Microsoft Virtualization Discussions
Hi!
I am trying to automate the creation of AD integrated CIFS Servers with VFilers (Multistore) via the PowerShell Toolkit, but I am having some problems with that.
This is my script, so far everything works fine:
$nahost = "netapp01"
$navfiler = "myvfiler1"
$navfiler_root = $navfiler + "_root"
Connect-NaController $nahost
New-NaVol $navfiler_root aggr_data 500m -SpaceReserve none
New-NaVfiler $navfiler -Addresses 10.68.33.251 -Storage $navfiler_root
$b = New-Object NetApp.Ontapi.Filer.Vfiler73.IpbindingInfo
$b.Interface = "e0a"
$b.Ipaddress = "10.68.33.251"
$b.Netmask = "255.255.255.0"
Set-NaVfilerAddress $navfiler -IpBindingInfo $b
Set-NaVfilerDns $navfiler vie.demo 10.68.33.10 10.68.33.9
Set-NaVfilerPassword $navfiler p@ssw0rd
Connect-NaController $nahost -Vfiler $navfiler
When I then try to add the vfiler to the domain, I am getting errors:
Set-NaCifs -CifsServer $navfiler -AuthType ad -SecurityStyle ntfs -Domain mydomain.net -User Administrator -Password p@ssw0rd
Set-NaCifs : Unable to continue with cifs setup, as the /etc/passwd and/or /etc/group files are missing and none of the
alternative authentication methods are enabled.
At line:1 char:11
+ Set-NaCifs <<<< -CifsServer $navfiler -AuthType ad -SecurityStyle ntfs -Domain mydomain.net -User Administrator -Passwor
d p@ssw0rd
+ CategoryInfo : InvalidOperation: (netapp01:NaController) [Set-NaCifs], ECIFS_PASSWD_AND_GROUP_REQUIRED
+ FullyQualifiedErrorId : ApiException,DataONTAP.PowerShell.SDK.Cmdlets.Cifs.SetNaCifs
Then I have tried, for example, to add a local User to the vfiler, but it also fails:
New-NaUser Administrator p@ssw0rd Administrators
New-NaUser : Could not add user <Administrator>. Error: User cannot access group(s)
At line:1 char:11
+ New-NaUser <<<< Administrator p@ssw0rd Administrators
+ CategoryInfo : InvalidOperation: (netapp01:NaController) [New-NaUser], EINTERNALERROR
+ FullyQualifiedErrorId : ApiException,DataONTAP.PowerShell.SDK.Cmdlets.Useradmin.NewNaUser
When I add a user to the hosting-filer, everything works fine.
But I can list the groups of the vfiler...
Get-NaGroup
Name Comment Roles
---- ------- -----
Administrators Members can fully administer the filer {admin}
Backup Operators Members can bypass file security to b... {backup}
Compliance Admini... Members can perform compliance operat... {compliance}
Guests Users granted Guest Access {none}
Power Users Members that can share directories {power}
Replicators not supported {none}
Users Ordinary Users {audit}
Any ideas what can be wrong?
Kind regards,
Matthias
Hi Matthias,
The /etc/passwd & /etc/group files do not exist on new filers/vfilers, so you may have to create them. You can use the "New-NaCifsPasswordFile" and "New-NaCifsGroupFile" commandlets without any arguments to create them. After that "Set-NaCifs" should work.
I've run into the error where I could not create users through a vfiler context in PowerShell/ZAPI but I could through the commandline, but I don't recall what the problem is/was. Anybody else want to chime in with the answer to that one?
Hi Eric,
great, thank you, Set-NaCifs works now.
With New-NaUser I receive the same error. Probably there's another one out there who knows about the problem with vfilers and local users?
Kind regards,
Matthias
Matthias,
Which version of the Toolkit are you using? If you issue a Get-NaUser command to the vfiler, is there a root user in the output? I am able to reproduce the issue on my side if I try New-NaUser before a root user exists on the vfiler. If you are using a pre-1.5 version of the toolkit (toolkit 1.5 was just released at the end of last week), then the Set-NaVfilerPassword cmdlet will fail to create the root user on the vfiler if it does not already exist. See this thread for more information: http://communities.netapp.com/thread/14445
In my test, once the root user was created, New-NaUser worked as expected.
Hope that helps,
Steven
Hi Beam!
I am using v1.5 of the toolkit. The root user exists:
PS C:\Users\Administrator> Get-NaUser
Name Comment Groups
---- ------- ------
root {Administrators}
Regards,
Matthias
Interesting... does the same issue occur if you use Connect-NaController to connect to the vfiler directly?
$vfiler_ip = "10.68.33.251"
$vfiler_password = ConvertTo-SecureString "p@ssw0rd" -AsPlainText -Force
$ps_cred = New-Object System.Management.Automation.PSCredential @("root", $vfiler_password)
Connect-NaController $vfiler_ip -HTTP -Credential $ps_cred
-Steven
Hi Steven!
This works!
But I guess it should work running it with "Connect-NaController $nahost -Vfiler $navfiler" as well?
Cheers,
Matthias
I think the problem is the useradmin-* ZAPIs expect the user of the pfiler to exist on the vfiler when called using vfiler tunneling. In my case, I was logged into the pfiler as root, so everything worked for me once the root account was created on the vfiler. Connecting directly to the vfiler avoids this. Once you create the necessary users on the vfiler you should be able to go back to using vfiler tunneling.
-Steven
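The sequence the replies above arrive at, as an added PowerShell example (not part of any post and not the script Matthias published): create the passwd and group files, join the domain through vfiler tunneling, connect directly to the vfiler to add the local user, then return to tunneling. It assumes the vfiler already exists as in the original script and toolkit 1.5 or later, uses only cmdlets and parameters that appear in the thread, and prompts for passwords instead of embedding them; `New-PromptedCredential` and `Get-PlainPassword` are hypothetical helper names.

```powershell
# Added example; host, vfiler, IP and domain values are the thread's own.
$ErrorActionPreference = "Stop"
$nahost   = "netapp01"
$navfiler = "myvfiler1"
$vfilerIp = "10.68.33.251"
$domain   = "mydomain.net"

# Hypothetical helper: prompt for a password at run time, never store it in the script.
function New-PromptedCredential([string]$User, [string]$Prompt) {
    $secure = Read-Host $Prompt -AsSecureString
    New-Object System.Management.Automation.PSCredential($User, $secure)
}
# Hypothetical helper: the cmdlets used in the thread take the password as a plain string.
function Get-PlainPassword([System.Management.Automation.PSCredential]$Credential) {
    $Credential.GetNetworkCredential().Password
}

$vfilerRoot  = New-PromptedCredential "root" "Password for vfiler root"
$domainAdmin = New-PromptedCredential "Administrator" "Password for the AD join account"
$localAdmin  = New-PromptedCredential "Administrator" "Password for the new local vfiler user"

# 1. On the hosting filer: set the vfiler root password. Per the thread, toolkit 1.5
#    or later is needed for this to create the root user when it does not exist yet.
Connect-NaController $nahost | Out-Null
Set-NaVfilerPassword $navfiler (Get-PlainPassword $vfilerRoot)

# 2. Through vfiler tunneling: create /etc/passwd and /etc/group, then join AD.
Connect-NaController $nahost -Vfiler $navfiler | Out-Null
New-NaCifsPasswordFile
New-NaCifsGroupFile
Set-NaCifs -CifsServer $navfiler -AuthType ad -SecurityStyle ntfs -Domain $domain `
    -User $domainAdmin.UserName -Password (Get-PlainPassword $domainAdmin)

# 3. Directly on the vfiler (-HTTP as in the thread's test): confirm that root
#    exists, then add the local user. Over plain HTTP the login is not encrypted.
Connect-NaController $vfilerIp -HTTP -Credential $vfilerRoot | Out-Null
if (-not (Get-NaUser | Where-Object { $_.Name -eq "root" })) {
    throw "No root user on $navfiler; New-NaUser is expected to fail."
}
New-NaUser $localAdmin.UserName (Get-PlainPassword $localAdmin) Administrators

# 4. Back to vfiler tunneling for the rest of the automation.
Connect-NaController $nahost -Vfiler $navfiler | Out-Null
```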
Fine, works!
I have made comments to the script and published it.
http://communities.netapp.com/docs/DOC-11999
Thanks for your help!
Regards,
Matthias