Mailing List Archive

storacl / local ontap only users
Toasters,

I have a client who needs to use SnapDrive for Windows. I'd like to
use storacl to limit SnapDrive visibility to that client's volumes and
fibre channel luns. I'd also like to avoid joining the filer to
the AD domain.

I created a local ontap account that is a member of the local
administrators ontap group. I can configure SnapDrive's transport
protocol settings to connect to the filer using the ontap account via
https. SnapDrive sees all of the volumes on that filer as
expected.


Is it possible to create storacl rules that apply to SnapDrive for
Windows when connecting via https using a local ONTAP user to a filer
that is not a member of a domain? Everything I see in the storacl
documentation seems to only apply to filers that are a member of a
domain.

Much appreciated,
Phil
_______________________________________________
Toasters mailing list
Toasters@teaparty.net
http://www.teaparty.net/mailman/listinfo/toasters
Re: storacl / local ontap only users
Toasters,

I was able to find a solution. Here are the high-level steps I
followed. This all worked while CIFS was terminated. The purpose
of terminating cifs was to simulate a filer that is not a member of a
domain.

1. Create local ontap account that is a member of the filer's
administrators group.

2. On the Windows servers, configure a snapdrive connection to the
filer using https via SnapDrive's protocol transport settings.
Configure the connection to use the local account created in step 1.
This assumes you have the appropriate httpd options enabled on the
filer.

Note: At this point, you should have full access to the filer via
snapdrive. I wanted to limit snapdrive visibility to the
volumes/luns used by this particular windows machine. Enter storacl.

3. Launch storacl from a windows server with snapdrive installed.

4. Establish a storacl connection to the filer. Create the storacl
file (AccessControl.xml) on the filer.

5. Create storacl rules for the domain or local machine account used
to run snapdrive. Use the domain\account or local_machine\account
format when specifying the user account in the storacl rules.

Note: the storacl rules based on Active Directory or local windows
accounts worked, despite CIFS not running on the filer. This was
key! The rules I created applied specifically to the volumes/luns
this machine needed to manage.

Note: The accounts specified in this step should also be local
administrators on the windows server.

6. Launch snapdrive using one of the accounts specified in step 5 and
try managing storage from the array.

This worked for me. I still need to test this on a filer that has
never been joined to a domain. Terminating cifs may not have fully
simulated a filer that has never been joined to a domain (i.e. on a
filer that never ran cifs setup).

-Phil




On Fri, Feb 26, 2016 at 11:11 AM, Philbert Rupkins
<philbertrupkins@gmail.com> wrote:
> Toasters,
>
> I have a client who needs to use SnapDrive for Windows. I'd like to
> use storacl to limit SnapDrive visibility to that client's volumes and
> fibre channel luns. I'd also like to avoid joining the filer to
> the AD domain.
>
> I created a local ontap account that is a member of the local
> administrators ontap group. I can configure SnapDrive's transport
> protocol settings to connect to the filer using the ontap account via
> https. SnapDrive sees all of the volumes on that filer as
> expected.
>
>
> Is it possible to create storacl rules that apply to SnapDrive for
> Windows when connecting via https using a local ONTAP user to a filer
> that is not a member of a domain? Everything I see in the storacl
> documentation seems to only apply to filers that are a member of a
> domain.
>
> Much appreciated,
> Phil