Solved: cifs permissions in a vfiler

cscott · ‎2013-07-30

Hello,

In trying to build a script to capture CIFS permissions, I am getting the following error:

Get-NaCifsShareAcl : Unable to find API : cifs-share-acl-list-iter-start for vfiler VFILER_NAME

Is it possible to pull the ACL list for a share from a vfiler? This works from the physical frame without issue and I can enumerate the shares themselves without issue, it is just the ACL that is not working.

I have attached a copy of the script, which is just a start, no error checking, formatting is not proper, etc. What I need is to build an output of:

physical frame name / vfiler name

share name

Username AccessRights

group1 full control

group2 read

I know that the file system permissions are more significant, however we are responsible for providing the share permisssions, the Windows admins are responsible after that.

I have tested from my laptop using Windows 7 and a Windows server 2008r2 system, both running version 2.1.0.205 of the toolkit, the ONTAP version is 8.1.2p4

-Scott

madden · ‎2013-08-06

Hi Scott,

This underlying API used by the cmdlet "cifs-share-acl-list-iter-start" does not appear to be implemented in the vfiler context. The next best option is probably to use invoke-nassh to run cifs shares in the vfiler context and parsethat CLI output. Not ideal, but at least a way forward.

Cheers,

Chris

Message was edited by: ChristopherAustin Madden UPDATE: A colleague has done exactly what I mentioned above and will post the powershell code later today.

View solution in original post

madden · ‎2013-08-06

Hi Scott,

This underlying API used by the cmdlet "cifs-share-acl-list-iter-start" does not appear to be implemented in the vfiler context. The next best option is probably to use invoke-nassh to run cifs shares in the vfiler context and parsethat CLI output. Not ideal, but at least a way forward.

Cheers,

Chris

Message was edited by: ChristopherAustin Madden UPDATE: A colleague has done exactly what I mentioned above and will post the powershell code later today.

cscott · ‎2013-08-06

Thank you Chris,

I was afraid that was the answer, the ACL cmdlet is so much nicer to work with. Oh well, off to get it working using another avenue!.

-Scott

mirko · ‎2013-08-06

Hi Scott,

I've created a CLI parser a few days ago.

I needed to rename a qtree and recreate a corresponding cifs share & NFS exports.

I bumped into this burt and wrote this CLI parser. It still needs some testing, but it comes pretty close.

# container for the ACL result

$global:aclList = @()

##################################################################

# THIS Function IS PURELY FOR A BURT IN DATAONTAP 8.0 and 8.1

# It is fixed in 8.2

# The API calls fail for the cmdlet Get-NaCifsShareAcl within vfiler context

# This way we detect the version and use a CLI parser instead

# Creation : mirko@netap.com

##################################################################

# This function parses the output of CLI "vfiler run cifs shares"

function parseCifsSharesOutput($output){

# get the list of the shares (this command is not affected by the burt)

$shares = Get-NaCifsShare

$acls = @()

$tempshare = ""

$shareObj = New-Object DataONTAP.Types.Cifs.AccessRightsInfo

# parse the lines

$lines = $output -split "`n"

foreach($line in $lines){

# if were are past the "----" lines, we can can start parsing

if($infostarted){

# it the line is start with a "tab", it's an acl

if($line.StartsWith("`t")){

# ACL found

$line = $line.Trim()

$acl = $line.Split("/")

if($acl.Count -eq 2){

$newacl = New-Object DataONTAP.Types.Cifs.AccessRightsInfo

$newacl.UserName = $acl[0].Trim()

$newacl.AccessRights = $acl[1].Trim()

$acls[$acls.Length-1].UserAclInfo += $newacl

}

# if the line does not start with "tab", it is a new share entry

}else{

# new share found

$line = $line.Trim()

# ignore blank lines (normally at the end)

if($line -ne ""){

$share = $line -split "\s+/"

$tempshare = $shares | where{$_.ShareName -eq $share[0].Trim()}

if($tempshare){

$shareObj = New-Object DataONTAP.Types.Cifs.CifsShareAclInfo

$shareObj.ShareName = $tempshare.ShareName

$acls += $shareObj

}

# we ignore all lines until we come accross "----"

if($line.StartsWith("----")){

$infostarted = $true

}

# we must use a global variabel to get this out of the function scope

$global:aclList = $acls

}

# this is a replacement for get-nacifsshareacl

function getNaCifsShareAcl($vfiler){

# Get the version

$version = Get-NaSystemVersion

if ($version.Contains("8.0") -or $version.Contains("8.1"))

{

$useCli = $true

}

else

{

$useCli = $false

}

if($useCli){

# because of the burt, we get the ACL info through CLI instead

$command = "vfiler run $vfiler cifs shares"

Invoke-NaSsh -Command $command -WarningVariable warningMsg -OutVariable outMsg -ErrorVariable errorMsg 2>&1 | Out-Null

# if the command was errorless

if(-not $warningMsg -and -not $errorMsg){

parseCifsSharesOutput $outMsg

}else{

Throw "Warning : $warningMsg`nError : $errorMsg"

}

}else{

$global:aclList = Get-NaCifsShareAcl

}

$global:aclList | ft

}

cscott · ‎2013-08-08

Thanks Mirko,

I will take a look at this, I appreciate you posting it for me.

-Scott