Command Example - Cifs Setup with Vfiler Support

by goodrum Former NetApp Employee on ‎2012-01-04 02:11 PM

Complete Command and Dictionary Object for setting up CIFS on the array or vfiler context:

  • Array or Vfiler Support
  • Active Directory or Workgroup Modes
  • Active Directory Sites and OU support
  • Create Local Administrator account and local /etc/passwd and /etc/group files if they do not exist
  • Supports WINS Server setup but requires DNS to be already configured
  • Set Administrative Domain group for Controller

WFA 1.0.2.3.6 - B5499

Comments
Frequent Contributor

Hi,

I'm using your command in a workflow for provisioning filers. When it tries to create the Administrator Account I get the error: could not add user <Administrator>. Error: User cannot access group(s). The Domain Account I'm using should have the capability to add the Administrator Account. When I do the same cifs setup manually on the filer it is working. Do you have any idea what might be the problem?

13:24:21.520 INFO  [CIFS Setup] ### Command 'CIFS Setup' ###
13:24:22.895 INFO  [CIFS Setup] Executing command: ./CIFS_Setup8056543627688043091.ps1 -AD_Site v998dpv1.v998.intern -Array 7.247.34.130 -ArrayName G100BPMC002.g100.intern -CifsAuthType true -CifsServer v998spnvv1999gl -DomainName v998dpv1.v998.intern -DomainPass PjuTbb9tMo8e -DomainUser q100334 -OrganizationalUnit 'OU=Fileserver, OU=Server, OU=VRZ' -SecurityType multiprotocol -VFilerName v998spnvv1999gl -builtin_admin F!t4st0rage
13:24:23.098 INFO  [CIFS Setup] Get-NaCredentials -Host 7.247.34.130
13:24:23.176 INFO  [CIFS Setup] Connect-NaController (with credentials) -Name 7.247.34.130
13:24:25.114 INFO  [CIFS Setup] Connected to controller
13:24:25.176 INFO  [CIFS Setup] Connected to VFiler: v998spnvv1999gl
13:24:25.208 INFO  [CIFS Setup] Creating the Cifs Server: v998spnvv1999gl
13:24:27.286 INFO  [CIFS Setup] Creating the Local /etc/password file
13:24:29.661 INFO  [CIFS Setup] Creating the Local /etc/group file
13:24:31.192 INFO  [CIFS Setup] Setup CIFS Local Administrator account
13:24:32.098 INFO  [CIFS Setup] Connecting to the Active Directory Domain: v998dpv1.v998.intern in the Site: v998dpv1.v998.intern  under the Organizational Unit: OU=Fileserver, OU=Server, OU=VRZ as ServerName: v998spnvv1999gl
13:24:40.333 ERROR  [CIFS Setup] Could not add user <Administrator>. Error: User cannot access group(s)

14:19:01.651 INFO  [CIFS Setup] ### Command 'CIFS Setup' ###
14:19:03.026 INFO  [CIFS Setup] Executing command: ./CIFS_Setup2162718319172003336.ps1 -AD_Site v998dpv1.v998.intern -Array 7.247.34.130 -ArrayName G100BPMC002.g100.intern -CifsAuthType true -CifsServer v998spnvv1999gl -DomainName v998dpv1.v998.intern -DomainPass PjuTbb9tMo8e -DomainUser q100334 -OrganizationalUnit 'OU=Fileserver, OU=Server, OU=VRZ' -SecurityType multiprotocol -VFilerName v998spnvv1999gl -builtin_admin F!t4st0rage
14:19:03.260 INFO  [CIFS Setup] Get-NaCredentials -Host 7.247.34.130
14:19:03.338 INFO  [CIFS Setup] Connect-NaController (with credentials) -Name 7.247.34.130
14:19:05.307 INFO  [CIFS Setup] Connected to controller
14:19:05.354 INFO  [CIFS Setup] Connected to VFiler: v998spnvv1999gl
14:19:05.417 INFO  [CIFS Setup] Creating the Cifs Server: v998spnvv1999gl
14:19:08.198 INFO  [CIFS Setup] Setup CIFS Local Administrator account
14:19:09.198 INFO  [CIFS Setup] Connecting to the Active Directory Domain: v998dpv1.v998.intern in the Site: v998dpv1.v998.intern  under the Organizational Unit: OU=Fileserver, OU=Server, OU=VRZ as ServerName: v998spnvv1999gl
14:19:35.792 ERROR  [CIFS Setup] Could not add user <Administrator>. Error: User cannot access group(s)

goodrum Former NetApp Employee

Are you using any account other than 'root' for WFA to connect to the Array?  I ask because the cmdlet that is called is a pretty basic command to create a new local user:

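# Look up the local users that already exist on the connected controller/vfiler
$userExists = Get-NAUser

# Create the local Administrator account only when -builtin_admin was supplied
# and no "administrator" user exists yet
if($builtin_admin -and !($userExists.name -contains "administrator"))
{
    Get-WFALogger -Info -message $("Setup CIFS Local Administrator account")
    New-NaUser Administrator $builtin_admin Administrators
}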

Basically, we check to see if the user exists and if it does then we skip the step. Otherwise, we just try to create the new user. It seems to be failing here. Did you notice if the user was created? One option would be to pre-create the user and then re-test. Also, which version of WFA are you running? This was last tested on 1.0.2. I am working on upgrading the Pirate Pack for NAS (which includes this command) to support 1.1.1.

Frequent Contributor

Yes, I'm using a user called wfauser on the physical filer. On the vfiler no user exists. I'm using WFA 1.1.1.

The wfauser only has the following capabilities: login-http, api-*, security-api-vfiler. I have the impression that this is not sufficient. Am I right?

goodrum Former NetApp Employee

I have a feeling that this is your issue.  I ran into some odd issue in the past (pre 1.0 days) where a non-root user would not have sufficient rights though the user was a member of the admins group.  Can you try with root and see if it is any different?

Frequent Contributor

It took some time but now I could test the New-NaUser cmdlet on the vfiler. You are right. It only works with the root user. Another user with full admin capabilities can't add a user on the vfiler. On the physical filer it works. Unfortunately that's a big issue for me as I can't use the root user in production at the customer. Do you have an idea for a workaround?

Thanks

Stefan

Frequent Contributor

I found a workaround. You can use Invoke-NaSsh -Command "vfiler run vfiler useradmin user add... I think I will try to integrate this into my workflow.
