Channel: All ONTAP Discussions posts

Re: Netapp CIFS share not accessible by domain users whereas accessible by domain admins


Hi,

 

You haven't provided enough information to help identify the cause of the issue for troubleshooting. Can you please share the results of the following commands?

 

 

cluster1::> vserver cifs share show -vserver vserver1 -share-name volume1$ -fields acl
vserver  share-name  acl
-------- ----------- -----------------------------------------------------------
vserver1 volume1$ "BUILTIN\Administrators / Full Control","Everyone / Change"

cluster1::> qtree show -vserver vserver1
Vserver    Volume        Qtree        Style        Oplocks   Status
---------- ------------- ------------ ------------ --------- --------
vserver1   volume1    ""           ntfs         enable    normal
vserver1   volume1    qtree1    ntfs         enable    normal

cluster1::> local-group show-members -vserver vserver1 -group-name "BUILTIN\Administrators"

Vserver        Group Name                   Members
-------------- ---------------------------- ------------------------
vserver1       BUILTIN\Administrators       VSERVER1\Administrator
                                            CONTOSO\Vserver Admins

C:\>icacls \\vserver1\volume1$
\\vserver1\volume1$ BUILTIN\Administrators:(OI)(CI)(F)
\\vserver1\volume1$ CONTOSO\Data Admins:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files

 

 

Note: The default AD group "Domain Admins" should not be used to manage access to data on your CIFS vservers. See the following:

 

https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/plan/security-best-practices/appendix-f--securing-domain-admins-groups-in-active-directory

 

"Domain Admins are, by default, members of the local Administrators groups on all member servers and workstations in their respective domains"

 

When you perform a CIFS setup on a vserver, it becomes a "member server" within the domain which you join it to, and by default the domain admins group is automatically added as a member of the local administrators group on the vserver. Just because this is the default setting, it does NOT mean you should leave it that way. For example, the default permissions when you create an NTFS volume are "Everyone\Full Control". This is to ensure you have access to connect to the volume in order to secure the NTFS permissions and delegate administrative access to your data (during that process you should remove "Everyone\Full Control" and delegate administrative access to your data to an AD group).

So once you have joined the domain, I recommend you delegate administrative access to your vservers, e.g. create a "Vserver Admins" AD group explicitly for the purpose of delegating administrative control of your vservers, add that group to the local Administrators group on your vservers, then remove the "Domain Admins" group. E.g.:

 

 

cluster1::> local-group add-members -vserver vserver1 -group-name "BUILTIN\Administrators" -member-names "CONTOSO\Vserver Admins"

cluster1::> local-group remove-members -vserver vserver1 -group-name "BUILTIN\Administrators" -member-names "CONTOSO\Domain Admins"

The "Domain Admins" group is for Active Directory administration, it should NOT be used for data administration.

 

 

/Matt


Re: 7MTT -- Migrate to NVE volume in cDOT 9.1

This is too new; a case will probably be a good idea.

Re: report ksh


You would need to have a user account on the cluster with ssh access and a public ssh key added to the cluster to avoid having to provide the password every time.

See the man page for "security login publickey" for more details.

 

To get the information you want, just run a command like:

 

ssh <clustername> volume show -volume <volumename> -fields policy, used, total

 

and parse the output.

 

Hope this helps.

NetApp FAS2552 Aggregate and Disk

I have a FAS2552 with 2 shelves:

1)  Shelf 0 having 4 x SSD + 20 x SAS 10kRPM 1TB Disk

2)  Shelf 1 having 12 x SAS 10k RPM 1 TB Disk

 

Our Vendor has configured aggregates for us, however, I notice the following:-

1) What is the difference between Disk Container Type of Aggregate and Shared??

2) I find that some disks belong to 2 aggregates, is it ok and what is the reason behind??

3) Is it ok to have a disk belong to 3 aggregates???

4) I notice that one disk is not spare and is not assigned to any aggregate but is Container Type Shared, is it normal???

