Failure: New-NaRole on a vFiler

Hello,

when I try to create a new role on a vFiler via the New-NaRole CMDlet I receive the error message:

[vFilerName@vFiler0:useradmin.unauthorized.user:warning]: user 'username' denied access - missing required capability: 'security-priv-advanced'

The user 'username' is a member of the 'Administrators' group on the vFiler host (vFiler0). Creating a new role in the vFiler via CLI with the 'useradmin role add' command works fine with the same user.

Is there any solution for this?

Thanks in advance,

Hans-Juergen

Re: Failure: New-NaRole on a vFiler

Are you tunneling commands to the Vfiler (i.e., you connect using Connect-NaController with the -Vfiler parameter or you set $currentNaController.Vfiler)?  If so, I think you need to create a user of the same name on the Vfiler with the required privileges.  If no users exist on the Vfiler, you can use Set-NaVfilerPassword to create the Vfiler's root user.

-Steven

Re: Failure: New-NaRole on a vFiler

I'm connecting to the vFiler with the -Vfiler Parameter in the Connect-NaController CMDlet. This then automatically sets the $global:currentNaController.Vfiler property to the name of the vFiler. The complete command is as follows:

New-NaRole -Role "role_name" -Comment "comment" -Capabilities "login-http-admin","api-*" -Controller (Connect-NaController -Name "vFiler0_Hostname" -Vfiler "vFiler_Name")

Doing the same via the Invoke-NaSsh CMDlet works fine without any error:

Invoke-NaSsh -Command ("vfiler run vFiler_Name useradmin role add 'role_name' -a 'login-http-admin,api-*' -c 'comment'") -Controller (Connect-NaController -Name "vFiler0_Hostname")

The credentials and user rights are the same, so where is the difference between these approaches?

As far as I know, connecting directly to a vFiler is not possible. Neither with SSH nor PowerShell. Right?

Addition:

Trying to create a new user as a member of the Administrators group on the vFiler (via New-NaUser CMDlet) fails with the error message: "User cannot access groups".

Re: Failure: New-NaRole on a vFiler

Yes, you can connect to the vfiler directly, both through PowerShell and SSH.  When you configure the vfiler, you can use Set-NaVfilerAddress -Name $name -Addresses $IPs -Interface $if -Netmask $netmask to bind the IPs you created the vfiler with to a network interface.  The Set-NaVfilerPassword cmdlet will create the root vfiler account.  Then you can connect to the vfiler using Connect-NaController as if it were a physical controller (no need to use the -Vfiler switch).  From there, you can use Initialize-NaSecureAdminSsh to configure SSH on the vfiler.

I'm not sure of the exact reason why the useradmin cmdlets have difficulty with permissions when tunneling to a vfiler; however, creating a user on the vfiler with the same permissions as the user on the controller seems to fix the issue for me.  It would appear that, when going through SSH, permissions are checked on the controller, whereas when going through the API, permissions are checked in the context of the vfiler (which fails for me since the user I'm using on the controller does not exist on the vfiler).  Another solution would be to connect directly to the vfiler.

Please note:  The Set-NaVfilerAddress and Set-NaVfilerPassword cmdlets use the vfiler-setup API, which will re-write the /etc/exports and /etc/hosts files on the vfiler.  If you plan to use these cmdlets and have configured exports, please use the -PreserveEtcHosts and -PreserveEtcExports switches to ensure the contents of these files are not disturbed.  See the help documentation for these cmdlets for more information.

-Steven

Re: Failure: New-NaRole on a vFiler

Creating a user with the same name and permissions in the vFiler as exists on vFiler0 solves the problem. But this is not desired, because the vFiler (and the roles within) should be created completely by a PowerShell script, without any interaction via SSH or an undesired user account on the vFiler. Connecting directly to the vFiler is also not possible in my case because of firewall limitations.

It seems that tunneling to a vFiler with the -VFiler argument in the Connect-NaController CMDlet is not the same as using the vfiler run... command in an ssh shell on the vFiler0, right?

Re: Failure: New-NaRole on a vFiler

Not all 7-Mode ONTAPI commands support vFiler tunneling.  In those cases vfiler run over SSH is the workaround.  They are not the same, however.  vFiler tunneling requires the API to have the hooks on the other side.  vfiler run runs the CLI command within the vFiler context; in other words, one is proxying, the other is connecting directly through the parent filer.

~Glenn
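As an added illustration of the two paths discussed in this thread (example code, not from the thread or from NetApp): the function below tries the tunnelled New-NaRole call first and, only when the ONTAPI call is rejected for a missing capability, falls back to vfiler run over Invoke-NaSsh through the parent filer. The host, vFiler and role names are placeholders, $cred is assumed to hold the parent-controller credentials, and -Credential on Connect-NaController is assumed to be available in the toolkit version in use.

```powershell
# Added example, not the thread's own code. Placeholder values throughout;
# $cred is assumed to be a PSCredential for the parent controller (vFiler0).
$cred         = Get-Credential
$parentHost   = "vFiler0_Hostname"
$vfilerName   = "vFiler_Name"
$roleName     = "role_name"
$roleComment  = "comment"
$capabilities = @("login-http-admin", "api-*")

function New-VfilerRoleWithFallback {
    param(
        [string]$ParentHost, [string]$Vfiler, [string]$Role,
        [string]$Comment, [string[]]$Caps, [pscredential]$Credential
    )

    # The fallback builds a CLI string, so only accept a plain role name
    # (no quotes or separators that could alter the useradmin command).
    if ($Role -notmatch '^[A-Za-z0-9_\-]+$') {
        throw "Role name '$Role' contains characters not allowed in a CLI argument."
    }

    # Path 1: tunnelled ONTAPI call. As observed in the thread, the capability
    # check runs in the vFiler's own user context, so an account that exists
    # only on the parent controller is denied 'security-priv-advanced'.
    $tunnel = Connect-NaController -Name $ParentHost -Vfiler $Vfiler -Credential $Credential
    try {
        New-NaRole -Role $Role -Comment $Comment -Capabilities $Caps `
                   -Controller $tunnel -ErrorAction Stop | Out-Null
        return "api"     # tunnelling worked for this call
    }
    catch {
        # Only the specific permission failure triggers the fallback;
        # anything else (bad host, auth failure, role exists) is re-thrown.
        if ($_.Exception.Message -notmatch 'missing required capability') { throw }
    }

    # Path 2: 'vfiler run' via SSH on the parent filer. Here the capability
    # check happens on the parent, where the Administrators account exists.
    $capList = $Caps -join ','
    $cli = "vfiler run $Vfiler useradmin role add '$Role' -a '$capList' -c '$Comment'"
    $parent = Connect-NaController -Name $ParentHost -Credential $Credential
    Invoke-NaSsh -Command $cli -Controller $parent | Out-Null
    return "ssh"         # role created through the parent filer instead
}

$path = New-VfilerRoleWithFallback -ParentHost $parentHost -Vfiler $vfilerName `
            -Role $roleName -Comment $roleComment -Caps $capabilities -Credential $cred
Write-Host "Role '$roleName' created on '$vfilerName' via $path"
```

The return value records which path succeeded, which is worth logging in an automation run because the SSH path exercises parent-controller privileges rather than the vFiler's own.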