Hi,
Our Service Desk want access to the filer to close open files. This seems to be a problem at shift changes where a file remains locked which another user needs to edit. The preferred access tool is "Computer Management" (or alternatively Hyena).
If I put a Service Desk user, or the AD group created for the purpose, into the "Power Users" group, they can do what they need to do.
If I put a Service Desk user, or the AD group created for the purpose, into a group I defined, using a role I defined, they get access denied.
toaster> useradmin domainuser list -g "Power users"
List of SIDS in Power users
S-1-5-...
toaster> useradmin domainuser list -g isservicedesk
List of SIDS in isservicedesk
S-1-5-...
toaster> cifs lookup S-1-5-...
name = AD\System - NetApp Operators
I have not changed the "Power Users" group.
toaster> useradmin group list "Power Users"
Name: Power Users
Info: Members that can share directories
Rid: 547
Roles: power
Allowed Capabilities: cli-cifs*,cli-exportfs*,cli-nfs*,cli-useradmin*,api-cifs-*,api-nfs-*,login-telnet,login-http-admin,login-rsh,login-ssh,api-system-api-*
toaster> useradmin role list power
Name: power
Info: Default role for power user privileges.
Allowed Capabilities: cli-cifs*,cli-exportfs*,cli-nfs*,cli-useradmin*,api-cifs-*,api-nfs-*,login-telnet,login-http-admin,login-rsh,login-ssh,api-system-api-*
I have attempted to duplicate it twice, firstly with no NFS-related access.
toaster> useradmin group list Service_Desk_Team
Name: Service_Desk_Team
Info: HEAT 01062308 - Oracle Ent Mananger
Rid: 131083
Roles: op_api_cifs
Allowed Capabilities: cli-cifs*,cli-useradmin*,api-cifs-*,login-*,api-system-api-*
toaster> useradmin role list op_api_cifs
Name: op_api_cifs
Info: Service Desk Mananger - HEAT 01062308
Allowed Capabilities: cli-cifs*,cli-useradmin*,api-cifs-*,login-*,api-system-api-*
That didn't work, so I added back in the NFS access, then I made an exact copy of "Power Users" with all new names.
toaster> useradmin group list isservicedesk
Name: isservicedesk
Info: TS Service Desk
Rid: 131084
Roles: issdrole
Allowed Capabilities: cli-cifs*,cli-exportfs*,cli-nfs*,cli-useradmin*,api-cifs-*,api-nfs-*,login-telnet,login-http-admin,login-rsh,login-ssh,api-system-api-*
toaster> useradmin role list issdrole
Name: issdrole
Info: CustServDesk
Allowed Capabilities: cli-cifs*,cli-exportfs*,cli-nfs*,cli-useradmin*,api-cifs-*,api-nfs-*,login-telnet,login-http-admin,login-rsh,login-ssh,api-system-api-*
Why then is it that the Power Users group lets them do their work, but the groups I defined don't?
I have other groups to create for other people but there is no point proceeding if I can't understand this.
I practiced this on an old FAS270 DOT 7.3.3P5; I need it to work on an IBM N-6240 (FAS3240) running Data ONTAP Release 8.1.2P4. It has not worked on either.
What am I missing?
Thanks,
Richard Mackerras
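
An added example, not part of the original post: a small Python parser for the `useradmin group list` output quoted above that compares each custom group with "Power Users" and reports only what differs. It assumes a `*` in a capability string is a wildcard (matched here with `fnmatch`); the function names are hypothetical and the sample is retyped from the post with the Info lines omitted.

```python
import fnmatch

# Sample input: the `useradmin group list` output quoted in the post (Info lines omitted).
POWER = ("cli-cifs*,cli-exportfs*,cli-nfs*,cli-useradmin*,api-cifs-*,api-nfs-*,"
         "login-telnet,login-http-admin,login-rsh,login-ssh,api-system-api-*")
SAMPLE = f"""\
Name: Power Users
Rid: 547
Roles: power
Allowed Capabilities: {POWER}
Name: Service_Desk_Team
Rid: 131083
Roles: op_api_cifs
Allowed Capabilities: cli-cifs*,cli-useradmin*,api-cifs-*,login-*,api-system-api-*
Name: isservicedesk
Rid: 131084
Roles: issdrole
Allowed Capabilities: {POWER}
"""

def parse_groups(text):
    """Parse 'Key: value' records; each 'Name:' line starts a new group."""
    groups, cur = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # prompt lines and blanks carry no field
        key, value = key.strip(), value.strip()
        if key == "Name":
            cur = groups.setdefault(value, {})
        elif cur is not None:
            cur[key] = set(value.split(",")) if key == "Allowed Capabilities" else value
    return groups

def covered(cap, granted):
    """True if some granted pattern matches cap (assumption: '*' is a glob wildcard)."""
    return any(fnmatch.fnmatchcase(cap, g) for g in granted)

def diff_groups(groups, ref, other):
    """Capabilities the other group lacks or adds relative to ref, plus both Rids."""
    a, b = groups[ref], groups[other]
    ca, cb = a["Allowed Capabilities"], b["Allowed Capabilities"]
    return {"missing": sorted(c for c in ca if not covered(c, cb)),
            "extra": sorted(c for c in cb if not covered(c, ca)),
            "rid": (a["Rid"], b["Rid"])}

if __name__ == "__main__":
    parsed = parse_groups(SAMPLE)
    for name in ("Service_Desk_Team", "isservicedesk"):
        print(name, diff_groups(parsed, "Power Users", name))
```

On the output in the post, `isservicedesk` has no missing or extra capabilities relative to "Power Users" and differs only in name, role name and Rid (547 versus 131084), while `Service_Desk_Team` lacks the NFS and exportfs capabilities and grants the broader `login-*`.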