Microsoft Virtualization Discussions

Does the Set-NaCifs cmdlet create a computer object?

MATT_STOK
4,178 Views

Will the Set-NaCifs cmdlet create the computer object if it does not already exist in the domain, when it is run against a filer with NetApp Release 8.1.3P1? 

I am running the following powershell command...  Set-NaCifs -CifsServer filer-e01 -AuthType ad -SecurityStyle multiprotocol -Domain my.domain.com -User svc_user -Password MyPassw0rd -OrganizationalUnit OU=NAS,OU=Storage

I have NOT created the computer object in the OU and want to know if it will automatically get created in this OU if it is not there.  The account that I am supplying in the command does have rights to create computer objects in that OU.

5 REPLIES 5

vinith
4,178 Views

this cmdlet is the equivalent of 'cifs setup' on ontap cli, it should create the computer account in the Active Directory domain.

MATT_STOK
4,178 Views

If I run this command AND the computer account is NOT created,

PS C:\Users\Administrator> Set-NaCifs -CifsServer filer-e01 -AuthType ad -SecurityStyle multiprotocol -Domain my.domain.com -User svc_user -Password MyPassw0rd -OrganizationalUnit OU=NAS,OU=Storage

I get the following error:

Set-NaCifs : Unknown error.  Check your input and try again.

At line:1 char:1

+ Set-NaCifs -CifsServer filer-e01 -AuthType ad -SecurityStyle multiprotocol - ...

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : InvalidOperation: (1.1.1.1:NaController) [Set-NaCifs], EINTERNALERROR

    + FullyQualifiedErrorId : ApiException,DataONTAP.PowerShell.SDK.Cmdlets.Cifs.SetNaCifs

If I run the exact same command after creating the computer account manually, it succeeds without any errors. 

Thoughts as to why the cmdlet doesn't appear to be creating the computer account? 

I used the service account that I am specifying in the cmdlet to manually create the computer account, so I know that it has rights to do so.  The service account has full control permissions of the OU that I am trying to create the computer account in.

The filer that I am running this on is an FAS3170 running NetApp Release 8.1.3P1 7-Mode

SeanLuce
4,178 Views

Hey Matt,

You also need to add the following rights:

ALLOW change password and ALLOW Write public information

More details in this KB article:

https://kb.netapp.com/support/index?page=content&id=2011676&locale=en_US

If you are still stuck, give me a call.

Sean

OST

MATT_STOK
4,178 Views

Thanks for the information Sean!  If the service account has full control rights on the OU, and we can use the service account to manually create the computer account, wouldn't this be suffecient rights for that account when being used with the Set-NaCifs cmdlet?

SeanLuce
4,178 Views

To answer your question: No.

The user needs different rights depending on where you are authenticating from.

If you are authenticating from within windows/domain, you are using private keys.  However, if you are authenticating from outside of windows, you are using public keys.

From the KB article referenced above:

Note: The "ALLOW" requirements above are due to Microsoft publishing public and private Kerberos keys. Windows uses private keys and Data ONTAP uses public keys.

I did verify this in my lab.  I created a service account and tried to use the regular "cifs setup" from the ONTAP CLI.  It was not able to create the computer account and provided a more usable error message.

Public