Software Development Kit (SDK) and API Discussions

Netapp Powershell - Cannot access share after using Add-NcCifsShareAcl

ChipLGIMA
4,021 Views

I am writing a script that creates a share.  When I edit the share ACL, I am no longer able to access the share.  If I make the same change in OnCommand GUI, it works.

 

Add domain user to ACL:

Add-NcCifsShareAcl -VserverContext $lastsnap_cifs.Vserver -Share $lastsnap_cifs.ShareName -UserOrGroup $user -Permission full_control -UserGroupType windows

 

It does not matter if the default "Everyone-Full Control" is in the ACL or not.  It appears that the act of adding the new ACL locks out all users.

 

Any ideas?

 

4 REPLIES 4

asulliva
3,955 Views

Does the output of the CLI command "cifs share access-control show" for the share in question match what's expected before and after the PowerShell commands?  Do you get any errors from Windows or the NetApp?  

 

A couple of other things to check:

 

  • Is the volume permissions style correct/expected?
  • Is the export policy configured to allow CIFS permissions?

 

For reference, this works as expected on my 8.3 test system:

 

$svm = "svmName"
$aggregate = "bestAggr"
$volumeName = "myShare"
$size = 1gb
$username = "me"

Get-NcVserver $svm | New-NcVol $volumeName -Aggregate $aggregate -JunctionPath "/$($volumeName)" -Size $size -SecurityStyle ntfs
Get-NcVserver $svm | Add-NcCifsShare -Name $volumeName -Path "/$($volumeName)"
Get-NcVserver $svm | Remove-NcCifsShareAcl -Share $volumeName -UserOrGroup Everyone
Get-NcVserver $svm | Add-NcCifsShareAcl -Share $volumeName -UserOrGroup $username -Permission full_control

Andrew

If this post resolved your issue, please help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

ChipLGIMA
3,935 Views

I am using a domain user.

 

I ran the cli command.  Here is the output:

 

cluster::> cifs share access-control show -vserver vservername -share sharename$
                      Share              User/Group                 User/Group Access
Vserver            Name              Name                        Type           Permission
--------------       -----------         --------------------------- -----------     -----------
vservername     sharename$     DOMAIN\username     windows     Full_Control

 

When I look in the webgui, the permissions are set correctly.  When I run Test-Path in the context of DOMAIN\username:

PS E:\Scripts> Test-Path \\vservername\sharename$
False

 

This means that DOMAIN\username cannot see the share.

 

If I delete the ACL created by my PS script using the GUI, then add DOMAIN\username in, the Test-Path works.  Looking at the output of the same commands as above it looks the same.

 

 

cluster::> cifs share access-control show -vserver vnausfsl01 -share vol_vnausfsl01_GIAHome01_daily$
                      Share              User/Group                User/Group Access
Vserver            Name              Name                       Type           Permission
--------------      -----------         --------------------------- -----------     -----------
vservername     sharename$     DOMAIN\username     windows      Full_Control

 

PS E:\Scripts> Test-Path \\vservername\sharename$
True

 

Now DOMAIN/username can see the share.

 

Is there some logging I can look at?  I do not understand how it works from the webgui, but not from PS.

 

ChipLGIMA
3,893 Views

I have done some additional testing.

 

I ran my script, but stoped where I set the ACL.  I then ssh into the cluster and set the permissions using the command line. 

cifs share access-control create -vserver vservername -share \\vservername\sharename$ -user-or-group  DOMAIN\username -user-group-type windows -permission full_Control

Any chagne I make in the command line does not work.

I am going to open a ticket for it not working at the command line.

 

I have confirmed that I can make the change in the webgui successfully.

ChipLGIMA
3,856 Views

Additional information

 

I created a SVM local user and I have the same problem as my domain user.  I even tried that local user as a VSADMIN.

 

Public