Update: The issue is gone with ONTAP 9.6+.
This is some nasty behavior I observed on ONTAP: if you rename users or groups in your Active Directory, c-Dot ONTAP will keep the old names in the CIFS ACL, even after deleting all the caches.
Everything will still work, but it gets in the way when you troubleshoot CIFS access. Since ONTAP remembers the SID fine, you can use the function from my last blog post to remove the stale entries and add them again; this happens so fast that I did not see any disruption.
# Placeholder credentials; prefer Get-Credential over embedding a password in the script
$admcdot = New-Object System.Management.Automation.PsCredential('admin',$(ConvertTo-SecureString -String 'huehuehue' -AsPlainText -Force))
Connect-NcController MyNetappCdotStorage -Credential $admcdot

# Translates a name to its SID, or a SID (S-1-5-21-...) to its current name.
# Returns $null when the name or SID cannot be resolved.
function Get-SID_NAME(
    [Parameter(Position=2)][string]$domain=$env:userdomain,
    [Parameter(Mandatory=$True,Position=1)][string]$search,
    [switch]$Local)
{
    # Accept DOMAIN\name and split it into its two parts
    if($search -match '\\'){
        $domain=$search.Split('\')[0]
        $search=$search.Split('\')[1]
    }
    try {
        if($search -match '^S-1-5-21-'){
            # SID -> name
            $objSID = New-Object System.Security.Principal.SecurityIdentifier($search)
            $objUser = $objSID.Translate([System.Security.Principal.NTAccount])
            return $objUser.Value
        }else{
            # name -> SID, either for a local account or for DOMAIN\name
            if($Local){
                $objUser = New-Object System.Security.Principal.NTAccount($search)
            } else {
                $objUser = New-Object System.Security.Principal.NTAccount($domain, $search)
            }
            $strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
            return $strSID.Value
        }
    } catch {
        # Translate() throws when the identity cannot be mapped
        return $null
    }
}

Get-NcCifsShareAcl|?{($_.UserOrGroup -match '^MYDOMAIN') -and ($_.UserOrGroup -notmatch 'admins$') -and ($_.Vserver -notmatch 'mc$') }|%{
    # The stored name no longer resolves, so the account was renamed
    if(-not $(Get-SID_NAME $_.UserOrGroup)){
        # Resolve the current name from the SID first, so an entry is never removed without a replacement
        $newName = Get-SID_NAME $_.Winsid
        if($newName){
            Remove-NcCifsShareAcl -Share $_.Share -User $_.UserOrGroup -VserverContext $_.Vserver
            Add-NcCifsShareAcl -Share $_.Share -UserOrGroup $newName -Permission $_.Permission -VserverContext $_.Vserver
        }
    }
}
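
A read-only way to see which share ACL entries the cleanup loop above would touch, as an added example that is not part of the original post: it compares each stored name with what the SID currently resolves to and separates renamed entries from orphaned ones. Get-AclNameDrift, the sample entries and the SID-to-name table are constructed for illustration; only the property names come from the script above.

```powershell
# Added example: read-only audit, nothing is changed on the storage system.
# Get-AclNameDrift is a hypothetical helper name.
function Get-AclNameDrift {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]$Ace,
        # Maps a SID string to DOMAIN\name, or returns $null if it cannot be resolved
        [scriptblock]$Resolver = {
            param($sid)
            try {
                $obj = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $obj.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $null }
        }
    )
    process {
        $current = & $Resolver $Ace.Winsid
        $state = if (-not $current) {
            'Orphaned'    # SID no longer resolves, e.g. the object was deleted
        } elseif ($current -ieq $Ace.UserOrGroup) {
            'Current'     # stored name still matches the directory
        } else {
            'Renamed'     # SID resolves, but to a different name
        }
        [pscustomobject]@{
            Vserver    = $Ace.Vserver
            Share      = $Ace.Share
            StoredName = $Ace.UserOrGroup
            ActualName = $current
            Permission = $Ace.Permission
            State      = $state
        }
    }
}

# Constructed sample entries shaped like the Get-NcCifsShareAcl output used above
$sample = @(
    [pscustomobject]@{Vserver='svm1'; Share='finance'; UserOrGroup='MYDOMAIN\fin-team'; Winsid='S-1-5-21-1-2-3-1105'; Permission='change'}
    [pscustomobject]@{Vserver='svm1'; Share='finance'; UserOrGroup='MYDOMAIN\j.smith'; Winsid='S-1-5-21-1-2-3-1106'; Permission='read'}
    [pscustomobject]@{Vserver='svm1'; Share='scans'; UserOrGroup='MYDOMAIN\temp01'; Winsid='S-1-5-21-1-2-3-1107'; Permission='read'}
)
# Constructed directory state: 1106 was renamed, 1107 was deleted
$directory = @{
    'S-1-5-21-1-2-3-1105' = 'MYDOMAIN\fin-team'
    'S-1-5-21-1-2-3-1106' = 'MYDOMAIN\j.miller'
    'S-1-5-21-1-2-3-1107' = $null
}
$sample | Get-AclNameDrift -Resolver { param($sid) $directory[$sid] } | Format-Table -AutoSize
```

Against a live system, pipe Get-NcCifsShareAcl into the function and omit -Resolver to use the Windows SID lookup.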