 

Re: NetApp FAS2552 Aggregate and Disk

ADP (advanced disk partitioning) is the key for your search.

In short, beginning with cDOT 8.3, NetApp offers a new capability for small (25xx) and all-flash systems, advanced disk partitioning: the root aggregate uses one part of the disks installed in the head shelf, and the other (data) aggregates use another. When a disk is partitioned, it is included in two (and only two! no more) aggregates (container type - SHARED). If a disk isn't partitioned (disks not in the head shelf, in this case), it is included in only one aggregate (container type - AGGREGATE). When ADP is in use, all disks in the head shelf are SHARED at all times.

Re: NetApp FAS2552 Aggregate and Disk


1. Shared is partitioned disk. Look in documentation for ADP (Advanced Disk Partition). In summary - disk is divided in two partitions and each partition can be used independently as part of aggregate (or pool, but that's another story).

 

2. Yes, each partition can be part of separate aggregate.

 

3. Not really. For SSD disks in FlashPool you can split disks in 4 partitions, but they are added to disk pools, not disk aggregates.

 

4. Yes. Disk should be automatically partitioned as needed when used for disk replacement.

Re: NetApp FAS2552 Aggregate and Disk

Thanks, could you elaborate in more detail on disk replacement?

 

I find that my Shelf 0 Disk 23 of Container Type Shared has NOT been assigned to any Aggregate and is NOT a spare.

 

Does it mean that the Vendor has missed placing this disk into an Aggregate, or has this disk been left for Disk Replacement purposes?

 

I thought only a Spare Disk can be designated for Disk Replacement.

 

 


Re: NetApp FAS2552 Aggregate and Disk


Paste output of "storage aggregate show-spare-disks"

Re: NetApp FAS2552 Aggregate and Disk

Output is as follows:

What's the difference between Spare Pool and Partitioned Spares???

 

Also, I find that the below 1.0.22, a Partitioned Spare, already has a Data Aggregate assigned to it, so how can it possibly be a Spare?????

 

WTTPLFR02::> storage aggregate show-spare-disks

Original Owner: WTTPLFR02-C01
 Pool0
  Spare Pool

                                                        Usable   Physical
Disk                        Type  RPM    Checksum       Size     Size     Status
--------------------------- ----- ------ -------------- -------- -------- --------
1.0.3                       SSD   -      block          745.0GB  745.2GB  zeroed

Original Owner: WTTPLFR02-C01
 Pool0
  Partitioned Spares
                                                        Local    Local
                                                        Data     Root     Physical
Disk                        Type  RPM    Checksum       Usable   Usable   Size     Status
--------------------------- ----- ------ -------------- -------- -------- -------- --------
1.0.23                      SAS   10000  block          1.03TB   61.58GB  1.09TB   zeroed

Original Owner: WTTPLFR02-C02
 Pool0
  Spare Pool

                                                        Usable   Physical
Disk                        Type  RPM    Checksum       Size     Size     Status
--------------------------- ----- ------ -------------- -------- -------- --------
1.1.11                      SAS   10000  block          1.09TB   1.09TB   zeroed

Original Owner: WTTPLFR02-C02
 Pool0
  Partitioned Spares
                                                        Local    Local
                                                        Data     Root     Physical
Disk                        Type  RPM    Checksum       Usable   Usable   Size     Status
--------------------------- ----- ------ -------------- -------- -------- -------- --------
1.0.22                      SAS   10000  block          0B       61.58GB  1.09TB   zeroed
4 entries were displayed.

WTTPLFR02::>

Re: NetApp FAS2552 Aggregate and Disk


So 1.0.23 is used as spare for both root and data partitions. 1.0.22 has one spare partition (root). Both partitions are independent, so one can be used as part of aggregate and another can be used as spare.

 

Did you try to read documentation about ADP and disk pools and do you have specific question about documentation content?

