child

1: group:wheel allow dir_gen_read,dir_gen_write,dir_gen_execute,delete_child

2: everyone allow dir_gen_execute,dir_read_attr

Share Permissions:

[MYCLUSTER]-2# isi smb share view test$

                                     Share Name: test$

                                           Path: /ifs

                                    Description:

                     Client-side Caching Policy: manual

Automatically expand user names or domain names: False

Automatically create home directories for users: False

                                      Browsable: True

Permissions:

Account                   Account Type  Run as Root  Permission Type  Permission

--------------------------------------------------------------------------------------------------------------------

[DOMAINNAME]\Me user                False            allow                   full

--------------------------------------------------------------------------------------------------------------------

Total: 1

          Access Based Enumeration: No

Access Based Enumeration Root Only: No

             Allow Delete Readonly: No

              Allow Execute Always: No

                     Change Notify: norecurse

                Create Permissions: default acl

             Directory Create Mask: 0775

             Directory Create Mode: 0000

                  File Create Mask: 0764

                  File Create Mode: 0100

                    Hide Dot Files: No

                          Host ACL: -

                 Impersonate Guest: never

                  Impersonate User:

                 Mangle Byte Start: 0XED00

                        Mangle Map: 0x01-0x1F:-1, 0x22:-1, 0x2A:-1, 0x3A:-1, 0x3C:-1, 0x3E:-1, 0x3F:-1, 0x5C:-1

                  Ntfs ACL Support: Yes

                           Oplocks: Yes

                      Strict Flush: Yes

                    Strict Locking: No

Everytime I try to access this from my windows workstation I get "Windows cannot access [Server]"

Thank you,

crklosterman

450 Posts

April 18th, 2017 13:00

I mean at first glance of course naming it with a dollar sign $ will administratively hide it. But I'm guessing you know that.  Are you trying to access it via \\smartconnectzonename.domain.xyz\test$ and it's not working?  Then odds are pretty good that it's an NTFS permissions issue.  That said your path is /ifs, and NEVER put NTFS ACLs on /ifs, you'll probably break the cluster.  Are you just trying to allow yourself as an administrator to browse the tree?  Then give just your admin account run-as-root rights to the share.  Be extremely careful with how you use this because as the name implies it gives you effectively root access over SMB.  While useful for administrative purposes or for data migrations, it can be a real mess if you ever put that on a user-facing share.

The other possible issue is an SPN issue.

'isi auth ads spn check --domain=domain.xyz"

will show you if you have any SPNs missing.

Hope it helps,

Chris Klosterman

Principal SE, Datadobi

chris.klosterman@datadobi.com

chjatwork

2 Intern

 • 

356 Posts

April 18th, 2017 16:00

Yes, I am intensionally hiding the share.  I am trying to access it via \\[SERVER.DOMAIN.xyz]\test$ and its not working.  I have no plans to add NFTS permissions to /ifs and was hoping I wouldn't have to.  Yes, per the instructions for the Isilon Search tool, I need to give it permissions to access the share for /ifs.  Isilon Search don't require a run-as-root right to perform this task of scanning the entire filesystem. 

I will verify the SPN isn't an issue and reply to this tomorrow morning.

Thank you,

chjatwork

2 Intern

 • 

356 Posts

April 19th, 2017 06:00

Ok this is what I got:

    

SERVER-2# isi auth ads spn check --domain=DOMAIN.DOMAIN.xyz

Missing Service Principal Names:

    nfs/SERVER3

    nfs/SERVER.DOMAIN.xyz

    nfs/SERVER-nfs.DOMAIN.xyz

    nfs/SERVER-mgmt.DOMAIN.xyz

Additional Service Principal Names:

    HOST/SERVER1

    HOST/SERVER1.DOMAIN.xyz

SERVER-2# isi auth ads spn list --domain=DOMAIN.DOMAIN.xyz

SPNs registered for SERVER3$:

        HOST/SERVER-mgmt.DOMAIN.org

        HOST/SERVER-nfs.DOMAIN.org

        HOST/SERVER-mgmt

        HOST/SERVER-nfs

        HOST/SERVER.DOMAIN.org

        HOST/SERVER

        HOST/SERVER1

        HOST/SERVER1.DOMAIN.org

        HOST/SERVER3

        HOST/SERVER3.DOMAIN.DOMAIN.xyz

Was this post helpful?

View All

No Events found!

Top