Changing a vservers CIFS password with new-nccifspassword?

RichardSopp · ‎2012-12-18

Hi,

I'm currently reviewing automation opportunities within the day to day administration of a Clustered ONTAP CIFS server.

One of the processes I'm looking to automate is the vserver cifs password-reset operation which updates the password of the vservers computer account in the Active Directory domain.

Any domain admin worht their salt will tell you they perform house keeping on the domain by looking for machine account passwords that have not be changed in X days and deleting those accounts older than X.

The value of X will vary depending on your organizations security and risk profile.

To achieve this account password update in clustered ONTAP you use the vserver cifs password-reset command.

This would appear to map to the new-nccifspassword cmdlet.

However, unlike the CLI which asks you for credentials of a domain user with permissions to reset password on the OU where the computer account resides, the new-nccifspassword cmdlet does not accept such parameters.

On the controller in the log file /mroot/etc/log/mlog/mgwd.log you can see both the ontapi operation and the CLI operation but the ontapi stays at pending and never changes to a success state.

Certain information in the log extracts is masked for obvious reasons.

ONTAPI

0000001c.0001084c 000d0193 Tue Dec 18 2012 16:21:11 -05:00 [kern_mgwd:info:823] ontapi :: xxx.xxx.xxx.xxx:: admin :: <netapp version='1.7' xmlns='http://www.netapp.com/filer/admin' vfiler='xxxxxxxxx'><cifs-password-change /></netapp>^M :: Pending

CLI

0000001c.00010879 000d053c Tue Dec 18 2012 16:22:45 -05:00 [kern_mgwd:info:823] ssh :: xxx.xxx.xxx.xxx:: admin :: vserver cifs password-reset -vserver xxxxxxxxxx:: Pending

0000001c.0001087f 000d055e Tue Dec 18 2012 16:22:48 -05:00 [kern_mgwd:info:823] ssh :: xxx.xxx.xxx.xxx :: admin :: vserver cifs password-reset -vserver xxxxxxxxxx:: Success

Is there a deficiency in the cmdlet or should I be using the invoke-ssh cmdlet instead for this purpose?

Any help would be appreciated

Richard

bsti · ‎2012-12-19

Actually, the New-NcCifsPassword cmdlet maps to the cifs-password-change API. Which is slightly different. It takes no input parameters and I believe just instructs the machine to generate a new password and update AD.

Have you tried: Reset-NcCifsPassword

THis may be what you are looking for.

RichardSopp · ‎2012-12-24

bsti - you're right.

My CLI example was wrong (note to self: don't try throwing something together at the end of a 14 hour day).

New-NcCifsPassword was the cmdlet I was after as I want the equivalent of 'vserver cifs password change'. In my mind this is the equivalent of the 'cifs changefilerpswd' command in 7-mode.

The Reset-NcCifsPassword cmdlet would come in useful to sync the local machine acocunt password and the domain machine account password, and is a much more elegant solution than having to re-run 'cifs setup' in 7-mode.

The notable behavior in the /mroot/etc/log/mlog/mgwd.log was interesting because it reported pending and never success.

As in most cases there is more than one way to get confirmation that the operation was a sucess so I wrote a short AD query to determine the age of the password on the machine account in the domain.

Problem solved.

vinith · ‎2012-12-20

Maybe you can try something like this,

Reset-NcCifsPassword -Controller vfiler1 -AdminUsername vinith -Password %^!%%!^