4 Replies Latest reply: Aug 8, 2013 6:14 AM by cscott

cifs permissions in a vfiler

cscott
Hello,

     In trying to build a script to capture CIFS permissions, I am getting the following error:

Get-NaCifsShareAcl : Unable to find API : cifs-share-acl-list-iter-start for vfiler  VFILER_NAME

 

Is it possible to pull the ACL list for a share from a vfiler?  This works from the physical frame without issue and I can enumerate the shares themselves without issue, it is just the ACL that is not working.

 

I have attached a copy of the script, which is just a start, no error checking, formatting is not proper, etc.  What I need is to build an output of:

 

physical frame name / vfiler name

share name

Username     AccessRights

group1          full control

group2          read

 

I know that the file system permissions are more significant; however, we are responsible for providing the share permissions, and the Windows admins are responsible after that.

 

I have tested from my laptop using Windows 7 and a Windows Server 2008 R2 system, both running version 2.1.0.205 of the toolkit; the ONTAP version is 8.1.2p4.

 

-Scott

  • Re: cifs permissions in a vfiler
    madden

    Hi Scott,

     

    This underlying API used by the cmdlet "cifs-share-acl-list-iter-start" does not appear to be implemented in the vfiler context.  The next best option is probably to use invoke-nassh to run cifs shares in the vfiler context and parse that CLI output.  Not ideal, but at least a way forward.

     

    Cheers,

    Chris

     

    Message was edited by: ChristopherAustin Madden UPDATE: A colleague has done exactly what I mentioned above and will post the powershell code later today.

  • Re: cifs permissions in a vfiler
    mirko

    Hi Scott,

     

    I created a CLI parser a few days ago.

    I needed to rename a qtree and recreate a corresponding cifs share & NFS exports.

    I bumped into this burt and wrote this CLI parser.  It still needs some testing, but it comes pretty close.

     

     

    # container for the ACL result
    $global:aclList = @()

    ##################################################################
    # THIS Function IS PURELY FOR A BURT IN DATAONTAP 8.0 and 8.1
    # It is fixed in 8.2
    # The API calls fail for the cmdlet Get-NaCifsShareAcl within vfiler context
    # This way we detect the version and use a CLI parser instead
    # Creation : mirko@netap.com
    ##################################################################

    # This function parses the output of CLI "vfiler run cifs shares"
    function parseCifsSharesOutput($output){

        # get the list of the shares (this command is not affected by the burt)
        $shares = Get-NaCifsShare

        $acls = @()
        $tempshare = ""
        # share object that the following ACL lines belong to
        $shareObj = $null
        # becomes $true once the "----" header line has been seen
        $infostarted = $false

        # parse the lines
        $lines = $output -split "`n"
        foreach($line in $lines){
            # if we are past the "----" line, we can start parsing
            if($infostarted){
                # if the line starts with a tab, it's an ACL
                if($line.StartsWith("`t")){
                    # ACL found
                    $line = $line.Trim()
                    $acl = $line.Split("/")
                    # skip ACL lines whose share was not recognised, so they
                    # are never attached to the previous share
                    if($acl.Count -eq 2 -and $shareObj){
                        $newacl = New-Object DataONTAP.Types.Cifs.AccessRightsInfo
                        $newacl.UserName = $acl[0].Trim()
                        $newacl.AccessRights = $acl[1].Trim()
                        $shareObj.UserAclInfo += $newacl
                    }
                # if the line does not start with a tab, it is a new share entry
                }else{
                    # new share found
                    $line = $line.Trim()
                    # ignore blank lines (normally at the end)
                    if($line -ne ""){
                        $share = $line -split "\s+/"
                        $tempshare = $shares | where{$_.ShareName -eq $share[0].Trim()}
                        # forget the previous share until this one is matched
                        $shareObj = $null
                        if($tempshare){
                            $shareObj = New-Object DataONTAP.Types.Cifs.CifsShareAclInfo
                            $shareObj.ShareName = $tempshare.ShareName
                            $acls += $shareObj
                        }
                    }
                }
            }

            # we ignore all lines until we come across "----"
            if($line.StartsWith("----")){
                $infostarted = $true
            }
        }

        # we must use a global variable to get this out of the function scope
        $global:aclList = $acls
    }

    # this is a replacement for get-nacifsshareacl
    function getNaCifsShareAcl($vfiler){

        # Get the version
        $version = Get-NaSystemVersion
        if ($version.Contains("8.0") -or $version.Contains("8.1"))
        {
            $useCli = $true
        }
        else
        {
            $useCli = $false
        }

        if($useCli){

            # because of the burt, we get the ACL info through CLI instead
            $command = "vfiler run $vfiler cifs shares"
            Invoke-NaSsh -Command $command -WarningVariable warningMsg -OutVariable outMsg -ErrorVariable errorMsg 2>&1 | Out-Null
            # if the command was errorless
            if(-not $warningMsg -and -not $errorMsg){
                parseCifsSharesOutput $outMsg
            }else{
                Throw "Warning : $warningMsg`nError : $errorMsg"
            }
        }else{
            $global:aclList = Get-NaCifsShareAcl
        }

        $global:aclList | ft
    }
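
A toolkit-independent variant of the parser posted above, given as an added example that is not part of the thread or of the Data ONTAP PowerShell Toolkit: it turns the `cifs shares` text into flat frame / vfiler / share / user / rights rows and lists the entries that grant everyone Full Control. The function names, the allow-listed character set for vfiler names and the sample output are assumptions constructed for illustration.

```powershell
# Added example: names below are hypothetical, not part of the Data ONTAP PowerShell Toolkit.
function Get-VfilerCifsSharesCommand([string]$Vfiler) {
    # The name is interpolated into a CLI string sent over SSH, so allow-list it first.
    # The permitted character set is an assumption; adjust it to your naming standard.
    if ($Vfiler -notmatch '^[A-Za-z0-9_.-]+\z') { throw "Unexpected vfiler name: $Vfiler" }
    "vfiler run $Vfiler cifs shares"
}

function ConvertFrom-CifsSharesOutput {
    param([string[]]$Lines, [string]$Frame, [string]$Vfiler)
    $started = $false   # true once the "----" header rule has been seen
    $share   = $null    # share that subsequent ACL lines belong to
    foreach ($line in ($Lines -split "`r?`n")) {
        if (-not $started) {
            if ($line.StartsWith('----')) { $started = $true }
            continue
        }
        if ($line -match '^\s+(?<user>.+?)\s+/\s+(?<rights>.+?)\s*$') {
            # Indented "user / rights" line: one output row per access entry
            if ($share) {
                [pscustomobject]@{
                    Frame = $Frame; Vfiler = $Vfiler; ShareName = $share
                    UserName = $Matches.user; AccessRights = $Matches.rights
                }
            }
        }
        elseif ($line -match '^(?<name>\S.*?)\s+/') {
            # Unindented "name  /path  description" line starts a new share
            $share = $Matches.name
        }
    }
}

# Constructed sample in the layout the thread's parser expects; not real output.
$sample = @(
    'Name         Mount Point                 Description'
    '----         -----------                 -----------'
    'ETC$         /etc                        Remote Administration'
    "`t`t`tBUILTIN\Administrators / Full Control"
    'HOME         /vol/vol1/home              User homes'
    "`t`t`tEXAMPLE\group1 / Full Control"
    "`t`t`tEXAMPLE\group2 / Read"
    'SCRATCH      /vol/vol1/scratch'
    "`t`t`teveryone / Full Control"
)
$rows = ConvertFrom-CifsSharesOutput -Lines $sample -Frame 'FRAME01' -Vfiler 'VFILER01'
$rows | Format-Table Frame, Vfiler, ShareName, UserName, AccessRights -AutoSize
# Share-level entries that grant everyone Full Control
$rows | Where-Object { $_.UserName -eq 'everyone' -and $_.AccessRights -eq 'Full Control' }
```

Against a live system, the string returned by `Get-VfilerCifsSharesCommand` would be passed to `Invoke-NaSsh -Command` as in the post above, and its output to `ConvertFrom-CifsSharesOutput`.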
