SnapDrive Windows Service Account capabilities

tfuchs · ‎2009-08-25

Hi,

I'm sure this question was asked several times before and I'm also sure that I will write a KB article if there is a solution... 🙂

IHAC who doesn't want to add the SnapDrive service account into the filers local administrator group. He wants to know if it is possible to create a new role on the filer with the appropriate capabilities to make SnapDrive work but what is not able to administer the whole filer.

Is it possible and if yes what are the required capabilities ?

Any help is appreciated.

Thanks

Thorsten

nagendrk · ‎2009-08-25

If the end goal is to set access control, have you tried using this STORACL - http://now.netapp.com/NOW/download/tools/storeacl/

satishv · ‎2009-08-25

Found this in the archive on the list of APIs used by SDW.

tfuchs · ‎2009-08-28

Hi,

but I think even if you use storacl the SDW service account still needs administrative rights on the netapp system to make SnapDrive work right ?

Thanks

Thorsten

nagendrk · ‎2009-09-04

Not necessarily. Here is what I could gather. Try this out...

Storage System setup:

----------------------------------

1. If SnapDrive system and Storage system, both are in the same Windows domain and CIFS is running on the Storage System,

Create a domain user "sdadmin".

useradmin domainuser add sdadmin -g SDAdmins

Or

If SnapDrive system and Storage system, both are not in the same Windows domain or not in the domain,

useradmin user add sdadmin -g SDAdmins

Remember the password for sdadmin.

2. Create a Role for SnapDrive

useradmin role add SnapDrive -a login-*,api-*

Or set specific API capabilities

useradmin role add SnapDrive -a login-*,api-lun-*,api-snapshot-*,api-iscsi-*,api-volume-*,api-snapmirror-*,api-snapvault-*,api-ems-*,api-igroup-*,api-qtree-*,api-fcp-adapter-*,api-license-*,api-system-*,api-aggr-*

Note: It’s better to add specific list of APIs from the table, to prevent particular API calls.

Example: If admin wants to prevent LUN expansion, then add all lun-* APIs listed in the table, except lun-resize in the role.

3. useradmin group modify SDAdmins -r SnapDrive

SnapDrive Setup if you want to use RPC to send ZAPIs to storage system:

-------------------------------------------------------------------------------------------

1. Add a local administrator account.

If SnapDrive system is in same domain as Storage System, add domain user "sdadmin" to local "Administrators" group.

If SnapDrive system is not in the domain or not in the same domain as Storage System, add a local user "sdadmin" (same username and password as one on the storage system) and add it to local "Administrators" group.

2. Change SnapDrive service logon account to same user (Domain or local), and enter the password.

Here is how you can do it.

2a. Go to Program->Administrative Tools -> Services

or

Computer Management -> Services and Applications -> Services

2b. Double Click on SnapDrive service.

2c. Click on "LogOn" tab.

2d. Setup "This account" and password.

SnapDrive Setup if you want to use HTTP(s) to send ZAPIs to storage system (only available with SDW 6.0):

----------------------------------------------------------------------------------------------------------------------------------

1. SnapDrive service LogOn account could be any user who is member of the local "Administrators" group.

2. Go to SnapDrive MMC. Right Click on the host name, and select "Transport Protocol Settings".

Add/Change the Storage Systems and protocol settings, which also requires you to enter username and password. Username and password will be same as the user (either domain or local on Storage) added in SDAdmins group in Storage System setup step.