Microsoft Virtualization Discussions
I am trying to set SMB signing on my CIFS vserver. Every time I do so, I get an error. See below. I have tried many different methods, trying to pipe as well. Nothing. I have even tried setting $bool = $true and using $bool.
I am running 8.3.2P2 with the latest powershell toolkit.
Get-NcVserver $cifsVserver | Set-NcCifsSecurity -IsSigningRequired $true
Set-NcCifsSecurity : Value cannot be null.
Parameter name: input
At line:1 char:30
+ ... -NcVserver $cifsVserver | Set-NcCifsSecurity -IsSigningRequired $true
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Set-NcCifsSecurity], ArgumentNullException
+ FullyQualifiedErrorId : System.ArgumentNullException,DataONTAP.C.PowerShell.SDK.Cmdlets.Cifs.SetNcCifsSecurity
Set-NcCifsSecurity -IsSigningRequired $true -VserverContext $cifsServerName
Set-NcCifsSecurity : Value cannot be null.
Parameter name: input
At line:1 char:1
+ Set-NcCifsSecurity -IsSigningRequired $true -VserverContext $cifsServ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Set-NcCifsSecurity], ArgumentNullException
+ FullyQualifiedErrorId : System.ArgumentNullException,DataONTAP.C.PowerShell.SDK.Cmdlets.Cifs.SetNcCifsSecurity
Set-NcCifsSecurity -IsSigningRequired true -VserverContext $cifsServerName
Set-NcCifsSecurity : Cannot convert 'System.String' to the type 'System.Nullable`1[System.Boolean]' required by parameter 'IsSigningRequired'.
At line:1 char:39
+ Set-NcCifsSecurity -IsSigningRequired true -VserverContext $cifsServe ...
+ ~~~~
+ CategoryInfo : InvalidArgument: (:) [Set-NcCifsSecurity], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgument,DataONTAP.C.PowerShell.SDK.Cmdlets.Cifs.SetNcCifsSecurity
Hello @drwoodberry,
You'll want to pipe "Get-NcCifsSecurity" into "Set-NcCifsSecurity"...
Get-NcVserver $svm | Get-NcCifsSecurity | Set-NcCifsSecurity -IsSigningRequired:$true
Hope that helps.
Andrew
Thanks again @asulliva!
Why does it have to be piped though? The Set-NcCifsSecurity commandlet has a parameter for the vserver. I did attempt Get-NcCifsSecurity -VserverContext $svm | Set-NcCifsSecurity -IsSigningRequries $true but I do not think that worked either.
Just a little confused on the logic, but do appreciate the help!
@drwoodberry wrote:
Just a little confused on the logic
Me too...I'm opening a bug against the behavior, it's definitely not typical.
Since you found the bug, I'd be happy to mail you some stickers, just send me a private message with your mailing address : )
Andrew
Thank you,
And will do.
I tried this way and it worked
Get-NcCifsSecurity -VserverContext infra | Set-NcCifsSecurity -IsSigningRequired $False
Not sure if this method works for you.
By default it was set to false. Did you try changing it to $true and see if it worked? That syntax did not work for me when trying to set to $true.
Yes, it worked for me. The only difference is I used "$True" instead of "$true" (all small characters). When I use all small characters, it did not set the value.
Here is the output.
PS C:\test> Get-NcCifsSecurity -VserverContext infra|format-list
IsAesEncryptionEnabled : False
IsPasswordComplexityRequired : True
IsSigningRequired : False
IsSmbEncryptionRequired : False
KerberosClockSkew : 5
KerberosKdcTimeout : 3
KerberosRenewAge : 7
KerberosTicketAge : 10
LmCompatibilityLevel : lm_ntlm_ntlmv2_krb
NcController : 10.195.49.190
SessionSecurityForAdLdap :
UseStartTlsForAdLdap : False
Vserver : infra
IsAesEncryptionEnabledSpecified : True
IsPasswordComplexityRequiredSpecified : True
IsSigningRequiredSpecified : True
IsSmbEncryptionRequiredSpecified : True
KerberosClockSkewSpecified : True
KerberosKdcTimeoutSpecified : True
KerberosRenewAgeSpecified : True
KerberosTicketAgeSpecified : True
UseStartTlsForAdLdapSpecified : True
PS C:\test> Get-NcCifsSecurity -VserverContext infra | Set-NcCifsSecurity -IsSigningRequired $True
WARNING: 'KerberosKdcTimeout' parameter is not available for Data ONTAP 9.0 and up. Ignoring 'KerberosKdcTimeout'.
KerberosClockSkew KerberosRenewAge KerberosTicketAge
----------------- ---------------- -----------------
5 7 10
PS C:\test> Get-NcCifsSecurity -VserverContext infra|format-list
IsAesEncryptionEnabled : False
IsPasswordComplexityRequired : True
IsSigningRequired : True
IsSmbEncryptionRequired : False
KerberosClockSkew : 5
KerberosKdcTimeout : 3
KerberosRenewAge : 7
KerberosTicketAge : 10
LmCompatibilityLevel : lm_ntlm_ntlmv2_krb
NcController : 10.195.49.190
SessionSecurityForAdLdap :
UseStartTlsForAdLdap : False
Vserver : infra
IsAesEncryptionEnabledSpecified : True
IsPasswordComplexityRequiredSpecified : True
IsSigningRequiredSpecified : True
IsSmbEncryptionRequiredSpecified : True
KerberosClockSkewSpecified : True
KerberosKdcTimeoutSpecified : True
KerberosRenewAgeSpecified : True
KerberosTicketAgeSpecified : True
UseStartTlsForAdLdapSpecified : True
Can I ask what version of the toolkit and powershell you are using? I am wondering if it is a bug with my combination of versions.
Sorry, I just re-read your reply about the syntax on the case sensitivity. I did not even think to try that, thank you!
Good catch.
PSTK 4.2
PowerShell 5.1 (Server 2016 TP5)
ONTAP 9.0
I'm having a similar issue. I think mine is a little different. I need to set the "IsAesEncryptionEnabled" option before joining the NAS to a domain. So some of the fields in the object returned by Get-NcCifsSecurity are blank. Thus, when the set command runs, it gives me that "Set-NcCifsSecurity : Value cannot be null." error message.
PS > Get-NcCifsSecurity -VserverContext $vserver | format-list
IsAesEncryptionEnabled : False
IsPasswordComplexityRequired :
IsSigningRequired :
IsSmbEncryptionRequired :
KerberosClockSkew :
KerberosKdcTimeout :
KerberosRenewAge :
KerberosTicketAge :
LmCompatibilityLevel : lm_ntlm_ntlmv2_krb
NcController : wdcnagpb
SessionSecurityForAdLdap : none
UseStartTlsForAdLdap : False
Vserver : vspwdcnmpe02
IsAesEncryptionEnabledSpecified : True
IsPasswordComplexityRequiredSpecified : False
IsSigningRequiredSpecified : False
IsSmbEncryptionRequiredSpecified : False
KerberosClockSkewSpecified : False
KerberosKdcTimeoutSpecified : False
KerberosRenewAgeSpecified : False
KerberosTicketAgeSpecified : False
UseStartTlsForAdLdapSpecified : True
Have you tried to join to the domain first then setting the option? I would think that since a domain is required for CIFS, that option may not be available until the prerequisites are met.
Just a thought.
Unfortunately, in my setup I have to apply the setting before joining. The join operation fails otherwise. I set up a workaround to perform an ssh command to set the setting rather than trying to do it through the PowerShell commandlet.
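An added example, not from any poster in this thread or from NetApp: because the posts above report differing results, this sketch applies the piped form from the accepted answer and then reads the setting back to confirm that SMB signing is actually required. It skips SVMs whose fields come back unpopulated, the case described in the last post. The function name `Set-SmbSigningRequired` is hypothetical, and an existing `Connect-NcController` session is assumed.

```powershell
# Added example (hypothetical helper, not part of the NetApp PowerShell Toolkit).
# Assumes a controller session was already opened with Connect-NcController.
function Set-SmbSigningRequired {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Vserver   # SVM names to audit and fix
    )
    foreach ($svm in $Vserver) {
        $before = Get-NcCifsSecurity -VserverContext $svm
        $result = [pscustomobject]@{ Vserver = $svm; Before = $null; After = $null; Status = '' }

        if (-not $before) {
            $result.Status = 'NoCifsSecurityObject'
        }
        elseif (-not $before.IsSigningRequiredSpecified) {
            # Case from the last post: the SVM is not yet domain-joined, the fields
            # are blank, and the Set call was reported to fail with "Value cannot be null".
            $result.Status = 'Skipped-FieldsNotPopulated'
        }
        elseif ($before.IsSigningRequired) {
            $result.Before = $true
            $result.After  = $true
            $result.Status = 'AlreadyCompliant'
        }
        elseif ($PSCmdlet.ShouldProcess($svm, 'Require SMB signing')) {
            $result.Before = $false
            try {
                # Pipe the current settings object into Set, as in the accepted answer.
                $before | Set-NcCifsSecurity -IsSigningRequired:$true -ErrorAction Stop | Out-Null
                # Read the value back instead of trusting the Set call's output.
                $result.After  = (Get-NcCifsSecurity -VserverContext $svm).IsSigningRequired
                $result.Status = if ($result.After) { 'Changed' } else { 'NotApplied' }
            }
            catch {
                $result.Status = "Failed: $($_.Exception.Message)"
            }
        }
        else {
            $result.Before = $false
            $result.Status = 'WhatIf-WouldChange'
        }
        $result   # one status object per SVM, suitable for Export-Csv or alerting
    }
}

# Dry run against the SVM name shown in the thread's output:
# Set-SmbSigningRequired -Vserver 'infra' -WhatIf
```

A `NotApplied` status means the Set call returned without error but the read-back still shows signing as not required, which is the silent failure to watch for when rolling this out across several SVMs.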