Subscribe
Accepted Solution

Issues running a ps script with an account other than the domain admin

I have a powershell script that runs perfectly if i am logged on as  the administrator account of the domain,  querys the netapp etc,  if i  log on with a second domain administrator account sysadmin the script  errors.  Both the administrator and sysadmin account are both domain  admins and if i look at the security on the netapp all(administrator,  sysadmin and domain admins) are memebrs of the netapp local administrators  group.

When i run the script i am passing the same arguments to the filer  -filer xxx.xxx.xxx.xxx -admin root - pass XXXXXXXX

all the audit log says is for the account that doesnt run is no error messages

Fri Nov 12 10:09:08 NZDT [rshd_0:debug]: root:START:rsh shell:[127.0.0.1_19244]

Fri Nov 12 10:09:08 NZDT [rshd_0:debug]: root@[127.0.0.1_19244]:IN:rsh shell:RSH INPUT COMMAND is priv set -q admin ; version

Fri Nov 12 10:09:08 NZDT [rshd_0:debug]: root@[127.0.0.1_19244]:END:rsh shell: Fri Nov 12 10:09:08 NZDT [Java_Thread:debug]: root:API:in:<storage-shelf-list-info/>

Fri Nov 12 10:09:08 NZDT [Java_Thread:debug]: root:API:in:<system-get-info/>

Fri Nov 12 10:09:08 NZDT [Java_Thread:debug]: root:API:in:<system-get-version/> Fri Nov 12 10:09:08 NZDT [Java_Thread:debug]: root:API:in:<iscsi-service-status/>

but the ps window has heaps of errors

starts with

Connect-NaController : API invoke failed.

How does the security around api calls work since i am passing the root username and password and also have the account in the netapp local group is there some account mapping i aslo ahve to do with the root and sysadmin account?

cheers

Alan

Re: Issues running a ps script with an account other than the domain admin

Hello, Alan.  You didn't say whether you are using RPC or HTTP.  But in either case, the first thing to check is whether you can log in to the controller console (i.e. telnet or ssh) using the desired credentials.  If that works, the same credentials should work with the PowerShell Toolkit.

I tried the same experiment here:

  1. Created a domain user RTPRRE\sysadmin and added that to the domain administrators group.
  2. Added that user to the controller: Set-NaDomainUser RTPRRE\sysadmin -AddGroups Administrators
  3. Verified I could connect using those credentials: Connect-NaController dunn -Credential RTPRRE\sysadmin

That all worked here.  If it helps, I'm using Windows 2008 R2 (client), Data ONTAP 7.3.3, and Windows 2003 (domain controller).

Re: Issues running a ps script with an account other than the domain admin

Hi Clinton

I see my error now,

This is what i was doing

Logging on to a Windows 2003 server as sysadmin so the powershell context is that of sysadmin and passing thought the netapp root username and password as arguements for the script

eg powershell -command c:\NetappListVolumesandLuns.ps1 -filer 192.168.0.10 -admin root -pass XXXXXXXXX.  (this errors for me)

Changing it based on your example to be the actual NT account works

eg powershell -command c:\NetappListVolumesandLuns.ps1 -filer 192.168.0.10 -admin testdomain\sysadmin -pass XXXXXXXXX (this works for me)

Howerver if the server is logged on as administrator

powershell -command c:\NetappListVolumesandLuns.ps1 -filer 192.168.0.10 -admin root -pass XXXXXXXXX. works

so i suspect there must be some mapping on the netapp that allows the administrator account to passthru root and for the script to work for administrator and not sysadmin,

So i guess i have my fix i need to explicily use the domain credentials for my script and drop using the root credentials

Cheers

Alan

Re: Issues running a ps script with an account other than the domain admin

Alan, could you share the portion of your script where you are calling Connect-NaController?  I'd like to see how you are mapping the credentials you pass into the script to the arguments of Connect-NaController.

