Software Development Kit (SDK) and API Discussions

Adding domain users via useradmin-domainuser-add error

DWAYNECAMP
8,274 Views

Hi All,

 

All other functions such as volume create/destroy and vfiler create, among other administrator API calls, work correctly. However, when I try to use useradmin-domainuser-add to add domain users, the SDK returns "Could not add user-identifier, Error: User cannot access group(s)".

 

Has anyone encountered this error before while executing this call with Administrator privileges ?

 

Using Perl and SDK 5.0

11 REPLIES

rle
NetApp Alumni
8,247 Views

Hi Dwayne,

Please add the pertinent useradmin-domainuser-add code that you are using.

Regards,

   - Rick -

DWAYNECAMP
8,247 Views

Rick

Thanks for the reply. Snippet of the code being used to try to add domain users:

# $params{users} = { '<domain\username>' => '<group_name>' }

my %do_users;

        while ( my ($user, $group_name) = each(%{$params{users}}) ) {

                my $in = NaElement->new("useradmin-domainuser-add");
                $in->child_add_string("user-identifier", $user);
                # The element holding the groups gets its own name so that it
                # does not shadow the group-name string from the hash; passing
                # the NaElement object as the name yields "Invalid group name".
                my $groups = NaElement->new("useradmin-groups");
                $in->child_add($groups);

                my $group_info = NaElement->new("useradmin-group-info");
                $groups->child_add($group_info);
                $group_info->child_add_string("name", $group_name);

                my $out = $z_obj->invoke_elem($in);
                if ($out->results_status() eq "failed") {
                        my $error = $out->results_reason();
                        $do_users{"rc"} = 0;
                        $do_users{"msg"} = $error;
                }
        }

rle
NetApp Alumni
8,247 Views

Hi Dwayne -

I used your code and developed an useradmin-domainuser-add program, at https://communities.netapp.com/people/rle/blog/2012/07/25/ontap-useradmin-domainuser-add.  To obtain a valid list of ONTAP groups, use the useradmin-group-list API.

Regards,

   - Rick -

DWAYNECAMP
8,247 Views

Hi Rick

Thank you for creating the code snippet. However, I still get the same error: 'msg' => 'Could not add user-identifier, Error: User cannot access group(s)'. This uses HOST.EQUIV instead of the login method used in your script.

When I use your script, I get this error: useradmin-domainuser-add failed with Could not add user-identifier, Error: User does not exist. How do you specify the domain user? It should be domain\user_name, correct?

DWAYNECAMP
8,247 Views

I also observed that if you use a variable in place of "Administrator", i.e. change $group_info->child_add_string("name", "Administrators"); to $group_info->child_add_string("name", $group); to dynamically pass in a group name, it complains 'Could not add user-identifier, Error: Invalid group name' even though the group is on the filer.

Verified using useradmin-group-list  and ssh on the filer directly.

Could you please investigate? This specific call might have a bug with Perl.

rle
NetApp Alumni
8,247 Views

Hi Dwayne,

Here is the code:

sub add_domain_user($$$) {
        my $z_obj = shift;
        my $domain_user = shift;
        my $ontap_group = shift;

        # Build the useradmin-domainuser-add request, adding
        # the domain user to the Administrators group.
        my $in = NaElement->new("useradmin-domainuser-add");
        $in->child_add_string("user-identifier", $domain_user);
        my $group = NaElement->new("useradmin-groups");
        $in->child_add($group);
        my $group_info = NaElement->new("useradmin-group-info");
        $group->child_add($group_info);
        $group_info->child_add_string("name", $ontap_group);

        # $debug is a script-level flag set elsewhere in the program
        if ($debug > 0) {
                print "Sending:\n" . $in->sprintf() . "\n";
        }

        # Invoke useradmin-domainuser-add
        my $out = $z_obj->invoke_elem($in);
        if ($out->results_status() eq "failed") {
                my $error = $out->results_reason();
                print "useradmin-domainuser-add failed with $error.\n";
                exit 5;
        }
}

And it worked just fine. Here is the code I called it with:

        add_domain_user($s, $domain_user, "Administrators");

You might consider adding a sprintf() on the input variable before the invoke_elem() call.

I also see that you are using "Administrator", and I'm using "Administrators".  Make sure that you are seeing "Administrator" in the useradmin group list command or useradmin-group-list API output.

As you stated above, the domain user is "<domain>\<user>", for example, "EIM\rick".

As for HOST.EQUIV style, I don't see any problem.  I assume that you have other APIs working using this style.  If not, then add to the code a system-get-version invoke.  I do this a lot to verify the connection.

Regards,

   - Rick -
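The flow Rick recommends (verify the session with system-get-version, validate the group name against useradmin-group-list, then send useradmin-domainuser-add), written out as an added example. This is not code from the thread or from NetApp; the host, credentials, domain user, group, SDK library path and the "HOSTS" style name are placeholders or assumptions. The groups element is deliberately named differently from the group-name string so one cannot shadow the other.

```perl
#!/usr/bin/perl
# Added example, not from the original thread: connect to a 7-Mode filer with
# the NetApp Manageability SDK, verify the session, check that the target
# group exists, and only then call useradmin-domainuser-add.
use strict;
use warnings;
use lib "/opt/netapp-manageability-sdk/lib/perl/NetApp";   # assumed SDK path
use NaServer;
use NaElement;

my $filer       = "filer.example.com";          # placeholder host
my $admin_user  = "root";                       # placeholder account
my $admin_pass  = $ENV{ONTAP_PASSWORD} // die "set ONTAP_PASSWORD\n";
my $domain_user = 'DOMAIN\user1';               # domain\user form, as in the thread
my $ontap_group = "Administrators";             # must match useradmin-group-list exactly

# NaServer->new(host, major, minor): ONTAPI 1.x for 7-Mode
my $s = NaServer->new($filer, 1, 0);
$s->set_style("LOGIN");            # "HOSTS" (assumed name) for hosts.equiv auth
$s->set_admin_user($admin_user, $admin_pass);
$s->set_transport_type("HTTPS");
$s->set_port(443);

# 1. Verify the connection before doing anything else.
my $ver = $s->invoke("system-get-version");
die "system-get-version failed: " . $ver->results_reason() . "\n"
    if $ver->results_status() eq "failed";
print "Connected to ", $ver->child_get_string("version"), "\n";

# 2. Pull the group list from the filer and compare exactly: "Administrator"
#    and "Administrators" are different names.
sub list_groups {
    my ($srv) = @_;
    my $out = $srv->invoke("useradmin-group-list");
    die "useradmin-group-list failed: " . $out->results_reason() . "\n"
        if $out->results_status() eq "failed";
    my $groups = $out->child_get("useradmin-groups");
    return () unless defined $groups;
    return map { $_->child_get_string("name") } $groups->children_get();
}

my %known = map { $_ => 1 } list_groups($s);
die "group '$ontap_group' not on $filer; have: @{[ sort keys %known ]}\n"
    unless $known{$ontap_group};

# 3. Build the request. $groups is the container element; $ontap_group is the
#    name string. Keeping them distinct avoids passing an object as the name.
my $in = NaElement->new("useradmin-domainuser-add");
$in->child_add_string("user-identifier", $domain_user);
my $groups = NaElement->new("useradmin-groups");
$in->child_add($groups);
my $gi = NaElement->new("useradmin-group-info");
$groups->child_add($gi);
$gi->child_add_string("name", $ontap_group);

print "Sending:\n", $in->sprintf(), "\n";
my $out = $s->invoke_elem($in);
if ($out->results_status() eq "failed") {
    # errno and reason together separate "User does not exist" (bad
    # domain\user, or the filer is not joined to that domain) from a
    # group or permission problem on the calling account.
    printf "useradmin-domainuser-add failed (errno %s): %s\n",
        $out->results_errno() // "?", $out->results_reason();
    exit 1;
}
print "Added $domain_user to $ontap_group\n";
```

Run it with the password in the environment rather than on the command line so it does not land in shell history or `ps` output; the script exits non-zero on any failed call so it can be chained safely.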

DWAYNECAMP
8,247 Views

Hi Rick,

Thank you for the very informative reply. I have the same code as above; I only added the debug line to help identify the error. But I still get Could not add user-identifier, Error: User cannot access group(s). It seems like a permission problem.

The group name Administrators
The user is DOMAIN\user1
Sending:
<useradmin-domainuser-add>
        <user-identifier>DOMAIN\user1</user-identifier>
        <useradmin-groups>
                <useradmin-group-info>
                        <name>Administrators</name>
                </useradmin-group-info>
        </useradmin-groups>
</useradmin-domainuser-add>

The group name Administrators
The user is DOMAIN\user2
Sending:
<useradmin-domainuser-add>
        <user-identifier>DOMAIN\user2</user-identifier>
        <useradmin-groups>
                <useradmin-group-info>
                        <name>Administrators</name>
                </useradmin-group-info>
        </useradmin-groups>
</useradmin-domainuser-add>

Code used

                 my $in = NaElement->new('useradmin-domainuser-add');
                $in->child_add_string('user-identifier',$user);
                my $group = NaElement->new('useradmin-groups');
                $in->child_add($group);
                my $group_info = NaElement->new('useradmin-group-info');
                $group->child_add($group_info);
                $group_info->child_add_string('name',$domain_group);

                print "Sending:\n" . $in->sprintf() . "\n";


                my $out = $z_obj->invoke_elem($in);
                if ($out->results_status() eq "failed") {
                        my $error = $out->results_reason();
                        $do_users{"rc"} = 0;
                        $do_users{"msg"} = $error;
                }

I have created a wrapper around system_cli until I can figure out the permission problem when using that particular call.

Thank you again for your reply.

BrendonHiggins
8,247 Views

Did you ever resolve this issue?  I am having a similar problem when I try to create user accounts on new vfilers created using the API.  Our code creates a vFiler and then connects to the vfiler using a context switch issued on vfiler0.  I have shown our code to work when the 'root' user account is already on the vfiler, i.e. a storage admin has manually added it to the vfiler via the CLI.  It is then possible to create any other user accounts required.  However, when I remove the root user account from the vfiler, we get the error

Could not add user <anyname>. Error: User cannot access group(s)

My question is, how can I create user accounts on a vfiler without a storage administrator having to manually add the root account to the filer first?

Cheers

Brendon

BrendonHiggins
8,248 Views

My issue was a workflow problem.  Once the vfiler has been created with the vfiler-create API, the vfiler-setup API must be used to set the root password.  vFiler tunnelling then works even if the vfiler0 and vfiler root passwords are different.

Hope it helps

Bren

rle
NetApp Alumni
6,216 Views

Hi Bren,

I'm glad you found your problem.  Are you stating that to use vfiler-tunneling, you need to use the filer or vfiler0 password?

   - Rick -

BrendonHiggins
6,216 Views

I have configured my environment with the management system in the same IP subnet as the physical NetApp filer, i.e. vFiler0.  The vfilers I am creating are all in IPspaces which are not accessible to the management system via TCP/IP, so we are implementing the vfiler-tunnelling feature.  This solution works well but I was getting the error

Could not add user <anyname>. Error: User cannot access group(s)

when we tried to add local users to the vfilers, which looks like the same issue Dwaynecamp was reporting as a 'permissions problem'.  My solution is to create the vfiler and then use the vfiler-setup API to configure the root password on the new vfilers.  This works because it also 'adds' the local user root to the vfiler and resolves the problem of not being able to add local users via the API.

NB:  The vfiler-setup API describes the ipbindings as 'optional' but will fail to complete unless they are included, despite the API stating it completed successfully.

Bren
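The workflow Brendon describes (vfiler-create on vfiler0, vfiler-setup to set the root password with ipbindings included, then tunnel into the new vfiler and add a local user), written out as an added example. This is not code from the thread or from NetApp. Host names, addresses, paths and passwords are placeholders, and the child element names used for vfiler-setup (root-password, ip-binding-info with ipaddress and interface) and for useradmin-user-add (useradmin-user wrapping name and useradmin-groups, plus a top-level password) are assumptions to be checked against the SDK API reference for your ONTAP release.

```perl
#!/usr/bin/perl
# Added example, not from the original thread: create a vfiler, run
# vfiler-setup so the local root account exists, then add a local user
# through vfiler tunnelling from the vfiler0 session.
use strict;
use warnings;
use lib "/opt/netapp-manageability-sdk/lib/perl/NetApp";   # assumed SDK path
use NaServer;
use NaElement;

my $filer      = "filer.example.com";                       # placeholder
my $pw         = $ENV{ONTAP_PASSWORD}        // die "set ONTAP_PASSWORD\n";
my $vf_root_pw = $ENV{VFILER_ROOT_PASSWORD}  // die "set VFILER_ROOT_PASSWORD\n";
my $new_pw     = $ENV{NEW_USER_PASSWORD}     // die "set NEW_USER_PASSWORD\n";
my $vf_name    = "vf_test";                                 # placeholder
my $vf_ip      = "10.10.10.20";                             # placeholder
my $vf_if      = "e0a";                                     # placeholder
my $vf_vol     = "/vol/vf_test_root";                       # placeholder

# Die with the filer's own reason text if a call failed.
sub check {
    my ($what, $out) = @_;
    die "$what failed: " . $out->results_reason() . "\n"
        if $out->results_status() eq "failed";
    return $out;
}

# Session to the hosting filer (vfiler0 context).
my $s = NaServer->new($filer, 1, 0);
$s->set_style("LOGIN");
$s->set_admin_user("root", $pw);
$s->set_transport_type("HTTPS");
check("system-get-version", $s->invoke("system-get-version"));

# 1. vfiler-create: name, IP address list, storage unit list.
my $create = NaElement->new("vfiler-create");
$create->child_add_string("vfiler", $vf_name);
my $ips = NaElement->new("ipaddresses");
$ips->child_add_string("ip-address", $vf_ip);
$create->child_add($ips);
my $units = NaElement->new("storage-units");
$units->child_add_string("storage-unit", $vf_vol);
$create->child_add($units);
check("vfiler-create", $s->invoke_elem($create));

# 2. vfiler-setup: sets the vfiler root password, which is what creates the
#    local root user the later useradmin call depends on. ipbindings are
#    included because the thread reports setup does not complete without them.
my $setup = NaElement->new("vfiler-setup");
$setup->child_add_string("vfiler", $vf_name);
$setup->child_add_string("root-password", $vf_root_pw);    # assumed element name
my $bindings = NaElement->new("ipbindings");
my $binding  = NaElement->new("ip-binding-info");          # assumed element names
$binding->child_add_string("ipaddress", $vf_ip);
$binding->child_add_string("interface", $vf_if);
$bindings->child_add($binding);
$setup->child_add($bindings);
check("vfiler-setup", $s->invoke_elem($setup));

# 3. Tunnel: same connection and vfiler0 credentials; from here on each
#    request executes in the new vfiler's context even though its IPspace is
#    unreachable from the management host.
$s->set_vfiler($vf_name);
check("system-get-version via tunnel", $s->invoke("system-get-version"));

# useradmin-user-add for a local (non-domain) account on the vfiler.
my $add  = NaElement->new("useradmin-user-add");
$add->child_add_string("password", $new_pw);
my $user = NaElement->new("useradmin-user");               # assumed structure
$user->child_add_string("name", "backupops");
my $groups = NaElement->new("useradmin-groups");
my $gi     = NaElement->new("useradmin-group-info");
$gi->child_add_string("name", "Backup Operators");
$groups->child_add($gi);
$user->child_add($groups);
$add->child_add($user);
check("useradmin-user-add", $s->invoke_elem($add));
print "vfiler $vf_name set up; local user backupops added via tunnel\n";
```

Because the thread notes that vfiler-setup can report success without having done everything, a cautious caller follows step 2 with a tunnelled system-get-version (as above) or a useradmin-user-list before trusting the vfiler, rather than relying on the results-status of vfiler-setup alone.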
