Microsoft Virtualization Discussions

Set-NcCIfsSecurity HELP

drwoodberry
8,968 Views

I am trying to set SMB signing on my CIFS vserver. Every time I do so, I get an error. See below. I have tried many different methods, trying to pipe as well. Nothing. I have even tried setting $bool = $true and using $bool

 

I am running 8.3.2P2 with the latest powershell toolkit.

 

 

Get-NcVserver $cifsVserver | Set-NcCifsSecurity -IsSigningRequired $true
Set-NcCifsSecurity : Value cannot be null.
Parameter name: input
At line:1 char:30
+ ... -NcVserver $cifsVserver | Set-NcCifsSecurity -IsSigningRequired $true
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Set-NcCifsSecurity], ArgumentNullException
+ FullyQualifiedErrorId : System.ArgumentNullException,DataONTAP.C.PowerShell.SDK.Cmdlets.Cifs.SetNcCifsSecurity

 

Set-NcCifsSecurity -IsSigningRequired $true -VserverContext $cifsServerName
Set-NcCifsSecurity : Value cannot be null.
Parameter name: input
At line:1 char:1
+ Set-NcCifsSecurity -IsSigningRequired $true -VserverContext $cifsServ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Set-NcCifsSecurity], ArgumentNullException
+ FullyQualifiedErrorId : System.ArgumentNullException,DataONTAP.C.PowerShell.SDK.Cmdlets.Cifs.SetNcCifsSecurity

 

 

