Since the script would be run from a Windows box I'd prefer to use native Windows functions as much as possible.  I used fso to read cifsconfig_share.cfg and write the tab-delimited output and wmi to convert the SIDs. 
 
That said, my wmi code is limited to AD accounts, whereas cifs lookup can also report on local accounts.  I'll have to think about this.  Good idea.
 


From: Trinh, Ngan [mailto:Ngan.Trinh@chevron.com]
Sent: Sunday, August 26, 2007 10:50 AM
To: Jon Hill; Goodin, Jeff; toasters@mathworks.com
Subject: RE: Cifs ACL reporting

You can use the following NetApp command to convert the SID id.
 
filer>  cifs lookup <SID id>
 
example:
 
filer> cifs lookup "S-1-5-32-544"
name = BUILTIN\Administrators
Ngan


From: owner-toasters@mathworks.com [mailto:owner-toasters@mathworks.com] On Behalf Of Jon Hill
Sent: Sunday, August 26, 2007 8:52 AM
To: Goodin, Jeff; toasters@mathworks.com
Subject: RE: Cifs ACL reporting

Thanks for the idea.  That worked well.
 
To convert the SID, I used this code:
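' strsid holds one SID string, e.g. "S-1-5-32-544"
' Connect to the local WMI service
Set wmiService = GetObject("winmgmts:{impersonationLevel=Impersonate}")
' Fetch the Win32_SID instance keyed on that SID string
Set wmiSID = wmiService.Get("Win32_SID.SID='" & strsid & "'")
' Account name and the domain (or machine) that owns it
strUserName = wmiSID.AccountName
strUserDomain = wmiSID.ReferencedDomainName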


From: owner-toasters@mathworks.com [mailto:owner-toasters@mathworks.com] On Behalf Of Goodin, Jeff
Sent: Wednesday, August 22, 2007 9:16 AM
To: toasters@mathworks.com
Subject: RE: Cifs ACL reporting

I agree that the output formatting of some of the netapp utilities is pretty bad for scripting. 
 
We don't have spaces in any of our share paths.  My group creates the shares and we always say no to requests for paths with spaces.
 
The only thing I can think of is to parse the cifsconfig_share.cfg file in the etc directory.  Share names, paths and descriptions are quoted, so the spaces in the paths shouldn't be a problem.  The ACLs in that file are given as SIDs.  I have a unix background; is there a windows utility to convert the SID to a name?
 
You could get the share names and paths from the cifsconfig_share.cfg file and the permissions from the "cifs shares" output which is probably what I would do in your situation.  Easy to do in perl, I don't know about vbscript.
 
Jeff.
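
Added example, not part of the original thread: a parser for cifsconfig_share.cfg that keeps quoted names, paths and descriptions whole, emits one tab-delimited row per ACL entry, and lists every share a given SID can reach. The file layout (one `cifs shares -add` line per share, one `cifs access` line per ACL entry) is an assumption, and the sample data, SIDs and function names are constructed for illustration.

```python
import re

# Constructed sample. ASSUMPTION: etc/cifsconfig_share.cfg holds one
# 'cifs shares -add' line per share and one 'cifs access' line per ACL entry,
# with names, paths and comments double-quoted and trustees given as SIDs.
SAMPLE_CFG = r'''#Generated automatically by cifs commands
cifs shares -add "ETC$" "/etc" -comment "Remote Administration"
cifs access "ETC$" S-1-5-32-544 Full Control
cifs shares -add "Team Docs" "/vol/vol1/team docs" -comment "Project files"
cifs access "Team Docs" S-1-5-21-1111111111-2222222222-3333333333-513 Change
cifs access "Team Docs" S-1-5-32-544 Full Control
cifs shares -add "scratch" "/vol/vol2/scratch"
cifs access "scratch" S-1-1-0 Full Control
'''

TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # a quoted field or a bare word

def tokens(line):
    """Split a line into fields, keeping quoted fields (with spaces) whole."""
    return [bare or quoted for quoted, bare in TOKEN.findall(line)]

def parse_cfg(text):
    """Return {share: {"path", "comment", "acl": [(sid, rights), ...]}}."""
    shares = {}
    for line in text.splitlines():
        t = tokens(line)
        if t[:3] == ["cifs", "shares", "-add"] and len(t) >= 5:
            opts = t[5:]
            comment = opts[opts.index("-comment") + 1] if "-comment" in opts[:-1] else ""
            shares[t[3]] = {"path": t[4], "comment": comment, "acl": []}
        elif t[:2] == ["cifs", "access"] and len(t) >= 4:
            share = shares.setdefault(t[2], {"path": "", "comment": "", "acl": []})
            share["acl"].append((t[3], " ".join(t[4:])))
    return shares

def report_rows(shares, resolve=lambda sid: sid):
    """One tab-delimited row per ACL entry; resolve() maps a SID to a name."""
    return ["\t".join([name, s["path"], s["comment"], resolve(sid), rights])
            for name, s in shares.items() for sid, rights in s["acl"]]

def shares_granting(shares, sid):
    """Every share whose ACL names this SID, with the rights granted."""
    return {name: rights for name, s in shares.items()
            for ace_sid, rights in s["acl"] if ace_sid == sid}

if __name__ == "__main__":
    print("Share\tPath\tDescription\tTrustee\tRights")
    print("\n".join(report_rows(parse_cfg(SAMPLE_CFG))))
```

The `resolve` argument is where a SID-to-name lookup would plug in; left at its default, the report carries the raw SIDs.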


From: owner-toasters@mathworks.com [mailto:owner-toasters@mathworks.com] On Behalf Of Jon Hill
Sent: Tuesday, August 21, 2007 5:40 PM
To: toasters@mathworks.com
Subject: Cifs ACL reporting

We have a requirement to audit our cifs share security on a monthly basis.  For my windows servers I use a vbscript leveraging WMI and the Win32_LogicalShareSecuritySetting.

The filers don't respond to the WMI calls, so I thought I'd use plink to execute a cifs shares command.  The problem is the formatting of the output of that command is atrocious - basically machine-unreadable.  If I grep for "Domain Users," for example, I miss the shares that the group has access to.  Plus the description field is usually separated from the path by a single space, which means there's no way for a script to tell where the path ends and the description begins (our paths include spaces).  FilerView produces exactly the same output.

I thought DFM might help but after reviewing the documentation it doesn't look like it applies.

Has anyone come up with a good way to generate a useful (preferably tab-delimited) report on a filer's share permissions?  If not I can ignore the description and path fields and kludge together the output I need.  I was just hoping for a better way.