Allow users or groups to bypass directory traverse checking
Suggest changes
PDFs
If you want a user to be able traverse all the directories in the path to a file even if the user does not have permissions on a traversed directory, you can add the SeChangeNotifyPrivilege privilege to local SMB users or groups on storage virtual machines (SVMs). By default, users are able to bypass directory traverse checking.
-
A SMB server must be exist on the SVM.
-
The local users and groups SMB server option must be enabled.
-
The local or domain user or group to which the
SeChangeNotifyPrivilegeprivilege will be added must already exist.
When adding privileges to a domain user or group, ONTAP might validate the domain user or group by contacting the domain controller. The command might fail if ONTAP cannot contact the domain controller.
-
Enable bypass traverse checking by adding the
SeChangeNotifyPrivilegeprivilege to a local or domain user or group:vserver cifs users-and-groups privilege add-privilege -vserver vserver_name -user-or-group-name name -privileges SeChangeNotifyPrivilegeThe value for the
-user-or-group-nameparameter is a local user or group, or a domain user or group. -
Verify that the specified user or group has bypass traverse checking enabled:
vserver cifs users-and-groups privilege show -vserver vserver_name ‑user-or-group-name name
The following command enables users that belong to the “EXAMPLE\eng” group to bypass directory traverse checking by adding the SeChangeNotifyPrivilege privilege to the group:
cluster1::> vserver cifs users-and-groups privilege add-privilege -vserver vs1 -user-or-group-name EXAMPLE\eng -privileges SeChangeNotifyPrivilege cluster1::> vserver cifs users-and-groups privilege show -vserver vs1 Vserver User or Group Name Privileges --------- --------------------- --------------- vs1 EXAMPLE\eng SeChangeNotifyPrivilege
Disallowing users or groups from bypassing directory traverse checking