Re: report ksh

Hi,

I would like to have the @IP client match (from the export policy) for each volume, with used and total capacity, on one command line.

Is it possible?

Re: report ksh


I don't believe it is.

You can use the 'volume show ...' command to get the name of the export policy applied to the volume.

However, in order to get details of the rules in the policy, you need to use the 'vserver export-policy rule show ...' command.

It shouldn't be too difficult to script this if you have password-less access to the cluster sorted out.

 

Regards.

Unable to create home directory shares with Powershell - Standard shares must define an absolute

NetApp support directed me here to pose my question.  If this is not the correct spot to ask please let me know where would be.  Thanks.  It seems that the NetApp Powershell module does not support creating home directory shares.  Can someone shed some light on what might be going on?  Is there a way to add them via Powershell that I'm not understanding?  I keep getting "Standard shares must define an absolute share path in the Vserver's namespace."  Also the flag -DisablePathValidation doesn't make it work either.  Any help or suggestions would be appreciated.  Thank you.

 

<user> O:\>     Get-NcVserver $DestinationSVM | Add-NcCifsShare -Name "CIFS.HOMEDIR" -Path "%w" -ShareProperties $ShareProps
Add-NcCifsShare : Failed to create CIFS share CIFS.HOMEDIR. Reason: Standard shares must define an absolute share path in the Vserver's namespace.
At line:1 char:37
+ ... nationSVM | Add-NcCifsShare -Name "CIFS.HOMEDIR" -Path "%w" -SharePro ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (naeau1:NcController) [Add-NcCifsShare], EAPIERROR
    + FullyQualifiedErrorId : ApiException,DataONTAP.C.PowerShell.SDK.Cmdlets.Cifs.AddNcCifsShare

 

<user> O:\> Get-NcVserver $DestinationSVM | Add-NcCifsShare -Name "%w" -Path "%w" -ShareProperties $ShareProps -DisablePathValidation
Add-NcCifsShare : Failed to create CIFS share %w. Reason: Standard shares must define an absolute share path in the Vserver's namespace.
At line:1 char:37
+ ... nationSVM | Add-NcCifsShare -Name "%w" -Path "%w" -ShareProperties $S ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (naeau1:NcController) [Add-NcCifsShare], EAPIERROR
    + FullyQualifiedErrorId : ApiException,DataONTAP.C.PowerShell.SDK.Cmdlets.Cifs.AddNcCifsShare

 

Syslog Traffic not sending through 1 node of cluster


I have a 6 node cluster running 8.3.1P2 that has 1 node that is not able to send syslog traffic using udp 514 traffic through the firewall.  The other 5 nodes can send through with no problem.  I have configured the event destination show with the syslog destination server and also configured the event route add-destinations -messagename * -destinations allevents.

 

Ran a pktt trace with the following:

 

1) Start the packet trace:

sxvdicl01::> node run -node SXVDINO01 pktt start all -d /etc/crash

2) Run the following cluster commands:

::> date

::> network ping -node SXDINO01 -destination <syslog-destination-IP>

::> network traceroute -node SXVDINO01 -destination <syslog-destination-IP> -port 514

::> set d; event generate -messagename asup.general.create -values "Packet Trace Test", 2

::> network ping -node SXVDINO01 -destination <syslog-destination-IP>

::> date

3) End the packet trace:

sxvdicl01::> node run -node SXVDINO01 pktt stop all

 

From the firewall side, they can see my icmp traffic going through the firewall and ping is successful.  They can also see the traceroute information failing since that is blocked on the firewall side.  They are just not able to see any UDP 514 traffic passing through or coming out of the node.  I logged onto the node directly and entered the username and password several times to generate the syslog traffic while the pktt trace was running and still no syslog traffic was being received on the firewall side.

 

Any other ideas on what I can troubleshoot as to why only one node is not getting through the firewall?  I have also verified that the IP of the node mgmt is part of the firewall rule.

 

I can't upload the pktt trace since it contains IP addresses.


