Software Development Kit (SDK) and API Discussions

Netapp Powershell - Cannot access share after using Add-NcCifsShareAcl


I am writing a script that creates a share.  When I edit the share ACL, I am no longer able to access the share.  If I make the same change in OnCommand GUI, it works.


Add domain user to ACL:

Add-NcCifsShareAcl -VserverContext $lastsnap_cifs.Vserver -Share $lastsnap_cifs.ShareName -UserOrGroup $user -Permission full_control -UserGroupType windows


It does not matter if the default "Everyone-Full Control" is in the ACL or not.  It appears that the act of adding the new ACL locks out all users.


Any ideas?




Does the output of the CLI command "cifs share access-control show" for the share in question match what's expected before and after the PowerShell commands?  Do you get any errors from Windows or the NetApp?  


A couple of other things to check:


  • Is the volume permissions style correct/expected?
  • Is the export policy configured to allow CIFS permissions?


For reference, this works as expected on my 8.3 test system:


$svm = "svmName"
$aggregate = "bestAggr"
$volumeName = "myShare"
$size = 1gb
$username = "me"

Get-NcVserver $svm | New-NcVol $volumeName -Aggregate $aggregate -JunctionPath "/$($volumeName)" -Size $size -SecurityStyle ntfs
Get-NcVserver $svm | Add-NcCifsShare -Name $volumeName -Path "/$($volumeName)"
Get-NcVserver $svm | Remove-NcCifsShareAcl -Share $volumeName -UserOrGroup Everyone
Get-NcVserver $svm | Add-NcCifsShareAcl -Share $volumeName -UserOrGroup $username -Permission full_control


If this post resolved your issue, please help others by selecting ACCEPT AS SOLUTION or adding a KUDO.


I am using a domain user.


I ran the cli command.  Here is the output:


cluster::> cifs share access-control show -vserver vservername -share sharename$
                      Share              User/Group                 User/Group Access
Vserver            Name              Name                        Type           Permission
--------------       -----------         --------------------------- -----------     -----------
vservername     sharename$     DOMAIN\username     windows     Full_Control


When I look in the webgui, the permissions are set correctly.  When I run Test-Path in the context of DOMAIN\username:

PS E:\Scripts> Test-Path \\vservername\sharename$


This means that DOMAIN\username cannot see the share.


If I delete the ACL created by my PS script using the GUI, then add DOMAIN\username in, the Test-Path works.  Looking at the output of the same commands as above it looks the same.



cluster::> cifs share access-control show -vserver vnausfsl01 -share vol_vnausfsl01_GIAHome01_daily$
                      Share              User/Group                User/Group Access
Vserver            Name              Name                       Type           Permission
--------------      -----------         --------------------------- -----------     -----------
vservername     sharename$     DOMAIN\username     windows      Full_Control


PS E:\Scripts> Test-Path \\vservername\sharename$


Now DOMAIN/username can see the share.


Is there some logging I can look at?  I do not understand how it works from the webgui, but not from PS.



I have done some additional testing.


I ran my script, but stoped where I set the ACL.  I then ssh into the cluster and set the permissions using the command line. 

cifs share access-control create -vserver vservername -share \\vservername\sharename$ -user-or-group  DOMAIN\username -user-group-type windows -permission full_Control

Any chagne I make in the command line does not work.

I am going to open a ticket for it not working at the command line.


I have confirmed that I can make the change in the webgui successfully.


Additional information


I created a SVM local user and I have the same problem as my domain user.  I even tried that local user as a VSADMIN.