Software Development Kit (SDK) and API Discussions
Hi All,
All other functions, such as volume create/destroy and vfiler create, among other administrator API calls, work correctly. However, when I try to use useradmin-domainuser-add to add domain users, the SDK returns "Could not add user-identifier, Error: User cannot access group(s)".
Has anyone encountered this error before while executing this call with Administrator privileges?
Using Perl and SDK 5.0
Hi Dwayne,
Please add the pertinent useradmin-domainuser-add code that you are using.
Regards,
- Rick -
Rick
Thanks for the reply. Snippet of code being used to try to add domain users:

    # Input shape: {users} {'<domain\username>' => <group_name>}
    my %do_users;
    while ( my ($user, $group) = each(%{$params{users}}) ) {
        # Build the useradmin-domainuser-add request for this user
        my $in = NaElement->new("useradmin-domainuser-add");
        $in->child_add_string("user-identifier",$user);
        my $group = NaElement->new("useradmin-groups");
        $in->child_add($group);
        my $group_info = NaElement->new("useradmin-group-info");
        $group->child_add($group_info);
        $group_info->child_add_string("name",$group);
        # Invoke the API and record any failure reason
        my $out = $z_obj->invoke_elem($in);
        if ($out->results_status() eq "failed") {
            my $error = $out->results_reason();
            $do_users{"rc"} = 0;
            $do_users{"msg"} = $error;
        }
    }

Hi Dwayne -
I used your code and developed a useradmin-domainuser-add program, at https://communities.netapp.com/people/rle/blog/2012/07/25/ontap-useradmin-domainuser-add. To obtain a valid list of ONTAP groups, use the useradmin-group-list API.
Regards,
- Rick -
Hi Rick
Thank you for creating the code snippet. However, I still get the same error: 'msg' => 'Could not add user-identifier, Error: User cannot access group(s) '. This uses HOST.EQUIV instead of the login method used in your script.
When I use your script, I get this error: useradmin-domainuser-add failed with Could not add user-identifier, Error: User does not exist. How do you specify the domain user? Should be domain\user_name, correct?
I also observed that if you use a variable in place of "Administrator", meaning changing $group_info->child_add_string("name", "Administrators"); to $group_info->child_add_string("name", $group); to dynamically pass in a group name, it complains 'Could not add user-identifier, Error: Invalid group name ' even though the group is on the filer.
Verified using useradmin-group-list and ssh on the filer directly.
Could you please investigate? This specific call might have a bug with Perl.
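
An added illustration, not code from the thread or from the NetApp SDK: in the snippets posted here `$group` holds the `useradmin-groups` element, so passing `$group` as the group name sends an object rather than a string, which is one way an "Invalid group name" result can arise. `MiniElement` and `build_request` are hypothetical names; the stand-in only mimics the `NaElement` calls used in the thread, and the user and group values are constructed.

```perl
use strict;
use warnings;

# Hypothetical stand-in for the SDK's NaElement: just enough to render a
# request as XML, so this runs without the NetApp SDK or a filer.
package MiniElement;
sub new       { my ($class, $name) = @_; return bless { name => $name, kids => [] }, $class }
sub child_add { my ($self, $kid) = @_; push @{ $self->{kids} }, $kid; return $self }
sub child_add_string {
    my ($self, $name, $value) = @_;
    # Interpolation stringifies a reference to "Class=HASH(0x...)".
    push @{ $self->{kids} }, { name => $name, text => "$value" };
    return $self;
}
sub sprintf {
    my ($self) = @_;
    my $body = join '', map {
        ref($_) eq 'HASH' ? "<$_->{name}>$_->{text}</$_->{name}>" : $_->sprintf()
    } @{ $self->{kids} };
    return "<$self->{name}>$body</$self->{name}>";
}

package main;

# Build the request with distinct variable names and validated inputs.
sub build_request {
    my ($user, $group_name) = @_;
    die "group name must be a plain string\n" if ref $group_name;
    die "user must look like DOMAIN\\user\n" unless $user =~ /\A[^\\]+\\[^\\]+\z/;
    my $in = MiniElement->new('useradmin-domainuser-add');
    $in->child_add_string('user-identifier', $user);
    my $groups = MiniElement->new('useradmin-groups');    # not named $group
    $in->child_add($groups);
    my $info = MiniElement->new('useradmin-group-info');
    $groups->child_add($info);
    $info->child_add_string('name', $group_name);
    return $in;
}

my ($user, $group) = ('DOMAIN\user1', 'Administrators');  # constructed sample
{
    my $group = MiniElement->new('useradmin-groups');     # hides the name above
    my $info  = MiniElement->new('useradmin-group-info');
    $group->child_add($info);
    $info->child_add_string('name', $group);              # sends the object
    print "shadowed: ", $group->sprintf(), "\n";
}
print "fixed:    ", build_request($user, $group)->sprintf(), "\n";
```

The shadowed request carries a `<name>` of the form `MiniElement=HASH(0x...)`, while the fixed one carries `Administrators`; printing the request with `sprintf()` before `invoke_elem()` makes the difference visible.
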
Hi Dwayne,
Here is the code:

    sub add_domain_user($$$) {
        my $z_obj = shift;
        my $domain_user = shift;
        my $ontap_group = shift;
        # Build the useradmin-domainuser-add request, adding
        # the domain user to the given ONTAP group.
        my $in = NaElement->new("useradmin-domainuser-add");
        $in->child_add_string("user-identifier", $domain_user);
        my $group = NaElement->new("useradmin-groups");
        $in->child_add($group);
        my $group_info = NaElement->new("useradmin-group-info");
        $group->child_add($group_info);
        $group_info->child_add_string("name", $ontap_group);
        # $debug is expected to be defined elsewhere in the calling script
        if ($debug > 0) {
            print "Sending:\n" . $in->sprintf() . "\n";
        }
        # Invoke useradmin-domainuser-add
        my $out = $z_obj->invoke_elem($in);
        if ($out->results_status() eq "failed") {
            my $error = $out->results_reason();
            print "useradmin-domainuser-add failed with $error.\n";
            exit 5;
        }
    }

And it worked just fine. Here is the code I called it with:

    add_domain_user($s, $domain_user, "Administrators");

You might consider adding an sprintf() on the input variable before the elem_invoke() call.
I also see that you are using "Administrator", and I'm using "Administrators". Make sure that you are seeing "Administrator" in useradmin group list command or useradmin-group-list API output.
As you stated above, the domain user is "<domain>\<user>", for example, "EIM\rick".
As for HOST.EQUIV style, I don't see any problem. I assume that you have other APIs working using this style. If not, then add to the code a system-get-version invoke. I do this a lot to verify the connection.
Regards,
- Rick -
Hi Rick,
Thank you for the very informative reply. I have the same code as above; I only added the debug line to help identify the error. But I still get Could not add user-identifier, Error: User cannot access group(s). It seems like a permission problem.

    The group name Administrators
    The user is DOMAIN\user1
    Sending:
    <useradmin-domainuser-add>
        <user-identifier>DOMAIN\user1</user-identifier>
        <useradmin-groups>
            <useradmin-group-info>
                <name>Administrators</name>
            </useradmin-group-info>
        </useradmin-groups>
    </useradmin-domainuser-add>
    The group name Administrators
    The user is DOMAIN\user2
    Sending:
    <useradmin-domainuser-add>
        <user-identifier>DOMAIN\user2</user-identifier>
        <useradmin-groups>
            <useradmin-group-info>
                <name>Administrators</name>
            </useradmin-group-info>
        </useradmin-groups>
    </useradmin-domainuser-add>

Code used:

    my $in = NaElement->new('useradmin-domainuser-add');
    $in->child_add_string('user-identifier',$user);
    my $group = NaElement->new('useradmin-groups');
    $in->child_add($group);
    my $group_info = NaElement->new('useradmin-group-info');
    $group->child_add($group_info);
    $group_info->child_add_string('name',$domain_group);
    print "Sending:\n" . $in->sprintf() . "\n";
    my $out = $z_obj->invoke_elem($in);
    if ($out->results_status() eq "failed") {
        my $error = $out->results_reason();
        $do_users{"rc"} = 0;
        $do_users{"msg"} = $error;
    }

I have created a wrapper around system_cli until I can figure out the permission problem when using that particular call.
Thank you again for your reply.
Did you ever resolve this issue? I am having a similar problem when I try to create user accounts on new vfilers created using the API. Our code creates a vFiler and then connects to the vfiler using a context switch issued on vfiler0. I have shown our code to work when the 'root' user account is already on the vfiler, i.e. a storage admin has manually added it to the vfiler via the CLI. It is then possible to create any other user accounts required. However, when I remove the root user account from the vfiler, we get the error:
Could not add user <anyname>. Error: User cannot access group(s)
My question is, how can I create user accounts on a vfiler without a storage administrator having to manually add the root account to the filer first?
Cheers
Brendon
My issue was a workflow problem. Once the vfiler has been created with the vfiler-create API, the vfiler-setup API must be used to set the root password. vFiler tunnelling then works even if the vfiler0 and vfiler root passwords are different.
Hope it helps
Bren
Hi Bren,
I'm glad you found your problem. Are you stating that to use vfiler-tunneling, you need to use the filer or vfiler0 password?
- Rick -
I have configured my environment with the management system in the same IP subnet as the physical NetApp filer, i.e. vFiler0. The vfilers I am creating are all in IPSpaces which are not accessible to the management system via TCP/IP, so we are implementing the vfiler-tunnelling feature. This solution works well, but I was getting the error
Could not add user <anyname>. Error: User cannot access group(s)
when we tried to add local users to the vfilers, which looks like the same issue Dwayncamp was reporting as a 'permissions problem'. My solution is to create the vfiler and then use the vfiler-setup API to configure the root password on the new vfilers. This works because it also 'adds' the local user root to the vfiler and resolves the problem of not being able to add local users via the API.
NB: The vfiler-setup API describes the ipbindings as 'optional' but will fail to complete unless they are included, despite the API stating it completed successfully.
Bren