1 Rookie
•
31 Posts
0
9190
July 18th, 2014 14:00
Issue on accessing SMB share getting access denied
I have a problem with a security access permission issue while accessing the SMB share. The user says she is receiving access denied and can't open a file; she can create and copy a file but can't open it. Below are the snapshots from Isilon and also the error snapshot from the user's end. Please let me know how to clear the issue, as the user is already accessing a share in the production environment without any issues and I have matched the two shares with the same type of permissions, but the issue still persists even though we provided read and write access to the user group. Kindly help me. Please check the attachment of snapshots.
Thank You…
Bhuvan



dynamox
9 Legend
•
20.4K Posts
0
July 18th, 2014 19:00
Remember that the most restrictive permission wins; you need to make sure share and folder ACLs allow that group or user the right privileges. If you give user full rights on the folder but read-only on the share, they will not be able to modify anything.
bhuvankumar
1 Rookie
•
31 Posts
0
July 29th, 2014 22:00
I think your suggestion is correct. Below are the outputs, where I found the share was given change permission for the NA\000-it-ict-core group, and the ls -led command doesn't show write and execute permission for the NA\000-it-ict-core group. Also, I don't see user tyou3572, who is a member of the 000-it-ict-core group, in the user mappings. Am I correct?
How can I edit the permission so that it will show change permission for the group in the ls -led command? May I know the command? Will this edit affect other members in the group who are already accessing the share?
1.) Collect the share permission output
is240sc01-7:/etc # isi smb shares view --share=DQM_D4D
Share Name: DQM_D4D
Path: /ifs/DEV/UNIX/usrappsap/D4D/DQM
Description: ITC DQXI Validation DEV Share
Client-side Caching Policy: manual
Automatically expand user names or domain names: False
Automatically create home directories for users: False
Browsable: True
Permissions:
Account                   Account Type  Run as Root  Permission Type  Permission
----------------------------------------------------------------------------
NA\000-212_wintel_admins  group         False        allow            full
NA\000-it-ict-core        group         False        allow            change
----------------------------------------------------------------------------
Total: 2
Access Based Enumeration: No
Access Based Enumeration Root Only: No
Allow Delete Readonly: No
Allow Execute Always: No
Change Notify: all
Create Permissions: default acl
Directory Create Mask: 0700
Directory Create Mode: 0000
File Create Mask: 0770
File Create Mode: 0100
Hide Dot Files: No
Host ACL: -
Impersonate Guest: never
Impersonate User: s4dadm
Mangle Byte Start: 0XED00
Mangle Map: 0x01-0x1F:-1, 0x22:-1, 0x2A:-1, 0x3A:-1, 0x3C:-1, 0x3E:-1, 0x3F:-1, 0x5C:-1
Ntfs ACL Support: Yes
Oplocks: Yes
Strict Flush: Yes
Strict Locking: No
2.) Collect isi auth mapping output
is240sc01-7:/etc # isi auth mapping token --user=na\\tyou3752
User
Name : NA\tyou3752
UID : 1000455
SID : S-1-5-21-1645522239-879983540-1417001333-118648
On Disk : S-1-5-21-1645522239-879983540-1417001333-118648
ZID: 1
Zone: System
Privileges: -
Primary Group
Name : NA\domain users
GID : 1000001
SID : S-1-5-21-1645522239-879983540-1417001333-513
On Disk : S-1-5-21-1645522239-879983540-1417001333-513
Supplemental Identities
Name : NA\000-cranfs01secureddata
UID : -
GID : 1002720
SID : S-1-5-21-1645522239-879983540-1417001333-567918
Name : NA\bpm_mdm_rqst_cust_z012
UID : -
GID : 1001315
SID : S-1-5-21-1645522239-879983540-1417001333-530530
Name : NA\ptl_bi40
UID : -
GID : 1001899
SID : S-1-5-21-1645522239-879983540-1417001333-608335
Name : NA\ptl_boe_associate
UID : -
GID : 1000052
SID : S-1-5-21-1645522239-879983540-1417001333-532819
Name : NA\boe_dataservices
UID : -
GID : 1001661
SID : S-1-5-21-1645522239-879983540-1417001333-582287
Name : NA\000-yantra - rdc- operations
UID : -
GID : 1002028
SID : S-1-5-21-1645522239-879983540-1417001333-379738
Name : NA\000-corporate users
UID : -
GID : 1000064
SID : S-1-5-21-1645522239-879983540-1417001333-138301
Name : NA\000-corp-houston-all
UID : -
GID : 1000229
SID : S-1-5-21-1645522239-879983540-1417001333-141801
Name : NA\planit
UID : -
GID : 1000090
SID : S-1-5-21-1645522239-879983540-1417001333-253367
Name : NA\dw-install_secure_c
UID : -
GID : 1000181
SID : S-1-5-21-1645522239-879983540-1417001333-138333
3.) Collect ls -led and ls -lend output of the paths
is240sc01-7:/etc # ls -led /ifs/DEV/UNIX/usrappsap/D4D/DQM
drwxrwxr-x + 4 s4dadm sapsys 88 Jun 16 13:34 /ifs/DEV/UNIX/usrappsap/D4D/DQM
OWNER: user:s4dadm
GROUP: group:sapsys
CONTROL:dacl_auto_inherited,dacl_protected
0: group:NA\000-it-ict-core allow std_synchronize,add_file,add_subdir,container_inherit
1: user:s4dadm allow dir_gen_read,dir_gen_write,dir_gen_execute,std_write_dac,delete_child
2: group:Administrators allow dir_gen_all,object_inherit,container_inherit
3: creator_owner allow dir_gen_all,object_inherit,container_inherit,inherit_only
4: everyone allow dir_gen_read,dir_gen_execute
5: group:Users allow dir_gen_read,dir_gen_execute,object_inherit,container_inherit
6: group:Users allow dir_gen_read,dir_gen_execute,add_file,add_subdir,object_inherit,container_inherit
is240sc01-7:/etc # ls -lend /ifs/DEV/UNIX/usrappsap/D4D/DQM
drwxrwxr-x + 4 760 300 88 Jun 16 13:34 /ifs/DEV/UNIX/usrappsap/D4D/DQM
OWNER: user:760
GROUP: group:300
CONTROL:dacl_auto_inherited,dacl_protected
0: SID:S-1-5-21-1645522239-879983540-1417001333-474407 allow std_synchronize,add_file,add_subdir,container_inherit
1: user:760 allow dir_gen_read,dir_gen_write,dir_gen_execute,std_write_dac,delete_child
2: SID:S-1-5-32-544 allow dir_gen_all,object_inherit,container_inherit
3: SID:S-1-3-0 allow dir_gen_all,object_inherit,container_inherit,inherit_only
4: SID:S-1-1-0 allow dir_gen_read,dir_gen_execute
5: SID:S-1-5-32-545 allow dir_gen_read,dir_gen_execute,object_inherit,container_inherit
6: SID:S-1-5-32-545 allow dir_gen_read,dir_gen_execute,add_file,add_subdir,object_inherit,container_inherit
dynamox
9 Legend
•
20.4K Posts
0
July 29th, 2014 22:00
The simplest is to use Windows Explorer to modify folder ACLs.
bhuvankumar
1 Rookie
•
31 Posts
0
July 29th, 2014 22:00
I can see the advanced options below on the share path, which show the directory and file already have permissions for the user and group. Am I seeing this wrong?
chughh
122 Posts
0
July 30th, 2014 02:00
Hi Bhuvan,
Yes, but the recommendation is to set NTFS permissions from the Windows side, since share and NTFS permissions are set as required.
Permission details below:
dir_gen_all: dir_gen_read, dir_gen_write, dir_gen_execute, delete_child, and std_write_owner
generic_all: Read, write, and execute access
chughh
122 Posts
0
July 30th, 2014 02:00
Hi Bhuvan
Best option is to give NTFS permission from the Windows side, not from the Isilon side. Also, I don't see "tyou3572" added in NTFS permission for folders, which is causing the issue.
Users have read and execute permission but no write permission.
0: group:NA\000-it-ict-core allow std_synchronize,add_file,add_subdir,container_inherit
1: user:s4dadm allow dir_gen_read,dir_gen_write,dir_gen_execute,std_write_dac,delete_child (only write permission here)
5: group:Users allow dir_gen_read,dir_gen_execute,object_inherit,container_inherit
6: group:Users allow dir_gen_read,dir_gen_execute,add_file,add_subdir,object_inherit,container_inherit
You can add the user explicitly for NTFS permission from Windows or using the command below.
# chmod +a user "NA\tyou3572" allow dir_gen_all,object_inherit,container_inherit /ifs/DEV/UNIX/usrappsap/D4D/DQM
Then disconnect share and map it again and try out write permissions.
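An added example, not part of the thread or of any poster's reply: it parses the `ls -led` ACL posted above and reports which rights a set of identities gets on the directory itself, and which entries a newly created file would inherit. The function names are hypothetical, the expansion of `dir_gen_read`, `dir_gen_write` and `dir_gen_execute` is an assumption about OneFS generic rights, and `dir_gen_all` follows the definition quoted in the thread.

```python
import re

# ACL as posted in the thread's `ls -led` output.
ACL_TEXT = r"""
0: group:NA\000-it-ict-core allow std_synchronize,add_file,add_subdir,container_inherit
1: user:s4dadm allow dir_gen_read,dir_gen_write,dir_gen_execute,std_write_dac,delete_child
2: group:Administrators allow dir_gen_all,object_inherit,container_inherit
3: creator_owner allow dir_gen_all,object_inherit,container_inherit,inherit_only
4: everyone allow dir_gen_read,dir_gen_execute
5: group:Users allow dir_gen_read,dir_gen_execute,object_inherit,container_inherit
6: group:Users allow dir_gen_read,dir_gen_execute,add_file,add_subdir,object_inherit,container_inherit
"""
FLAGS = {"object_inherit", "container_inherit", "inherit_only", "no_prop_inherit"}
# Assumed expansion of the OneFS generic directory rights (not stated on the page).
GENERIC = {
    "dir_gen_read": {"list_entry", "dir_read_attr", "dir_read_ext_attr", "std_read_dac", "std_synchronize"},
    "dir_gen_write": {"add_file", "add_subdir", "dir_write_attr", "dir_write_ext_attr", "std_read_dac", "std_synchronize"},
    "dir_gen_execute": {"traverse", "std_read_dac", "std_synchronize"},
}
# dir_gen_all as defined in the thread.
GENERIC["dir_gen_all"] = set().union(*GENERIC.values()) | {"delete_child", "std_write_owner"}

def parse_acl(text):
    """Return a list of (index, trustee, kind, rights, inherit_flags) tuples."""
    aces = []
    for m in re.finditer(r"^\s*(\d+): (.+?) (allow|deny) (\S+)$", text, re.M):
        items = set(m.group(4).split(","))
        rights = set()
        for r in items - FLAGS:
            rights |= GENERIC.get(r, {r})  # expand generic rights, keep specific ones
        aces.append((int(m.group(1)), m.group(2), m.group(3), rights, items & FLAGS))
    return aces

def effective_rights(aces, principals):
    """Rights on the directory itself; ACEs are read in order, first decision per right wins."""
    allowed, denied = set(), set()
    for _, trustee, kind, rights, flags in aces:
        if "inherit_only" in flags or (trustee != "everyone" and trustee not in principals):
            continue  # inherit_only entries never apply to the directory itself
        if kind == "allow":
            allowed |= rights - denied
        else:
            denied |= rights - allowed
    return allowed

def inherited_by_new_file(aces):
    """Indexes of the ACEs a file created in this directory inherits (object_inherit)."""
    return [i for i, _, _, _, flags in aces if "object_inherit" in flags]
```

Entry 0 carries `container_inherit` but not `object_inherit`, so it is not among the entries a new file inherits.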
bhuvankumar
1 Rookie
•
31 Posts
0
July 30th, 2014 02:00
Hi Chughh,
User "tyou3572" is a member of the group "000-it-ict-core", but she is not able to open the file and view it in the share path; she gets access denied when she opens the file. I hope the "chmod" command you gave will apply change permissions only and not full permissions? If I run that command, will it help the user access the share without any issues?
bhuvankumar
1 Rookie
•
31 Posts
0
July 30th, 2014 02:00
Your first recommendation would be to set the execute permission from the Windows side on the group? If that is not possible, your second recommendation is to issue the chmod command from Isilon?
Since I want change permission, I will use generic_all in the chmod command.
MideSTO
6 Posts
0
August 10th, 2014 18:00
I'll just throw it out there since a portion of your problem reminds me of something I ran into. In our scenario we are using NTFS permissions on the Windows side to handle everything. User can create a file, but not rename it or edit it. Opening files has problems as well. We traced the problem to the fact that the user has to have at least read/execute permissions from the SMB share location all the way down to the file. If there was an instance where the user did not have that access, this problem would appear.
/ifs/folder1/folder2/folder3/file
If the user does not have read access to folder2 and SMB mapping is done on folder1, and the user is directly mapped all the way down to folder3, then they will have problems.