2 Replies Latest reply: Oct 17, 2013 6:41 AM by richard_mackerras

useradmin role and group will not work

richard_mackerras Novice

Hi,

 

Our Service Desk want access to the filer to close open files. This seems to be a problem at shift changes where a file remains locked which another user needs to edit. The preferred access tool is "Computer Management" (or alternatively Hyena).

 

If I put a Service desk user, or the AD group created for the purpose, into the "Power Users" group, they can do what they need to do.

If I put a Service desk user, or the AD group created for the purpose into a group I defined, using a role I defined, they get access denied.

 

toaster> useradmin domainuser list  -g  "Power users"

List of SIDS in Power users

S-1-5-...

toaster> useradmin domainuser list  -g  isservicedesk

List of SIDS in isservicedesk

S-1-5-...

toaster> cifs lookup S-1-5-...

name = AD\System - NetApp Operators

 

I have not changed the "Power Users" group

 

toaster> useradmin group list "Power Users"

Name: Power Users

Info: Members that can share directories

Rid: 547

Roles: power

Allowed Capabilities: cli-cifs*,cli-exportfs*,cli-nfs*,cli-useradmin*,api-cifs-*,api-nfs-*,login-telnet,login-http-admin,login-rsh,login-ssh,api-system-api-*

 

toaster> useradmin role list power

Name:    power

Info:    Default role for power user privileges.

Allowed Capabilities: cli-cifs*,cli-exportfs*,cli-nfs*,cli-useradmin*,api-cifs-*,api-nfs-*,login-telnet,login-http-admin,login-rsh,login-ssh,api-system-api-*

 

I have attempted to duplicate it twice, firstly with no NFS related access.

 

toaster> useradmin group list Service_Desk_Team

Name: Service_Desk_Team

Info: HEAT 01062308 - Oracle Ent Mananger

Rid: 131083

Roles: op_api_cifs

Allowed Capabilities: cli-cifs*,cli-useradmin*,api-cifs-*,login-*,api-system-api-*

 

toaster> useradmin role list op_api_cifs

Name:    op_api_cifs

Info:    Service Desk Mananger - HEAT 01062308

Allowed Capabilities: cli-cifs*,cli-useradmin*,api-cifs-*,login-*,api-system-api-*

 

That didn't work, so I added back in the NFS access, then I made an exact copy of "Power Users" with all new names.

 

toaster> useradmin group list isservicedesk

Name: isservicedesk

Info: TS Service Desk

Rid: 131084

Roles: issdrole

Allowed Capabilities: cli-cifs*,cli-exportfs*,cli-nfs*,cli-useradmin*,api-cifs-*,api-nfs-*,login-telnet,login-http-admin,login-rsh,login-ssh,api-system-api-*

 

toaster> useradmin role list issdrole

Name:    issdrole

Info:    CustServDesk

Allowed Capabilities: cli-cifs*,cli-exportfs*,cli-nfs*,cli-useradmin*,api-cifs-*,api-nfs-*,login-telnet,login-http-admin,login-rsh,login-ssh,api-system-api-*

 

Why then is it that the Power Users group lets them do their work, but the groups I defined don't?

I have other groups to create for other people but there is no point proceeding if I can't understand this.

 

I practiced this on an old FAS270 DOT 7.3.3P5; I need it to work on an IBM N-6240 (FAS3240) running Data ONTAP Release 8.1.2P4. It has not worked on either.

What am I missing?

 

Thanks,

 

Richard Mackerras

  • Re: useradmin role and group will not work
    LMEIRELES CertifiedPlus Novice

    Hi Richard,

     

    I have the same problem.

    Check this response from Netapp engineering:

     

    Members of the custom users group doesn't have access to session management through MMC

    http://support.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=748112

     

    TITLE:

    Members of the custom users group doesn't have access to session management through MMC

     

    DESCRIPTION:

    The users can manage the sessions through MMC, only if they belong to Administrators or "Power Users" group.  The other custom group members can't manage this, even though the group they belong to has the roles of "admin" and/or "power".  This occurs because the access check for session management through MMC is based on the RID that is assigned to the group and not the roles of the group.

     

    WORKAROUND:

    No workaround exists; this feature is by design.

     

    Thanks,

     

    Luis Meireles
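
An added example, not part of either post and not NetApp code: a small audit that parses `useradmin group list` output and reports groups that fail the RID-based check described in the bug text even when their capabilities equal those of a built-in group. The sample text is constructed from the listings in the thread; the `MMC_RIDS` set is an assumption (547 is shown above for Power Users, 544 is the well-known built-in Administrators RID).

```python
import re

# RIDs assumed to pass the RID-based MMC session check: 547 (Power Users) is
# shown in the thread; 544 is the well-known built-in Administrators RID.
MMC_RIDS = {544, 547}

POWER_CAPS = ("cli-cifs*,cli-exportfs*,cli-nfs*,cli-useradmin*,api-cifs-*,"
              "api-nfs-*,login-telnet,login-http-admin,login-rsh,login-ssh,"
              "api-system-api-*")

# Constructed sample in the shape of the 'useradmin group list' output above.
SAMPLE = f"""
Name: Power Users
Rid: 547
Roles: power
Allowed Capabilities: {POWER_CAPS}

Name: Service_Desk_Team
Rid: 131083
Roles: op_api_cifs
Allowed Capabilities: cli-cifs*,cli-useradmin*,api-cifs-*,login-*,api-system-api-*

Name: isservicedesk
Rid: 131084
Roles: issdrole
Allowed Capabilities: {POWER_CAPS}
"""

def parse_groups(text):
    """Parse 'Key: value' lines into one dict per group; other lines are ignored."""
    groups = []
    for line in text.splitlines():
        m = re.match(r"\s*(Name|Rid|Roles|Allowed Capabilities):\s*(.*)$", line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "Name":
            groups.append({"name": val, "rid": None, "caps": frozenset()})
        elif groups and key == "Rid":
            groups[-1]["rid"] = int(val)
        elif groups and key == "Allowed Capabilities":
            groups[-1]["caps"] = frozenset(c.strip() for c in val.split(","))
    return groups

def audit(groups):
    """List (name, rid, twins) for groups that fail the RID check; twins are
    passing groups with an identical capability set."""
    passing = [g for g in groups if g["rid"] in MMC_RIDS]
    return [(g["name"], g["rid"], [p["name"] for p in passing if p["caps"] == g["caps"]])
            for g in groups if g["rid"] not in MMC_RIDS]
```

For the sample, `audit(parse_groups(SAMPLE))` reports `isservicedesk` with `Power Users` as its capability twin, which is the situation in the question: identical capabilities, different RID.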
