I recently had a Software Vendor tell me that we needed to run the “cifs access share -m” command on the NetApp Filers/vFilers in order to integrate their product correctly. According to the NetApp documentation it “specifies that access is being modified for Windows machine accounts”. Okay…fair enough. But wouldn’t you typically have this access enabled for machine startup scripts and software delivery policies that run from network shares? Anyway, I needed to document this for a change record. So we logged onto our test vFiler and ran the “cifs shares” command, to give us a reference for a before and after comparison.
Then we ran the “cifs access share -m” command against the data share.
Great, so the command worked successfully.
Then we ran the “cifs shares” command again to see what it actually changed.
It changed nothing! This was really confusing. But given that the Everyone, Authenticated Users, and Domain Computers groups would give computer accounts access to the share I simply just thought that the command had verified the share level permissions and concluded that there was nothing to change. So I removed the Everyone group from the data share and re-ran the “cifs access share -m” command against the data share.
It still changed nothing! This was frustrating. I was unsure if we’d found a bug or had misunderstood the purpose of the command. No matter how much research we did it was really not all that clear about what we should expect to see.
One of the guys suggested running the “cifs access -delete share -m” command against the data share to see what it would delete.
This also completed successfully.
However, now when we run the “cifs shares” command we can see that it says “Machine Account access disabled” against the data share.
Aha! Now we understand how this works and what it means. By default access to shares via machines accounts is enabled. You only need to enable it if you had previously disabled it.
So even though the Everyone group had read access to the share NetApp has a feature to prevent access via machine accounts.
I find the output of the “cifs access share -m” command rather poor. Instead of saying “1 share(s) have been successfully modified”, it would be nice for it to say:
- “Machine Account access has been successfully enabled on the share”
- “Machine Account access is already enabled on the share”
- “Machine Account access has been successfully disabled on the share”
- “Machine Account access is already disabled on the share”
As for the output of the “cifs shares” command, it would be nice to see “Machine Account access enabled” against all shares by default. This would make it clear by removing any confusion or misunderstanding.
If you are NetApp trained, you may already understand this. But ironically even NetApp trained people provided us with very poor information on our simple question “What does the cifs access share -m command do?”
In hindsight this now makes complete sense and seems rather obvious.