Microsoft Virtualization Discussions

cifs permissions in a vfiler

cscott
6,413 Views

Hello,

     In trying to build a script to capture CIFS permissions, I am getting the following error:

Get-NaCifsShareAcl : Unable to find API : cifs-share-acl-list-iter-start for vfiler  VFILER_NAME

Is it possible to pull the ACL list for a share from a vfiler?  This works from the physical frame without issue and I can enumerate the shares themselves without issue, it is just the ACL that is not working.

I have attached a copy of the script, which is just a start, no error checking, formatting is not proper, etc.  What I need is to build an output of:

physical frame name / vfiler name

share name

Username     AccessRights

group1          full control

group2          read

I know that the file system permissions are more significant, however we are responsible for providing the share permisssions, the Windows admins are responsible after that.

I have tested from my laptop using Windows 7 and a Windows server 2008r2 system, both running version 2.1.0.205 of the toolkit, the ONTAP version is 8.1.2p4

-Scott

1 ACCEPTED SOLUTION

madden
6,413 Views

Hi Scott,

This underlying API used by the cmdlet "cifs-share-acl-list-iter-start" does not appear to be implemented in the vfiler context.  The next best option is probably to use invoke-nassh to run cifs shares in the vfiler context and parsethat CLI output.  Not ideal, but at least a way forward.

Cheers,

Chris

Message was edited by: ChristopherAustin Madden UPDATE: A colleague has done exactly what I mentioned above and will post the powershell code later today.

View solution in original post

4 REPLIES 4

madden
6,414 Views

Hi Scott,

This underlying API used by the cmdlet "cifs-share-acl-list-iter-start" does not appear to be implemented in the vfiler context.  The next best option is probably to use invoke-nassh to run cifs shares in the vfiler context and parsethat CLI output.  Not ideal, but at least a way forward.

Cheers,

Chris

Message was edited by: ChristopherAustin Madden UPDATE: A colleague has done exactly what I mentioned above and will post the powershell code later today.

cscott
6,413 Views

Thank you Chris,

     I was afraid that was the answer, the ACL cmdlet is so much nicer to work with.  Oh well, off to get it working using another avenue!.

-Scott

mirko
6,413 Views

Hi Scott,

I've created a CLI parser a few days ago.

I needed to rename a qtree and recreate a corresponding cifs share & NFS exports.

I bumped into this burt and wrote this CLI parser.  It still needs some testing, but it comes pretty close.

# container for the ACL result

$global:aclList = @()

##################################################################

# THIS Function IS PURELY FOR A BURT IN DATAONTAP 8.0 and 8.1

# It is fixed in 8.2

# The API calls fail for the cmdlet Get-NaCifsShareAcl within vfiler context

# This way we detect the version and use a CLI parser instead

# Creation : mirko@netap.com

##################################################################

# This function parses the output of CLI "vfiler run cifs shares"

function parseCifsSharesOutput($output){

    # get the list of the shares (this command is not affected by the burt)

    $shares = Get-NaCifsShare

    $acls = @()

    $tempshare = ""

    $shareObj = New-Object DataONTAP.Types.Cifs.AccessRightsInfo

    # parse the lines

    $lines = $output -split "`n"

    foreach($line in $lines){

        # if were are past the "----" lines, we can can start parsing

        if($infostarted){

            # it the line is start with a "tab", it's an acl

            if($line.StartsWith("`t")){

                # ACL found

                $line = $line.Trim()

                $acl = $line.Split("/")

                if($acl.Count -eq 2){

                    $newacl = New-Object DataONTAP.Types.Cifs.AccessRightsInfo

                    $newacl.UserName = $acl[0].Trim()

                    $newacl.AccessRights = $acl[1].Trim()

                    $acls[$acls.Length-1].UserAclInfo += $newacl

                }

            # if the line does not start with "tab", it is a new share entry

            }else{

                # new share found

                $line = $line.Trim()

                # ignore blank lines (normally at the end)

                if($line -ne ""){

                    $share = $line -split "\s+/"

                    $tempshare = $shares | where{$_.ShareName -eq $share[0].Trim()}

                    if($tempshare){

                        $shareObj = New-Object DataONTAP.Types.Cifs.CifsShareAclInfo

                        $shareObj.ShareName = $tempshare.ShareName

                        $acls += $shareObj

                    }

                }

            }

        }

        # we ignore all lines until we come accross "----"

        if($line.StartsWith("----")){

            $infostarted = $true

        }

    }

    # we must use a global variabel to get this out of the function scope

    $global:aclList = $acls

}

# this is a replacement for get-nacifsshareacl

function getNaCifsShareAcl($vfiler){

    # Get the version

    $version = Get-NaSystemVersion

    if ($version.Contains("8.0") -or $version.Contains("8.1"))

    {

        $useCli = $true

    }

    else

    {

        $useCli = $false

    }   

    if($useCli){

        # because of the burt, we get the ACL info through CLI instead

        $command = "vfiler run $vfiler cifs shares"

        Invoke-NaSsh -Command $command -WarningVariable warningMsg -OutVariable outMsg -ErrorVariable errorMsg 2>&1 | Out-Null

        # if the command was errorless

        if(-not $warningMsg -and -not $errorMsg){

            parseCifsSharesOutput $outMsg

        }else{

            Throw "Warning : $warningMsg`nError : $errorMsg"

        }

    }else{

        $global:aclList = Get-NaCifsShareAcl

    }

    $global:aclList | ft

}

cscott
6,413 Views

Thanks Mirko,

     I will take a look at this, I appreciate you posting it for me.

-Scott

Public