Hi Sjalla,

You are correct, the Set-NaVfilerPassword cmdlet should set the password for the vfiler root user.  I have a few questions:

- What version of Data ONTAP are you using?

- Are you creating the vfiler using the New-NaVfiler cmdlet?  If not, how are you creating the vfiler?

- Are you using any other Set-NaVfiler* cmdlets in your process?  If so, which ones?

Thanks,

Steven

***Edit (with a little more information)***

This is a known issue with ONTAP where the API that Set-NaVfilerPassword uses does not update the password if the root user already exists.  There is no short-term resolution plan.  You can workaround this by connecting directly to the vfiler and using Set-NaUserPassword.

I have tested with Toolkit 1.3 against  7.3.5.1 and 8.0.1P3 (and also earlier releases) with the same result,

no root user.

example script:

------------------

$naCred = (get-credential root)
Connect-NaController fas2040a -credential $naCred
New-NaVol -name testvf_root -aggregate aggr0 -size 100m
New-NaVol -name testvf_vol1 -aggregate aggr0 -size 100m
Set-NaQtree /vol/testvf_vol1 -SecurityStyle "ntfs"

New-NaVfiler testvf -addresses 10.1.1.100 -storage /vol/testvf_root,/vol/testvf_vol1
Set-NaVfilerPassword testvf secret1234
Set-NaVfilerProtocol testvf -DisallowProtocols nfs,iscsi,rsh
Invoke-NaSsh vfiler run testvf secureadmin setup -q ssh 768 512 768

$ipb = New-Object NetApp.Ontapi.Filer.Vfiler73.IpbindingInfo
$ipb.Interface = "e0a"
$ipb.Ipaddress = "10.1.1.100"
$ipb.Netmask = "255.255.255.0"
Set-NaVfilerAddress testvf -IpBindingInfo $ipb
Set-NaVfilerDns testvf -DnsDomain test.local -DnsServerAddresses 10.1.1.50

Thank you for the sample script.  With that, I was able to reproduce the behavior you are describing.  The Set-NaVfilerPassword cmdlet makes use of the vfiler-setup API, which allows us to set up several properties of the vfiler (Set-NaVfilerAddress, Set-NaVfilerAdminHost, Set-NaVfilerDns, and Set-NaVfilerNis also make use of vfiler-setup).  In order for the vfiler-setup API to create the root account, the IP bindings must be passed along in the same API call.  This is not currently how the Set-NaVfilerPassword cmdlet works, so the root account is not created.

The good news is, the forthcoming toolkit 1.4 includes a cmdlet Invoke-NaSystemApi which allows you to send raw API requests to Data ONTAP.  I've copied a sample script below that I have used to successfully create a vfiler with a root account.

Because of the issue I mentioned in my previous post, it is recommended that any subsequent password changes are accomplished by connecting directly to the vfiler and using Set-NaUserPassword.

I hope that helps,

Steven

OK!

Invoke-NaSystemApi is a great addition to the kit.

Does this mean that it is not possible to do this with PowerShell only before tollkit 1.4 is out?

(any estimates on when 1.4 will be out?)

Regards

Sjalla

Hi, Sjalla.  We weren't aware that ONTAP's vfiler-setup API had this bug you identified, so thanks for pointing it out.  Steven's suggestion should work with Toolkit 1.4, due "soon".  You might also try his suggestion of connecting directly to the vfiler and issuing Set-NaUserPassword.  I've also captured an enhancement request to add a vfiler setup cmdlet to a future release that would let you more fully configure a vfiler in one call.

Sjalla, Toolkit 1.4 is available now.  Please let us know how it goes with Invoke-NaSystemApi.