User 'root' denied access - missing required capability: 'cli-route' - toasters

4 May 2012


      I'm seeing this error "User 'root' denied access - missing required capability: 'cli-route'" (on the console) at the cutover stage of vFiler migration under 8.1 GA
The vFiler migrations are successful, but this error is troubling for production vFiler migrations which require zero downtime.
I opened a netapp support case and posted more details here:
https://communities.netapp.com/message/80796
I'm looking to confirm the proper useradmin user->group->role mappings for root in case 8.1GA introduced some bug.
I have (note no groups for root user - should I create a root group and add the mapping to the root role?):
useradmin user list
Name: root
Info: Default system administrator.
Rid: 0
Groups:
--
useradmin group list
Name: Administrators                  
Info: Members can fully administer the filer
Rid: 544
Roles: admin
Name: Backup Operators                
Info: Members can bypass file security to backup files
Rid: 551
Roles: backup,none
Name: Compliance Administrators       
Info: Members can perform compliance operations
Rid: 131072
Roles: compliance
Name: Guests                          
Info: Users granted Guest Access
Rid: 546
Roles: none
Name: ndmp                            
Info: 
Rid: 131077
Roles: ndmp_role
Name: oragroup                        
Info: 
Rid: 131075
Roles: oracle
Name: Power Users                     
Info: Members that can share directories
Rid: 547
Roles: power
Name: Replicators                     
Info: not supported
Rid: 552
Roles: none
Name: Users                           
Info: Ordinary Users
Rid: 545
Roles: audit
--
useradmin role list 
Name:    admin                           
Info:                                    
Allowed Capabilities: login-*,cli-*,api-*,security-*
Name:    audit                           
Info:                                    
Allowed Capabilities: api-snmp-get,api-snmp-get-next
Name:    backup                          
Info:    Default role for NDMP privileges.
Allowed Capabilities: login-ndmp
Name:    compliance                      
Info:    Default role for compliance privileges.
Allowed Capabilities: cli-cifs*,cli-exportfs*,cli-nfs*,cli-useradmin*,api-cifs-*,api-nfs-*,login-telnet,login-http-admin,login-rsh,login-ssh,api-system-api-*,cli-snaplock*,api-snaplock-*,api-file-*,compliance-*
Name:    ndmp_role                       
Info:                                    
Allowed Capabilities: login-ndmp
Name:    none                            
Info:                                    
Allowed Capabilities:
Name:    oracle                          
Info:                                    
Allowed Capabilities: login-ssh,cli-snap*
Name:    power                           
Info:                                    
Allowed Capabilities: cli-cifs*,cli-exportfs*,cli-nfs*,cli-useradmin*,api-cifs-*,api-nfs-*,login-telnet,login-http-admin,login-rsh,login-ssh
Name:    root                            
Info:                                    
Allowed Capabilities: *
thanks