Re: Netapp Powershell - Cannot access share after using Add-NcCifsShareAcl

ChipLGIMA · ‎2016-03-16

I am writing a script that creates a share. When I edit the share ACL, I am no longer able to access the share. If I make the same change in OnCommand GUI, it works.

Add domain user to ACL:

Add-NcCifsShareAcl -VserverContext $lastsnap_cifs.Vserver -Share $lastsnap_cifs.ShareName -UserOrGroup $user -Permission full_control -UserGroupType windows

It does not matter if the default "Everyone-Full Control" is in the ACL or not. It appears that the act of adding the new ACL locks out all users.

Any ideas?

asulliva · ‎2016-03-21

Does the output of the CLI command "cifs share access-control show" for the share in question match what's expected before and after the PowerShell commands? Do you get any errors from Windows or the NetApp?

A couple of other things to check:

Is the volume permissions style correct/expected?
Is the export policy configured to allow CIFS permissions?

For reference, this works as expected on my 8.3 test system:

$svm = "svmName"
$aggregate = "bestAggr"
$volumeName = "myShare"
$size = 1gb
$username = "me"

Get-NcVserver $svm | New-NcVol $volumeName -Aggregate $aggregate -JunctionPath "/$($volumeName)" -Size $size -SecurityStyle ntfs
Get-NcVserver $svm | Add-NcCifsShare -Name $volumeName -Path "/$($volumeName)"
Get-NcVserver $svm | Remove-NcCifsShareAcl -Share $volumeName -UserOrGroup Everyone
Get-NcVserver $svm | Add-NcCifsShareAcl -Share $volumeName -UserOrGroup $username -Permission full_control

Andrew

If this post resolved your issue, please help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

ChipLGIMA · ‎2016-03-23

I am using a domain user.

I ran the cli command. Here is the output:

cluster::> cifs share access-control show -vserver vservername -share sharename$
                      Share              User/Group                 User/Group Access
Vserver            Name              Name                        Type           Permission
--------------       -----------         --------------------------- -----------     -----------
vservername     sharename$     DOMAIN\username     windows     Full_Control

When I look in the webgui, the permissions are set correctly. When I run Test-Path in the context of DOMAIN\username:

PS E:\Scripts> Test-Path \\vservername\sharename$
False

This means that DOMAIN\username cannot see the share.

If I delete the ACL created by my PS script using the GUI, then add DOMAIN\username in, the Test-Path works. Looking at the output of the same commands as above it looks the same.

cluster::> cifs share access-control show -vserver vnausfsl01 -share vol_vnausfsl01_GIAHome01_daily$
                      Share              User/Group                User/Group Access
Vserver            Name              Name                       Type           Permission
--------------      -----------         --------------------------- -----------     -----------
vservername    sharename$     DOMAIN\username     windows      Full_Control

PS E:\Scripts> Test-Path \\vservername\sharename$
True

Now DOMAIN/username can see the share.

Is there some logging I can look at? I do not understand how it works from the webgui, but not from PS.

ChipLGIMA · ‎2016-03-24

I have done some additional testing.

I ran my script, but stoped where I set the ACL. I then ssh into the cluster and set the permissions using the command line.

cifs share access-control create -vserver vservername -share \\vservername\sharename$ -user-or-group DOMAIN\username -user-group-type windows -permission full_Control

Any chagne I make in the command line does not work.

I am going to open a ticket for it not working at the command line.

I have confirmed that I can make the change in the webgui successfully.

ChipLGIMA · ‎2016-03-28

Additional information

I created a SVM local user and I have the same problem as my domain user. I even tried that local user as a VSADMIN.