Adding domain users via useradmin-domainuser-add error

Hi Dwayne,

Please add the pertinent useradmin-domainuser-add code that you are using.

Regards,

   - Rick -

Rick

Thanks for the reply.Snippet of code being used to try to add domain users.

{users} {'<domain\username> ' => <group_name> }

my %do_users;

        while ( my ($user, $group) = each(%{$params{users}}) ) {

                my $in = NaElement->new("useradmin-domainuser-add");
                $in->child_add_string("user-identifier",$user);
                my $group = NaElement->new("useradmin-groups");
                $in->child_add($group);

                my $group_info = NaElement->new("useradmin-group-info");
                $group->child_add($group_info);
                $group_info->child_add_string("name",$group);

                 my $out = $z_obj->invoke_elem($in);
                if ($out->results_status() eq "failed") {
                        my $error = $out->results_reason();
                        $do_users{"rc"} = 0;
                        $do_users{"msg"} = $error;
                }

Hi Dwayne -

I used your code and developed an useradmin-domainuser-add program, at https://communities.netapp.com/people/rle/blog/2012/07/25/ontap-useradmin-domainuser-add.  To obtain a valid list of ONTAP groups, use the useradmin-group-list API.

Regards,

   - Rick -

Hi Rick

Thank you for creating the code snippet. However  I still get the same error  'msg' => 'Could not add user-identifier, Error: User cannot access group(s) ' This uses HOST.EQUIV instead of the login method used in your script.

When I use your script. I get this error useradmin-domainuser-add failed with Could not add user-identifier, Error: User does not exist .  How do you specify the domain user.  Should be  domain\user_name correct ?

I also observerd that if  you used a variable in place of   "Administrator"   $group_info->child_add_string("name", "Administrators"); meaning  to $group_info->child_add_string("name", $group);  to dynamically pass in a group name it complains 'Could not add user-identifier, Error: Invalid group name '   even though the group is on the filer.

Verified using useradmin-group-list  and ssh on the filer directly.

Could you please investigate. This specific call might have a bug with perl

Hi Dwayne,

Here is the code:

sub add_domain_user($$$) {

        my $z_obj = shift;

        my $domain_user = shift;

        my $ontap_group = shift;

        # Build the useradmin-domainuser-add request, adding

        # the domain user to the Administrators group.

        my $in = NaElement->new("useradmin-domainuser-add");

        $in->child_add_string("user-identifier", $domain_user);

        my $group = NaElement->new("useradmin-groups");

        $in->child_add($group);

        my $group_info = NaElement->new("useradmin-group-info");

        $group->child_add($group_info);

        $group_info->child_add_string("name", $ontap_group);

        if ($debug > 0) {

                print "Sending:\n" . $in->sprintf() . "\n";

        }

        # Invoke useradmin-domainuser-add

        my $out = $z_obj->invoke_elem($in);

        if ($out->results_status() eq "failed") {

                my $error = $out->results_reason();

                print "useradmin-domainuser-add failed with $error.\n";

                exit 5;

        }

And it worked just fine. Here is the code I called it with:

        add_domain_user($s, $domain_user, "Administrators");

You might consider adding an sprintf() on the input variable before the elem_invoke() call.

I also see that you are using "Administrator", and I'm using "Administrators".  Make sure that you are seeing "Administrator" in useradmin group list command or useradmin-group-list API output.

As you stated above, the domain user is "<domain>\<user>", for example, "EIM\rick".

As for HOST.EQUIV style, I don't see any problem.  I assume that you have other APIs working using this style.  If not, then add to the code a system-get-version invoke.  I do this a lot to verify the connection.

Regards,

   - Rick -

Hi Rick,

Thank you for the very informative reply. I have the same code as above i only added the debug line to help identify the error. But i still get Could not add user-identifier, Error: User cannot access group(s). It seems like a a permission problem.

The group name Administrators
The user is DOMAIN\user1
Sending:
<useradmin-domainuser-add>
        <user-identifier>DOMAIN\user1</user-identifier>
        <useradmin-groups>
                <useradmin-group-info>
                        <name>Administrators</name>
                </useradmin-group-info>
        </useradmin-groups>
</useradmin-domainuser-add>

The group name Administrators
The user is DOMAIN\user2
Sending:
<useradmin-domainuser-add>
        <user-identifier>DOMAIN\user2</user-identifier>
        <useradmin-groups>
                <useradmin-group-info>
                        <name>Administrators</name>
                </useradmin-group-info>
        </useradmin-groups>
</useradmin-domainuser-add>

Code used

                 my $in = NaElement->new('useradmin-domainuser-add');
                $in->child_add_string('user-identifier',$user);
                my $group = NaElement->new('useradmin-groups');
                $in->child_add($group);
                my $group_info = NaElement->new('useradmin-group-info');
                $group->child_add($group_info);
                $group_info->child_add_string('name',$domain_group);

                print "Sending:\n" . $in->sprintf() . "\n";

                my $out = $z_obj->invoke_elem($in);
                if ($out->results_status() eq "failed") {
                        my $error = $out->results_reason();
                        $do_users{"rc"} = 0;
                        $do_users{"msg"} = $error;
                }

I have created a wrapper around system_cli until I can figure out the permission problem when using that particular call.

Thank you again for your reply.

Did you ever resolve this issue?  I am having a similar problem when I try and create user accounts on new vfilers created using the API.  Our code creates a vFiler and then connects to the vfiler using a context switch issued on vfiler0.  I have shown our code to work when the 'root' user account is already on the vfiler.  ie A storage admin has manually added it to the vfiler, via the CLI.  It is then possible to create any other user accounts required.  However, when I remove root user account from the vfiler, we get the error.

Could not add user <anyname>. Error: User cannot access group(s)

My question is, how can I create user accounts on a vfiler without a storage administrator having to manually add the root account to the filer first?

Cheers

Brendon

My issue was a workflow problem.  Once the vfiler has been created with the vfiler-create API.  The vfiler-setup API must be used to set the root password.  vFiler tunnelling then works even if the vfiler0 and vfiler root passwords are different.

Hope it helps

Bren