Toasters,
I have a client who needs to use SnapDrive for Windows. I'd like to use storacl to limit SnapDrive visibility to that client's volumes and Fibre Channel LUNs. I'd also like to avoid joining the filer to the AD domain.
I created a local ONTAP account that is a member of the local administrators ONTAP group. I can configure SnapDrive's transport protocol settings to connect to the filer using the ONTAP account via https. SnapDrive sees all of the volumes on that filer as expected.
Is it possible to create storacl rules that apply to SnapDrive for Windows when connecting via https using a local ONTAP user to a filer that is not a member of a domain? Everything I see in the storacl documentation seems to only apply to filers that are a member of a domain.
Much appreciated, Phil
Toasters,
I was able to find a solution. Here are the high-level steps I followed. This all worked while CIFS was terminated. The purpose of terminating CIFS was to simulate a filer that is not a member of a domain.
1. Create a local ONTAP account that is a member of the filer's administrators group.
2. On the Windows servers, configure a SnapDrive connection to the filer using https via SnapDrive's protocol transport settings. Configure the connection to use the local account created in step 1. This assumes you have the appropriate httpd options enabled on the filer.
Note: At this point, you should have full access to the filer via SnapDrive. I wanted to limit SnapDrive visibility to the volumes/LUNs used by this particular Windows machine. Enter storacl.
3. Launch storacl from a Windows server with SnapDrive installed.
4. Establish a storacl connection to the filer. Create the storacl file (AccessControl.xml) on the filer.
5. Create storacl rules for the domain or local machine account used to run SnapDrive. Use the domain\account or local_machine\account format when specifying the user account in the storacl rules.
Note: The storacl rules based on Active Directory or local Windows accounts worked, despite CIFS not running on the filer. This was key! The rules I created applied specifically to the volumes/LUNs this machine needed to manage.
Note: The accounts specified in this step should also be local administrators on the Windows server.
6. Launch SnapDrive using one of the accounts specified in step 5 and try managing storage from the array.
This worked for me. I still need to test this on a filer that has never been joined to a domain. Terminating CIFS may not have fully simulated a filer that has never been joined to a domain (i.e. on a filer that never ran cifs setup).
-Phil
On Fri, Feb 26, 2016 at 11:11 AM, Philbert Rupkins philbertrupkins@gmail.com wrote:
> Toasters,
> I have a client who needs to use SnapDrive for Windows. I'd like to use storacl to limit SnapDrive visibility to that client's volumes and Fibre Channel LUNs. I'd also like to avoid joining the filer to the AD domain.
> I created a local ONTAP account that is a member of the local administrators ONTAP group. I can configure SnapDrive's transport protocol settings to connect to the filer using the ONTAP account via https. SnapDrive sees all of the volumes on that filer as expected.
> Is it possible to create storacl rules that apply to SnapDrive for Windows when connecting via https using a local ONTAP user to a filer that is not a member of a domain? Everything I see in the storacl documentation seems to only apply to filers that are a member of a domain.
> Much appreciated, Phil