2014-06-17 12:52 PM
Will the Set-NaCifs cmdlet create the computer object if it does not already exist in the domain, when it is run against a filer with NetApp Release 8.1.3P1?
I am running the following powershell command... Set-NaCifs -CifsServer filer-e01 -AuthType ad -SecurityStyle multiprotocol -Domain my.domain.com -User svc_user -Password MyPassw0rd -OrganizationalUnit OU=NAS,OU=Storage
I have NOT created the computer object in the OU and want to know if it will automatically get created in this OU if it is not there. The account that I am supplying in the command does have rights to create computer objects in that OU.
2014-06-18 08:20 AM
If I run this command AND the computer account is NOT created,
PS C:\Users\Administrator> Set-NaCifs -CifsServer filer-e01 -AuthType ad -SecurityStyle multiprotocol -Domain my.domain.com -User svc_user -Password MyPassw0rd -OrganizationalUnit OU=NAS,OU=Storage
I get the following error:
Set-NaCifs : Unknown error. Check your input and try again.
At line:1 char:1
+ Set-NaCifs -CifsServer filer-e01 -AuthType ad -SecurityStyle multiprotocol - ...
+ CategoryInfo : InvalidOperation: (18.104.22.168:NaController) [Set-NaCifs], EINTERNALERROR
+ FullyQualifiedErrorId : ApiException,DataONTAP.PowerShell.SDK.Cmdlets.Cifs.SetNaCifs
If I run the exact same command after creating the computer account manually, it succeeds without any errors.
Thoughts as to why the cmdlet doesn't appear to be creating the computer account?
I used the service account that I am specifying in the cmdlet to manually create the computer account, so I know that it has rights to do so. The service account has full control permissions of the OU that I am trying to create the computer account in.
The filer that I am running this on is an FAS3170 running NetApp Release 8.1.3P1 7-Mode
2014-06-19 10:46 PM
You also need to add the following rights:
ALLOW change password and ALLOW Write public information
More details in this KB article:
If you are still stuck, give me a call.
2014-06-24 11:11 AM
Thanks for the information Sean! If the service account has full control rights on the OU, and we can use the service account to manually create the computer account, wouldn't this be suffecient rights for that account when being used with the Set-NaCifs cmdlet?
2014-06-24 11:25 AM
To answer your question: No.
The user needs different rights depending on where you are authenticating from.
If you are authenticating from within windows/domain, you are using private keys. However, if you are authenticating from outside of windows, you are using public keys.
From the KB article referenced above:
Note: The "ALLOW" requirements above are due to Microsoft publishing public and private Kerberos keys. Windows uses private keys and Data ONTAP uses public keys.
I did verify this in my lab. I created a service account and tried to use the regular "cifs setup" from the ONTAP CLI. It was not able to create the computer account and provided a more usable error message.