I ask because you should be able to specify any credentials that the controller recognizes.  If you are using RPC (i.e. not specifying credentials to Connect-NaController), then you will be authenticated as the currently logged on Windows user, and that only works if the account is known to both the domain and to ONTAP.  But if you are using HTTP/HTTPS (i.e. using the -Credentials parameter of Connect-NaController), then the current Windows user context should be irrelevant.  In other words, using the controller's root userid/password should *always* work regardless of the Windows account in use.  That also holds true for any other local controller user account, unless that user doesn't have sufficient privileges to call ONTAP APIs.

Re: Issues running a ps script with an account other than the domain admin

Hi Clinton here is the ps file, i modified a script file i found here on the forum(http://communities.netapp.com/docs/DOC-6349) and change the the script to output the results to a text file and to pass in credentials so i could use this on multiple filers

------------------------------------

Param ([string]$filer, [string]$admin, [string]$pass)

# NetApp Data ONTAP PowerShell Toolkit
$exist = $false
foreach ($modulePath in ${env:PSModulePath}.Split(";"))
{
   if ((Test-Path ($modulePath + "DataONTAP\DataONTAP.dll")) -and !$exist)
   {
    Write-Host "Adding NetApp DataOnTap PowerShell" -ForegroundColor Green
    $exist = $true
    Import-Module DataONTAP
   }
}

#$filer = "***.***.***.***"
$spass = ConvertTo-SecureString $pass -AsPlainText -Force
#$admin = "****"


$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $admin,$spass
Connect-naController $filer -credential $cred
$aggrlist = Get-NAAggr
$file = "C:\fujitsuit\test.txt"
#Remove-Item $file
New-Item $file -type file -force

Foreach ($aggr in $aggrlist){
      [double]$AggrOverSub=1
      $aggrInfo = "Aggr Start: " + $aggr.Name + " : Aggr Size = " + ([Math]::Round(($aggr.SizeTotal/(1024*1024*1024)),1)) + "GB" + " : Used Size = " + ([Math]::Round($aggr.SizeUsed/(1024*1024*1024),1)) + "GB" + " : % used = " + $aggr.SizePercentageUsed + "%"
      Add-Content $file $aggrInfo
       #Add-Content $file "`r"
      $LunList = Get-NaLun
      $Vollist = Get-NaVol
      ForEach ($volume in $Vollist)
      {     [double]$VolOverSub=1
            $vol = (get-navol $volume.name)
            [single]$perc=100 * ([single]($vol.SizeUsed) /[single]($vol.SizeTotal))
            $perc=[math]::Round($perc,2)
            if ($aggr.name -eq $vol.containingaggregate )
            {     $volInfo = "      Vol : " + $vol.Name + ": Vol Size = " + ([math]::round(($volume.SizeTotal/(1024*1024*1024)),1))+ "GB" + ": Used Size = " + $perc + "%"
                  Add-Content $file $volInfo
       
                  foreach ($LUN in $LunList)
                  {     $Sour=$LUN.Path
                          $spath = $Sour.Split("/")
                        if (($spath[2].equals($vol.name)) -or ($spath[3].equals($vol.name)))
                        {     [single]$perc=100 * ([single]((get-nalunoccupiedsize $LUN.path)) /[single]($LUN.Size))
                              $perc=[math]::Round($perc,2)
                              $luninfo = "       LUN:  = " + $LUN.path + " : Size = " +([Math]::Round(($LUN.size/(1024*1024*1024)),1))+ "GB" + " : Used = " +([Math]::Round( ((get-nalunoccupiedsize $LUN.path)/(1024*1024*1024)),1))+"GB" + " = " + $perc + "%"
                              Add-Content $file $luninfo
                              $VolOverSub=$VolOverSub+[double]$LUN.Size
                        }
              
                  }

            }
      }  
      $aggrinfo2 = "Aggr End  : " + $aggr.Name
      Add-Content $file $aggrinfo2
}

--------------------------------

Re: Issues running a ps script with an account other than the domain admin

Thanks, Alan.  There is nothing wrong with your script.  You're using HTTP/HTTPS connections, and in my environment I am able to run the script with root, domain admin, and alternate domain credentials as defined previously, regardless of the account with which I am logged into Windows 2008.  Trying on Windows 7 also works with all credential sets.