Re: Unable to create home directory shares with Powershell - Standard shares must define an absolute

Hello ,

 

Can you explain the "%w" value you provided for the path?  Does that denote something special?  Also, if the share(s) were to be created using the CLI, what would the command be?

 

Andrew

Re: Unable to create home directory shares with Powershell - Standard shares must define an absolute

The equivalent commands in the CLI are:

 

vserver cifs share create -vserver dr-eau-testlab -share-name %w -path %w -share-properties oplocks,browsable,changenotify,homedirectory

vserver cifs share create -vserver dr-eau-testlab -share-name CIFS.HOMEDIR  -path %w -share-properties oplocks,browsable,changenotify,homedirectory

 

These shares appear to be documented by NetApp here:

 

https://kb.netapp.com/support/s/article/how-to-configure-clustered-data-ontap-home-directories?language=en_US

https://library.netapp.com/ecmdocs/ECMM1277801/html/nfamg/GUID-741EF656-6B92-4A28-BD98-5942AF22FDA9.html

 

Thanks!

 

 

Re: Create parent directories for a junction path using the CLI


Yep, I agree that creating qtrees in the root volume is cleaner than creating useless stub volumes.  Can be done from both CLI and GUI without having to rely on API.

source code of bug fix


Good afternoon, in June 2015 Netapp opened BURT 934737 to develop a fix for stuck ownblock scanners on local backups with holes, and now the source code has been fixed in cDOT 9. We've downloaded ONTAP source code from ftp://ftp.netapp.com/frm-ntap/opensource/ but cannot find the fixed code. Where can the source code of bug fix 934737 be found? Many thanks, Frank

Powershell Add-NcCifsServer keeps failing - Cannot find an appropriate domain controller

I'm struggling to understand why I can't create a new CIFS server from Powershell when I can do it from the CLI with all the same settings no problem.  Since I can do it just fine from the CLI I would assume all the DNS and networking settings are correct.  Also, I've verified I'm not making any typos when typing the userid and password for the active directory domain.  I even tried creating the computer object in AD before running Add-NcCifsServer but it didn't help.  Any help or suggestions would be appreciated!  Thanks!

 

Get-NcVserver $DestinationSVM | Add-NcCifsServer -Name $NewCIFSServerName.ToUpper() -Domain <my FQDN> -AdminUsername $DomainUser -AdminPassword $DomainPass

 

Add-NcCifsServer : Failed to create the Active Directory machine account "DRPTEST_VFILER". Reason: SecD Error: Cannot find an appropriate domain controller Details:
Error: Machine account creation procedure failed [ 0 ms] Trying to create machine account 'DRPTEST_VFILER' in domain '<my FQDN>' for
Vserver 'eau-test_vfilerrs' [ 4] Successfully connected to xxx.xxx.xxx.xxx:389 using TCP [ 107] Successfully connected to xxx.xxx.xxx.xxx:389 using
TCP [ 216] Successfully connected to xxx.xxx.xxx.xxx:389 using TCP [ 320] Successfully connected to xxx.xxx.xxx.xxx:389 using TCP [ 436] No servers found in
DNS lookup for _ldap._tcp.EauClaire._sites.<my FQDN>. [ 448] No servers found in DNS lookup for
_ldap._tcp.<my FQDN>. [ 448] No servers available for MS_LDAP_AD, vserver: 21, domain: <my FQDN>. [ 448] Cannot find any
domain controllers; verify the domain name and the node's DNS configuration **[ 448] FAILURE: Failed to find a domain controller [ 448] Uncaptured
failure while creating server account .
At line:1 char:37
+ ... nationSVM | Add-NcCifsServer -Name $NewCIFSServerName.ToUpper() -Doma ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (naeau1:NcController) [Add-NcCifsServer], EAPIERROR
    + FullyQualifiedErrorId : ApiException,DataONTAP.C.PowerShell.SDK.Cmdlets.Cifs.AddNcCifsServer

 
