#Changing permissions CIFS Share

Hello,

My office has a simple file share on our new NetApp AFF-A150 which we had professional services configure/install for us last week. When I set it up with the NetApp engineer last week, I put an AD security group that my normal domain user account is apart of on the share we created, and gave that group Full Control for the share. Today, after transferring over all our files/folders from our old share, I realized it was the wrong security group and I needed a couple more as well for everyone to have access. So on the file explorer I added those groups, but before changing them to Full Control I deleted the original security group from the list. Now it won’t let me add that original group back and gives me access denied, nor will it allow me to up the permissions of the groups that I added, so right now there is no group/user added for that share with more than Read/Execute permissions.

I even added the new groups to the file permissions of the share via the GUI, and it took them and labeled them as “Full Control” although when looking at the security tab under properties of the share on file explorer, it still says only read/execute permissions.

I also ran a command in the CLI (will update what it was when I get back to my work computer, out at Dr Appt now) that showed those accounts did indeed only have Read/Execute permissions even though they are listed as Full Control on the GUI.

So, to me it seems like 1. The GUI is lying to me and doesn’t actually control the permissions set on the share, and 2. I likely bricked that share as there is no way to change the permissions of the share through the NetApp because on the windows file explorer side it seems dead in the water.

As of right now it seems like my only option is to blow away this share, create a new one and retransfer all my files, and not screw up the permissions this time. That is unless, one of you fine professionals knows a CLI command that'll change the group permissions. Thanks in advance!

Share-level security is generally considered to be bad practice and discouraged. You should really set your shares to "Everyone/Fill Control" and manage access control on the files and directories below the share directly. If you still want to go the share ACL route, you can use the commands vserver cifs share access-control show, ...modify, ...create and ...delete to configure these ACLs. Here's a link to the documentation: https://docs.netapp.com/us-en/ontap/smb-admin/commands-manage-share-acls-reference.html

note that you might need to log off and log back on (on your client) for the new ACLs to take effect (Windows caches negative access rights for a while)

Also worth noting a share is just a conduit to a volume. You can always create/test with a new share.

@amber wagon might have an idea too.

Yes, I did create a new share to test my theory on the problem. Pretty sure it's a permissions issue. Tracking on this not being best practices in regards to permissions being set this high, but im just a jr engineer who does what hes told at the end of the day 😦

I am just super confused as to why, on the GUI, i can create a new share permission for a group/user in my domain, give them full access, and that not have any real effect on how the share functions within file explorer.

It sounds like the issue is the permissions at the file level, likely as a result of removing the original group, since that is probably what was providing you access. The permissions you see from System Manager (the GUI) are likely just the permissions at the share level. The Security tab from File Explorer shows you the file level permissions, but there is usually a separate tab in the Advanced security settings where you can also see the share permissions.

As far as fixing the permissions, you should be able to take ownership as part of the local Administrators group, then apply the new permissions. I am away from my computer right now, but you should be able to find an newer in the resolution guide @ https://kb.netapp.com/onprem/ontap/da/NAS/How_to_fix_NTFS_file_permissions_when_access_is_lost-_Resolution_Guide