We have a requirement to audit our CIFS share security on a monthly basis. For my Windows servers I use a VBScript leveraging WMI and the Win32_LogicalShareSecuritySetting.
The filers don't respond to the WMI calls, so I thought I'd use plink to execute a cifs shares command. The problem is the formatting of the output of that command is atrocious - basically machine-unreadable. If I grep for "Domain Users," for example, I miss the shares that the group has access to. Plus the description field is usually separated from the path by a single space, which means there's no way for a script to tell where the path ends and the description begins (our paths include spaces). FilerView produces exactly the same output.
I thought DFM might help but after reviewing the documentation it doesn't look like it applies.
Has anyone come up with a good way to generate a useful (preferably tab-delimited) report on a filer's share permissions? If not I can ignore the description and path fields and kludge together the output I need. I was just hoping for a better way.
I agree that the output formatting of some of the NetApp utilities is pretty bad for scripting.
We don't have spaces in any of our share paths. My group creates the shares and we always say no to requests for paths with spaces.
The only thing I can think of is to parse the cifsconfig_share.cfg file in the etc directory. Share names, paths and descriptions are quoted, so the spaces in the paths shouldn't be a problem. The ACLs in that file are given as SIDs. I have a Unix background; is there a Windows utility to convert the SID to a name?
You could get the share names and paths from the cifsconfig_share.cfg file and the permissions from the "cifs shares" output, which is probably what I would do in your situation. Easy to do in Perl; I don't know about VBScript.
Jeff.
_____
From: owner-toasters@mathworks.com [mailto:owner-toasters@mathworks.com] On Behalf Of Jon Hill
Sent: Tuesday, August 21, 2007 5:40 PM
To: toasters@mathworks.com
Subject: Cifs ACL reporting
We have a requirement to audit our CIFS share security on a monthly basis. For my Windows servers I use a VBScript leveraging WMI and the Win32_LogicalShareSecuritySetting.
The filers don't respond to the WMI calls, so I thought I'd use plink to execute a cifs shares command. The problem is the formatting of the output of that command is atrocious - basically machine-unreadable. If I grep for "Domain Users," for example, I miss the shares that the group has access to. Plus the description field is usually separated from the path by a single space, which means there's no way for a script to tell where the path ends and the description begins (our paths include spaces). FilerView produces exactly the same output.
I thought DFM might help but after reviewing the documentation it doesn't look like it applies.
Has anyone come up with a good way to generate a useful (preferably tab-delimited) report on a filer's share permissions? If not I can ignore the description and path fields and kludge together the output I need. I was just hoping for a better way.
Thanks for the idea. That worked well.
To convert the SID, I used this code:
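' strsid holds the SID string to resolve (for example one read from cifsconfig_share.cfg)
Set wmiService = GetObject("winmgmts:{impersonationLevel=Impersonate}")
' Fetch the Win32_SID instance for that SID
Set wmiSID = wmiService.Get("Win32_SID.SID='" & strsid & "'")
strUserName = wmiSID.accountname
strUserDomain = wmiSID.ReferencedDomainName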
________________________________
From: owner-toasters@mathworks.com [mailto:owner-toasters@mathworks.com] On Behalf Of Goodin, Jeff
Sent: Wednesday, August 22, 2007 9:16 AM
To: toasters@mathworks.com
Subject: RE: Cifs ACL reporting
I agree that the output formatting of some of the NetApp utilities is pretty bad for scripting.
We don't have spaces in any of our share paths. My group creates the shares and we always say no to requests for paths with spaces.
The only thing I can think of is to parse the cifsconfig_share.cfg file in the etc directory. Share names, paths and descriptions are quoted, so the spaces in the paths shouldn't be a problem. The ACLs in that file are given as SIDs. I have a Unix background; is there a Windows utility to convert the SID to a name?
You could get the share names and paths from the cifsconfig_share.cfg file and the permissions from the "cifs shares" output, which is probably what I would do in your situation. Easy to do in Perl; I don't know about VBScript.
Jeff.
You can use the following NetApp command to convert the SID id.
filer> cifs lookup <SID id>
example:
filer> cifs lookup "S-1-5-32-544"
name = BUILTIN\Administrators
Ngan
________________________________
From: owner-toasters@mathworks.com [mailto:owner-toasters@mathworks.com] On Behalf Of Jon Hill
Sent: Sunday, August 26, 2007 8:52 AM
To: Goodin, Jeff; toasters@mathworks.com
Subject: RE: Cifs ACL reporting
Thanks for the idea. That worked well.
To convert the SID, I used this code:
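' strsid holds the SID string to resolve (for example one read from cifsconfig_share.cfg)
Set wmiService = GetObject("winmgmts:{impersonationLevel=Impersonate}")
' Fetch the Win32_SID instance for that SID
Set wmiSID = wmiService.Get("Win32_SID.SID='" & strsid & "'")
strUserName = wmiSID.accountname
strUserDomain = wmiSID.ReferencedDomainName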
Since the script would be run from a Windows box I'd prefer to use native Windows functions as much as possible. I used FSO to read cifsconfig_share.cfg and write the tab-delimited output and WMI to convert the SIDs.
That said, my WMI code is limited to AD accounts, whereas cifs lookup can also report on local accounts. I'll have to think about this. Good idea.
________________________________
From: Trinh, Ngan [mailto:Ngan.Trinh@chevron.com]
Sent: Sunday, August 26, 2007 10:50 AM
To: Jon Hill; Goodin, Jeff; toasters@mathworks.com
Subject: RE: Cifs ACL reporting
You can use the following NetApp command to convert the SID id.
filer> cifs lookup <SID id>
example:
filer> cifs lookup "S-1-5-32-544"
name = BUILTIN\Administrators
Ngan
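The approach this thread settles on (read cifsconfig_share.cfg with a quote-aware tokenizer so paths with spaces survive, join each share to its ACL entries, resolve SIDs, write tab-delimited rows), as an added example in Python that is not code from any poster. The "cifs shares -add" / "cifs access" line layout, the sample file contents and the function names are assumptions made for illustration; a SID the lookup table does not know stays in the report as UNRESOLVED rather than being dropped.

```python
import shlex

# Constructed sample. The "cifs shares -add" / "cifs access" layout is assumed.
SAMPLE_CFG = r'''
#Generated automatically by cifs commands
cifs shares -add "Finance Reports" "/vol/vol1/finance reports" -comment "Month end reports"
cifs access "Finance Reports" S-1-5-32-544 Full Control
cifs access "Finance Reports" S-1-5-21-1111111111-2222222222-3333333333-513 Read
cifs shares -add "HOME" "/vol/vol0/home"
cifs access "HOME" S-1-1-0 Full Control
'''

# Only SIDs with a fixed meaning; domain and local SIDs need a live lookup.
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-32-544": "BUILTIN\\Administrators"}

def tokens(line):
    """Split on whitespace but keep double-quoted fields (names, paths) whole."""
    lex = shlex.shlex(line, posix=True)
    lex.whitespace_split = True
    lex.quotes = '"'     # an apostrophe in a description is ordinary text
    lex.escape = ""      # backslashes stay literal
    return list(lex)

def parse_cfg(text):
    """Return {share: {"path", "desc", "acl": [(sid, access), ...]}} in file order."""
    shares = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        t = tokens(line)
        if t[:3] == ["cifs", "shares", "-add"] and len(t) >= 5:
            opts = t[5:]
            desc = opts[opts.index("-comment") + 1] if "-comment" in opts[:-1] else ""
            shares[t[3]] = {"path": t[4], "desc": desc, "acl": []}
        elif t[:2] == ["cifs", "access"] and len(t) >= 5:
            share = shares.setdefault(t[2], {"path": "", "desc": "", "acl": []})
            share["acl"].append((t[3], " ".join(t[4:])))
    return shares

def report(text, resolve=WELL_KNOWN.get):
    """Tab-delimited rows, one per (share, trustee); unknown SIDs are kept."""
    rows = ["Share\tPath\tDescription\tTrustee\tSID\tAccess"]
    for name, s in parse_cfg(text).items():
        for sid, access in s["acl"] or [("", "")]:
            trustee = (resolve(sid) or "UNRESOLVED") if sid else ""
            rows.append("\t".join([name, s["path"], s["desc"], trustee, sid, access]))
    return "\n".join(rows)

if __name__ == "__main__": print(report(SAMPLE_CFG))
```

The resolve argument accepts any callable that maps a SID string to a name, so a lookup that also covers local accounts can replace the built-in table.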