Netapp Powershell - Cannot access share after using Add-NcCifsShareAcl
2016-03-16
01:41 PM
I am writing a script that creates a share. When I edit the share ACL, I am no longer able to access the share. If I make the same change in OnCommand GUI, it works.
Add domain user to ACL:
Add-NcCifsShareAcl -VserverContext $lastsnap_cifs.Vserver -Share $lastsnap_cifs.ShareName -UserOrGroup $user -Permission full_control -UserGroupType windows
It does not matter if the default "Everyone-Full Control" is in the ACL or not. It appears that the act of adding the new ACL locks out all users.
Any ideas?
Does the output of the CLI command "cifs share access-control show" for the share in question match what's expected before and after the PowerShell commands? Do you get any errors from Windows or the NetApp?
A couple of other things to check:
- Is the volume permissions style correct/expected?
- Is the export policy configured to allow CIFS permissions?
For reference, this works as expected on my 8.3 test system:
$svm = "svmName"
$aggregate = "bestAggr"
$volumeName = "myShare"
$size = 1gb
$username = "me"
Get-NcVserver $svm | New-NcVol $volumeName -Aggregate $aggregate -JunctionPath "/$($volumeName)" -Size $size -SecurityStyle ntfs
Get-NcVserver $svm | Add-NcCifsShare -Name $volumeName -Path "/$($volumeName)"
Get-NcVserver $svm | Remove-NcCifsShareAcl -Share $volumeName -UserOrGroup Everyone
Get-NcVserver $svm | Add-NcCifsShareAcl -Share $volumeName -UserOrGroup $username -Permission full_control
Andrew
If this post resolved your issue, please help others by selecting ACCEPT AS SOLUTION or adding a KUDO.
I am using a domain user.
I ran the cli command. Here is the output:
cluster::> cifs share access-control show -vserver vservername -share sharename$
               Share       User/Group                  User/Group  Access
Vserver        Name        Name                        Type        Permission
-------------- ----------- --------------------------- ----------- -----------
vservername    sharename$  DOMAIN\username             windows     Full_Control
When I look in the webgui, the permissions are set correctly. When I run Test-Path in the context of DOMAIN\username:
PS E:\Scripts> Test-Path \\vservername\sharename$
False
This means that DOMAIN\username cannot see the share.
If I delete the ACL created by my PS script using the GUI, then add DOMAIN\username in, the Test-Path works. Looking at the output of the same commands as above it looks the same.
cluster::> cifs share access-control show -vserver vnausfsl01 -share vol_vnausfsl01_GIAHome01_daily$
               Share       User/Group                  User/Group  Access
Vserver        Name        Name                        Type        Permission
-------------- ----------- --------------------------- ----------- -----------
vservername    sharename$  DOMAIN\username             windows     Full_Control
PS E:\Scripts> Test-Path \\vservername\sharename$
True
Now DOMAIN/username can see the share.
Is there some logging I can look at? I do not understand how it works from the webgui, but not from PS.
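The before/after comparison of `cifs share access-control show` output suggested in the first reply, as an added example that is not code from any poster or from NetApp: it parses the fixed-width table and reports entries that are missing or unexpected relative to the intended share ACL. The function names, the `principal|permission` format and the sample capture are assumptions constructed for illustration; rows that wrap onto continuation lines are not handled.

```powershell
# Added example: parse 'cifs share access-control show' text and check it against the intended ACL.
function ConvertFrom-ShareAclTable {
    param([Parameter(Mandatory)][string]$Text)
    $cols = $null
    foreach ($line in ($Text -split '\r?\n')) {
        # The dashed ruler marks where each fixed-width column starts.
        if ($line -match '^-+( -+)+\s*$') { $cols = [regex]::Matches($line, '-+'); continue }
        if ($null -eq $cols -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $f = for ($i = 0; $i -lt $cols.Count; $i++) {
            $start = $cols[$i].Index
            if ($start -ge $line.Length) { ''; continue }
            # The last column runs to end of line: Full_Control is wider than its ruler.
            $end = if ($i -lt $cols.Count - 1) { [Math]::Min($cols[$i + 1].Index, $line.Length) } else { $line.Length }
            $line.Substring($start, $end - $start).Trim()
        }
        [pscustomobject]@{ Vserver = $f[0]; Share = $f[1]; UserOrGroup = $f[2]; Type = $f[3]; Permission = $f[4] }
    }
}

function Compare-ShareAcl {
    param([object[]]$Actual, [string[]]$Expected)   # Expected entries: 'principal|permission'
    $have = @($Actual | ForEach-Object { '{0}|{1}' -f $_.UserOrGroup, $_.Permission })
    [pscustomobject]@{
        Missing    = @($Expected | Where-Object { $_ -notin $have })   # -notin is case-insensitive
        Unexpected = @($have | Where-Object { $_ -notin $Expected })
    }
}

# Constructed sample in the layout shown in the thread, with the default Everyone entry still present.
$capture = @'
               Share       User/Group                  User/Group  Access
Vserver        Name        Name                        Type        Permission
-------------- ----------- --------------------------- ----------- -----------
vservername    sharename$  Everyone                    windows     Full_Control
vservername    sharename$  DOMAIN\username             windows     Full_Control
'@

$acl    = ConvertFrom-ShareAclTable -Text $capture
$result = Compare-ShareAcl -Actual $acl -Expected 'DOMAIN\username|Full_Control'
$result.Missing      # intended entries that are absent from the share ACL
$result.Unexpected   # entries on the share ACL that were not intended
```

When both lists come back empty for the working and the failing state alike, the share-level ACL is not what differs, which points at the other layers named in the first reply (volume security style and export policy).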
I have done some additional testing.
I ran my script, but stopped where I set the ACL. I then ssh into the cluster and set the permissions using the command line.
cifs share access-control create -vserver vservername -share \\vservername\sharename$ -user-or-group DOMAIN\username -user-group-type windows -permission full_Control
Any change I make in the command line does not work.
I am going to open a ticket for it not working at the command line.
I have confirmed that I can make the change in the webgui successfully.
Additional information
I created an SVM local user and I have the same problem as my domain user. I even tried that local user as a VSADMIN.