Set-NcCifsSecurity -IsSigningRequired true -VserverContext $cifsServerName
Set-NcCifsSecurity : Cannot convert 'System.String' to the type 'System.Nullable`1[System.Boolean]' required by parameter 'IsSigningRequired'.
At line:1 char:39
+ Set-NcCifsSecurity -IsSigningRequired true -VserverContext $cifsServe ...
+ ~~~~
+ CategoryInfo : InvalidArgument: (:) [Set-NcCifsSecurity], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgument,DataONTAP.C.PowerShell.SDK.Cmdlets.Cifs.SetNcCifsSecurity

1 ACCEPTED SOLUTION

asulliva
8,964 Views

Hello @drwoodberry,

 

You'll want to pipe "Get-NcCifsSecurity" into "Set-NcCifsSecurity"...

 

Get-NcVserver $svm | Get-NcCifsSecurity | Set-NcCifsSecurity -IsSigningRequired:$true

Hope that helps.

 

Andrew

If this post resolved your issue, please help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

View solution in original post

12 REPLIES 12

asulliva
8,965 Views

Hello @drwoodberry,

 

You'll want to pipe "Get-NcCifsSecurity" into "Set-NcCifsSecurity"...

 

Get-NcVserver $svm | Get-NcCifsSecurity | Set-NcCifsSecurity -IsSigningRequired:$true

Hope that helps.

 

Andrew

If this post resolved your issue, please help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

drwoodberry
8,930 Views

Thanks again @asulliva!

 

Why does it have to be piped though? The Set-NcCifsSecurity commandlet has a parameter for the vserver. I did attempt Get-NcCifsSecurity -VserverContext $svm | Set-NcCifsSecurity -IsSigningRequries $true but I do not think that worked either.

 

Just a little confused on the logic, but do appreciate the help!

asulliva
8,928 Views

@drwoodberry wrote:

Just a little confused on the logic


Me too...I'm opening a bug against the behavior, it's definitely not typical.

 

Since you found the bug, I'd be happy to mail you some stickers, just send me a private message with your mailing address : )

 

Andrew

If this post resolved your issue, please help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

drwoodberry
8,923 Views

Thank you,

 

And will do. 

kodavali
8,752 Views

I tried this way and it worked

 

Get-NcCifsSecurity -VserverContext infra | Set-NcCifsSecurity -IsSigningRequired $False

 

Not sure if this is the mothod works for you

drwoodberry
8,729 Views

By default it was set to false. Did you try changing it to $true and see if it worked? That syntax did not work for me when trying to set to $true. 

kodavali
8,723 Views

Yes it worked for me. Only difference is i used "$True" instead "$true" (all small characters). when i use all small characters it did not set the value.

 

Here is the output.

 

PS C:\test> Get-NcCifsSecurity -VserverContext infra|format-list


IsAesEncryptionEnabled                : False
IsPasswordComplexityRequired          : True
IsSigningRequired                     : False
IsSmbEncryptionRequired               : False
KerberosClockSkew                     : 5
KerberosKdcTimeout                    : 3
KerberosRenewAge                      : 7
KerberosTicketAge                     : 10
LmCompatibilityLevel                  : lm_ntlm_ntlmv2_krb
NcController                          : 10.195.49.190
SessionSecurityForAdLdap              :
UseStartTlsForAdLdap                  : False
Vserver                               : infra
IsAesEncryptionEnabledSpecified       : True
IsPasswordComplexityRequiredSpecified : True
IsSigningRequiredSpecified            : True
IsSmbEncryptionRequiredSpecified      : True
KerberosClockSkewSpecified            : True
KerberosKdcTimeoutSpecified           : True
KerberosRenewAgeSpecified             : True
KerberosTicketAgeSpecified            : True
UseStartTlsForAdLdapSpecified         : True

 

 

PS C:\test> Get-NcCifsSecurity -VserverContext infra | Set-NcCifsSecurity -IsSigningRequired $True
WARNING: 'KerberosKdcTimeout' parameter is not available for Data ONTAP 9.0 and up. Ignoring 'Kerberos
KdcTimeout'.

KerberosClockSkew          KerberosRenewAge         KerberosTicketAge
-----------------          ----------------         -----------------
                5                         7                        10

 

PS C:\test> Get-NcCifsSecurity -VserverContext infra|format-list


IsAesEncryptionEnabled                : False
IsPasswordComplexityRequired          : True
IsSigningRequired                     : True
IsSmbEncryptionRequired               : False
KerberosClockSkew                     : 5
KerberosKdcTimeout                    : 3
KerberosRenewAge                      : 7
KerberosTicketAge                     : 10
LmCompatibilityLevel                  : lm_ntlm_ntlmv2_krb
NcController                          : 10.195.49.190
SessionSecurityForAdLdap              :
UseStartTlsForAdLdap                  : False
Vserver                               : infra
IsAesEncryptionEnabledSpecified       : True
IsPasswordComplexityRequiredSpecified : True
IsSigningRequiredSpecified            : True
IsSmbEncryptionRequiredSpecified      : True
KerberosClockSkewSpecified            : True
KerberosKdcTimeoutSpecified           : True
KerberosRenewAgeSpecified             : True
KerberosTicketAgeSpecified            : True
UseStartTlsForAdLdapSpecified         : True

drwoodberry
8,718 Views

Can I ask what version of the toolkit and powershell you are using? I am wondering if it is a bug with my combination of versions. 

 

Sorry, I just re-read your reply about the syntax on the case sensitivity. I did not even think to try that, thank you!

 

Good catch. 

kodavali
8,711 Views

PSTK 4.2

PowerShell 5.1 (Server 2016 TP5)

ONTAP 9.0

coreywanless
7,295 Views

I'm having a similar issue. I think mine is a little different. I need to set the "IsAesEncryptionEnabled" option before joining the NAS to a domain. So some of the fields in the get-nccifssecurity returned object are blank. Thus, when the set command is running gives me that "Set-NcCifsSecurity : Value cannot be null." error message

 

PS > Get-NcCifsSecurity -VserverContext $vserver | format-list


IsAesEncryptionEnabled : False
IsPasswordComplexityRequired :
IsSigningRequired :
IsSmbEncryptionRequired :
KerberosClockSkew :
KerberosKdcTimeout :
KerberosRenewAge :
KerberosTicketAge :
LmCompatibilityLevel : lm_ntlm_ntlmv2_krb
NcController : wdcnagpb
SessionSecurityForAdLdap : none
UseStartTlsForAdLdap : False
Vserver : vspwdcnmpe02
IsAesEncryptionEnabledSpecified : True
IsPasswordComplexityRequiredSpecified : False
IsSigningRequiredSpecified : False
IsSmbEncryptionRequiredSpecified : False
KerberosClockSkewSpecified : False
KerberosKdcTimeoutSpecified : False
KerberosRenewAgeSpecified : False
KerberosTicketAgeSpecified : False
UseStartTlsForAdLdapSpecified : True

drwoodberry
7,288 Views

Have you tried to join to the domain first then setting the option? I would think that since a domain is required for CIFS, that option may not be available until the prerequisites are met.

 

Just a thought. 

coreywanless
7,249 Views

Unfortunately, in my setup I have to apply the setting before joining. The join operation fails otherwise. I setup a work around to perform an ssh command to  set the setting rather than trying to do it through the powershell commandlet.

Public