If you'd like to investigate further, I suggest you reproduce the connection failure by manually invoking Connect-NaController.  Then when you get the "API invoke failed" error, see if there is any further info by entering $error[0].Exception.InnerException

Re: Issues running a ps script with an account other than the domain admin

Hi Clinton

Sorry was away for the weekend so this is my first chance to test this out so this is my error

when trying to connect as root under the sysadmin account

The remote server returned an error: (407) Proxy Authentication Required.

Set my IE under sysadmin not to use the proxy server and hey now i can connect as root via the powershell script.

Hmm interesting, i assume then to get around this i probably should change to using RPC connection method so that when i push this script out to mulitple sites i dont have to worry if the proxy server has been set for the account i am using.

So now to find i need to check the SDK help to see how to change this to RPC connection method

Cheers

Alan

Re: Issues running a ps script with an account other than the domain admin

Hi, Alan.  That explains why some user accounts could not connect; they must have different HTTP proxy settings.

Two other Toolkit users hit this last week:

http://communities.netapp.com/thread/11891

The workaround, until I adjust the Toolkit, is to add this to the top of your script:

[System.Net.WebRequest]:Smiley Very HappyefaultWebProxy = $null

Re: Issues running a ps script with an account other than the domain admin

Toolkit 1.3, posted today, does not use the system HTTP proxy settings.  Hence the workaround should no longer be necessary.

Re: Issues running a ps script with an account other than the domain admin

naConnect is not possible, but ssh works.

> $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $admin,$spass


> $l1=Connect-NaController lannapfs9001.eu.adglob.net -Credential $cred
Connect-NaController : Could not connect to lannapfs9001.eu.adglob.net on port 80 for protocol HTTP.
Bei Zeile:1 Zeichen:25
+ $l1=Connect-NaController <<<<  lannapfs9001.eu.adglob.net -Credential $cred
    + CategoryInfo          : InvalidResult: (lannapfs9001.eu.adglob.net:NaController) [Connect-NaController], NaConnectionException
    + FullyQualifiedErrorId : HttpConnectionFailed,DataONTAP.PowerShell.SDK.ConnectNaController

> $error[0].Exception.InnerException
Timeout für Vorgang überschritten

> telnet lannapfs9001.eu.adglob.net 80

HTTP/1.1 400 Invalid request
Server: NetApp/7.3.1.1P9
Date: Wed, 02 Feb 2011 10:02:57 GMT
Content-Length: 114
Content-Type: text/html

<HTML>
<HEAD>
<TITLE>Error</TITLE>
</HEAD>
<BODY>
<H1>Error 400</H1>

Invalid request

</BODY>
</HTML>


Verbindung zu Host verloren.

P> Invoke-NaSsh -Controller lannapfs9001.eu.adglob.net -Credential $cred df -g vol45imx -verbose
AUSFÜHRLICH: SSH invoke: df -g vol45imx
AUSFÜHRLICH: SSH user: jwippel
AUSFÜHRLICH: SSH client version: SSH-2.0-SharpSSH-1.1.1.13-JSCH-0.1.28
AUSFÜHRLICH: SSH server version: SSH-2.0-OpenSSH_3.4p1
AUSFÜHRLICH: SSH cipher: 3des-cbc
AUSFÜHRLICH: SSH MAC: hmac-sha1
AUSFÜHRLICH: SSH host: 10.188.45.57
AUSFÜHRLICH: SSH host key type: ssh-rsa
Filesystem               total       used      avail capacity  Mounted on
/vol/vol45imx/            79GB       76GB        2GB      96%  /vol/vol45imx/
/vol/vol45imx/.snapshot        0GB        0GB        0GB     ---%  /vol/vol45imx/.snapshot

Please also tell me how to use SSH host key type: ssh-dsa !