Microsoft Virtualization Discussions

cifs permissions in a vfiler

cscott

Hello,

     In trying to build a script to capture CIFS permissions, I am getting the following error:

Get-NaCifsShareAcl : Unable to find API : cifs-share-acl-list-iter-start for vfiler  VFILER_NAME

Is it possible to pull the ACL list for a share from a vfiler?  This works from the physical frame without issue and I can enumerate the shares themselves without issue, it is just the ACL that is not working.

I have attached a copy of the script, which is just a start, no error checking, formatting is not proper, etc.  What I need is to build an output of:

physical frame name / vfiler name

share name

Username     AccessRights

group1          full control

group2          read

I know that the file system permissions are more significant, however we are responsible for providing the share permissions, the Windows admins are responsible after that.

I have tested from my laptop using Windows 7 and a Windows server 2008r2 system, both running version 2.1.0.205 of the toolkit, the ONTAP version is 8.1.2p4

-Scott

1 ACCEPTED SOLUTION

madden

Hi Scott,

This underlying API used by the cmdlet "cifs-share-acl-list-iter-start" does not appear to be implemented in the vfiler context.  The next best option is probably to use invoke-nassh to run cifs shares in the vfiler context and parse that CLI output.  Not ideal, but at least a way forward.

Cheers,

Chris

Message was edited by: ChristopherAustin Madden UPDATE: A colleague has done exactly what I mentioned above and will post the powershell code later today.


4 REPLIES 4

mirko

Hi Scott,

I've created a CLI parser a few days ago.

I needed to rename a qtree and recreate a corresponding cifs share & NFS exports.

I bumped into this burt and wrote this CLI parser.  It still needs some testing, but it comes pretty close.

# container for the ACL result
$global:aclList = @()

##################################################################
# THIS Function IS PURELY FOR A BURT IN DATAONTAP 8.0 and 8.1
# It is fixed in 8.2
# The API calls fail for the cmdlet Get-NaCifsShareAcl within vfiler context
# This way we detect the version and use a CLI parser instead
# Creation : mirko@netap.com
##################################################################

# This function parses the output of CLI "vfiler run cifs shares"
function parseCifsSharesOutput($output){
    # get the list of the shares (this command is not affected by the burt)
    $shares = Get-NaCifsShare
    $acls = @()
    $tempshare = ""
    # share that the following ACL lines belong to ($null = none matched yet)
    $shareObj = $null
    # becomes $true once the "----" header line has been seen
    $infostarted = $false
    # parse the lines
    $lines = $output -split "`n"
    foreach($line in $lines){
        # if we are past the "----" line, we can start parsing
        if($infostarted){
            # if the line starts with a "tab", it's an acl
            if($line.StartsWith("`t")){
                # ACL found
                $line = $line.Trim()
                $acl = $line.Split("/")
                # only attach the ACL when its share was matched, so it is
                # never added to a previous, unrelated share
                if($acl.Count -eq 2 -and $shareObj){
                    $newacl = New-Object DataONTAP.Types.Cifs.AccessRightsInfo
                    $newacl.UserName = $acl[0].Trim()
                    $newacl.AccessRights = $acl[1].Trim()
                    $shareObj.UserAclInfo += $newacl
                }
            # if the line does not start with "tab", it is a new share entry
            }else{
                # new share found
                $line = $line.Trim()
                # ignore blank lines (normally at the end)
                if($line -ne ""){
                    $share = $line -split "\s+/"
                    $tempshare = $shares | where{$_.ShareName -eq $share[0].Trim()}
                    if($tempshare){
                        $shareObj = New-Object DataONTAP.Types.Cifs.CifsShareAclInfo
                        $shareObj.ShareName = $tempshare.ShareName
                        $acls += $shareObj
                    }else{
                        # unknown share: skip its ACL lines
                        $shareObj = $null
                    }
                }
            }
        }
        # we ignore all lines until we come across "----"
        if($line.StartsWith("----")){
            $infostarted = $true
        }
    }
    # we must use a global variable to get this out of the function scope
    $global:aclList = $acls
}

# this is a replacement for get-nacifsshareacl
function getNaCifsShareAcl($vfiler){
    # Get the version
    $version = Get-NaSystemVersion
    if ($version.Contains("8.0") -or $version.Contains("8.1"))
    {
        $useCli = $true
    }
    else
    {
        $useCli = $false
    }
    if($useCli){
        # because of the burt, we get the ACL info through CLI instead
        $command = "vfiler run $vfiler cifs shares"
        Invoke-NaSsh -Command $command -WarningVariable warningMsg -OutVariable outMsg -ErrorVariable errorMsg 2>&1 | Out-Null
        # if the command was errorless
        if(-not $warningMsg -and -not $errorMsg){
            parseCifsSharesOutput $outMsg
        }else{
            Throw "Warning : $warningMsg`nError : $errorMsg"
        }
    }else{
        $global:aclList = Get-NaCifsShareAcl
    }
    $global:aclList | ft
}
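An added example, not part of the post above or of the toolkit: the same parse without the toolkit types, emitting one row per share/ACL pair in the frame / vfiler / share / user / rights layout asked for in the question, so it can be checked offline before being pointed at Invoke-NaSsh output. The function name ConvertTo-ShareAclRow, the sample text and the names filer01, vfiler01 and EXAMPLE are constructed; the output layout is assumed from what the parser above expects.

```powershell
# Added example: flatten "cifs shares" text into one row per share/ACL entry.
# ConvertTo-ShareAclRow and its parameters are hypothetical names.
function ConvertTo-ShareAclRow {
    param(
        [string]$Filer,     # physical frame name
        [string]$Vfiler,    # vfiler name
        [string[]]$Output   # raw text from "vfiler run <vfiler> cifs shares"
    )
    $inBody = $false
    $share  = $null
    foreach ($line in ($Output -split "`r?`n")) {
        if (-not $inBody) {
            # everything up to and including the "----" header rule is ignored
            if ($line.StartsWith('----')) { $inBody = $true }
            continue
        }
        if ($line.Trim() -eq '') { continue }
        if ($line -match '^\s') {
            # indented line: "<user or group> / <access rights>"
            $parts = $line.Trim() -split '\s+/\s+', 2
            if ($share -and $parts.Count -eq 2) {
                New-Object PSObject -Property @{
                    Filer = $Filer; Vfiler = $Vfiler; ShareName = $share
                    UserName = $parts[0]; AccessRights = $parts[1]
                }
            }
        } else {
            # unindented line: share name, then the mount point starting with "/"
            $share = ($line -split '\s+/', 2)[0].Trim()
        }
    }
}

# Constructed sample output (not captured from a real controller)
$sample = @"
Name         Mount Point                       Description
----         -----------                       -----------
ETC$         /etc                              Remote Administration
`t`t`tBUILTIN\Administrators / Full Control
projects     /vol/vol1/projects                Project data
`t`t`tEXAMPLE\group1 / Full Control
`t`t`tEXAMPLE\group2 / Read
"@

ConvertTo-ShareAclRow -Filer 'filer01' -Vfiler 'vfiler01' -Output $sample |
    Select-Object Filer, Vfiler, ShareName, UserName, AccessRights |
    Format-Table -AutoSize
```

Swapping Format-Table for Export-Csv -NoTypeInformation gives a file that can be compared between runs to spot share permission changes.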

cscott

Thanks Mirko,

     I will take a look at this, I appreciate you posting it for me.

-Scott

cscott

Thank you Chris,

     I was afraid that was the answer, the ACL cmdlet is so much nicer to work with.  Oh well, off to get it working using another avenue!

-Scott
