Backup and Restore CIFS shares in NetApp Clustered Data ONTAP using PowerShell

Posted on 04/30/2015.

NetApp’s Data ONTAP operating in 7-mode kept all relevant configuration files in its root volume under /etc. These files were read at boot and used to set up the filer. They included things like DNS configuration (resolv.conf), name service switches (nsswitch.conf), the initial config (rc file), hosts and various other configuration files.

Another file that is stored in /etc in 7-mode is the file that builds the filer’s CIFS shares each time it is booted – cifsconfig_share.cfg.

This file is essentially a list of CIFS share and access commands that gets sourced each time the system boots. This is what one of those files looks like in 7-mode:

#Generated automatically by cifs commands
cifs shares -add "ETC$" "/etc" -comment "Remote Administration"
cifs access "ETC$" S-1-5-32-544 Full Control
cifs shares -add "HOME" "/vol/vol0/home" -comment "Default Share"
cifs access "HOME" S-NONE "nosd"
cifs shares -add "C$" "/" -comment "Remote Administration"
cifs access "C$" S-1-5-32-544 Full Control
cifs shares -add "CIFS" "/vol/cifs" -comment "CIFS"
cifs access "CIFS" S-NONE "nosd"
cifs shares -add "mixed" "/vol/mixed" -comment ""
cifs access "mixed" S-NONE "nosd"

7mode> cifs shares
Name Mount Point      Description
---- -----------      -----------
ETC$ /etc             Remote Administration
                 BUILTIN\Administrators / Full Control
HOME /vol/vol0/home   Default Share
                 everyone / Full Control
C$ /                  Remote Administration
                 BUILTIN\Administrators / Full Control
CIFS /vol/cifs        CIFS
                 everyone / Full Control
mixed /vol/mixed
                 everyone / Full Control

One benefit of this file in 7-mode was the ability to copy it off somewhere as a backup and possibly restore the shares at a later date, or even retrieve the file from a snapshot.

However, with the newer clustered Data ONTAP, the concept of flat files is gone. Everything gets stored in a replicated database, which helps the cluster act like a cluster. I cover that in some detail in a previous post, NetApp cDOT, RDB, & Epsilon.

Additionally, in clustered Data ONTAP, if a CIFS server gets deleted (such as when removing it from the domain/re-adding it), the CIFS shares get blown away and would need to get re-created one by one.

So what do the people who relied on the old 7-mode CIFS share files do?

Script it out!

NetApp Data ONTAP provides a PowerShell module for storage administrators called the NetApp PowerShell ToolKit.

With the toolkit, you can leverage a wide variety of APIs to script out tasks in PowerShell. One thing that this can be used for is a backup and restore operation for CIFS shares in clustered Data ONTAP!

The scripts can be found here:

https://github.com/DatacenterDudes/cDOT-CIFS-share-backup-restore

Keep in mind that these scripts are unsupported and should be tested in your environment before relying on them. Feel free to clone them, enhance and modify as you see fit, and submit a pull request for us to review!

To use the scripts, download and import the NetApp PowerShell modules and follow these steps:

1. Before Deleting a CIFS server

.\getSharesAcls.ps1 -server <IP or hostname of mgmt LIF> -user admin -password <password> -vserver <vserver> -share * -shareFile C:\share.xml -aclFile C:\acl.xml -spit more

This saves all the shares and ACLs to the share.xml and acl.xml files.

2. Delete and then recreate the CIFS server

3. Recreate all the shares using:

.\createSharesAcls.ps1 -server <IP or hostname of mgmt LIF> -user admin -password <password> -vserver <vserver> -shareFile C:\share.xml -aclFile C:\acl.xml -spit less

NOTE: If you don’t want to type a password into the CLI, add it to the script as a variable.

NOTE: The scripts were written with 8.3 in mind, but I was able to use them with cDOT 8.2.x.
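
An added example, not part of the original post or the DatacenterDudes scripts: one way to run step 1 without typing the password on the command line or storing it in the script, and to confirm the backup files are usable before deleting the CIFS server in step 2. The server and vserver values are placeholders, and the XML check assumes the scripts write well-formed XML.

```powershell
# Added example, not part of the published scripts.
# Placeholders: replace with your management LIF and vserver.
$server    = '<IP or hostname of mgmt LIF>'
$vserver   = '<vserver>'
$shareFile = 'C:\share.xml'
$aclFile   = 'C:\acl.xml'

# Prompt for the password; it is masked while typed and held as a SecureString.
$cred = Get-Credential -UserName 'admin' -Message "Cluster login for $server"

# Step 1: back up shares and ACLs. The script expects a plain-text -password,
# so the SecureString is decrypted only for this call.
.\getSharesAcls.ps1 -server $server -user $cred.UserName `
    -password $cred.GetNetworkCredential().Password `
    -vserver $vserver -share * -shareFile $shareFile -aclFile $aclFile -spit more

# Gate for step 2: stop unless both backup files exist, are non-empty and
# parse as XML (assumption: the scripts write well-formed XML).
foreach ($file in $shareFile, $aclFile) {
    $item = Get-Item -LiteralPath $file -ErrorAction Stop
    if ($item.Length -eq 0) { throw "Backup file $file is empty." }
    $null = [xml](Get-Content -LiteralPath $file -Raw)   # throws on malformed XML
}
"Backup files are present and parse as XML; continue with step 2."
```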

EXAMPLE

These are my shares:

cluster-name::*> cifs share show -vserver SVM
Vserver        Share         Path              Properties Comment  ACL
-------------- ------------- ----------------- ---------- -------- -----------
SVM            admin         /.admin           oplocks     -       Everyone / Full Control
                                               browsable
                                               changenotify
SVM            admin$        /                 browsable   -       -
SVM            c$            /                 oplocks     -       BUILTIN\Administrators / Full Control
                                               browsable
                                               changenotify
SVM            ipc$          /                 browsable   -        -
SVM            mixed         /mixed            oplocks     -        Administrator / Full Control
                                               browsable            Everyone / Full Control
                                               changenotify
SVM            ntfs          /ntfs             oplocks     -        administrator / Full Control
                                               browsable            DOMAIN\administrator / Full Control
                                               changenotify         DOMAIN\pcuser / No access
                                                                    DOMAIN\rogroup / Full Control
                                                                    DOMAIN\rwgroup / Full Control
                                                                    Everyone / Full Control
                                                                    rogroup / Read
                                                                    rwgroup / Change
SVM            unix          /unix             oplocks     -        Everyone / Full Control
                                               browsable
                                               changenotify
7 entries were displayed.

Then I backed them up:

PS C:\> .\getSharesAcls.ps1 -server cluster-name -user admin -password password -vserver SVM -share * -shareFile SVM-shares.xml -aclFile SVM-ACLs.xml

 cmdlet getSharesAcls.ps1 at command pipeline position 1
 Supply values for the following parameters:
 spit: more

************************SHARES START*****************************************
 Acl : {Everyone / Full Control}
 AttributeCacheTtl :
 CifsServer : CIFS-SN1
 Comment :
 DirUmask :
 FileUmask :
 NcController : cluster-name
 OfflineFilesMode : manual
 Path : /.admin
 ShareName : admin
 ShareProperties : {oplocks, browsable, changenotify}
 SymlinkProperties : {enable}
 Volume :
 Vserver : SVM
 AttributeCacheTtlSpecified : False
 DirUmaskSpecified : False
 FileUmaskSpecified : False

 Acl :
 AttributeCacheTtl :
 CifsServer : CIFS-SN1
 Comment :
 DirUmask :
 FileUmask :
 NcController : cluster-name
 OfflineFilesMode :
 Path : /
 ShareName : admin$
 ShareProperties : {browsable}
 SymlinkProperties :
 Volume : rootvol
 Vserver : SVM
 AttributeCacheTtlSpecified : False
 DirUmaskSpecified : False
 FileUmaskSpecified : False

 Acl : {BUILTIN\Administrators / Full Control}
 AttributeCacheTtl :
 CifsServer : CIFS-SN1
 Comment :
 DirUmask :
 FileUmask :
 NcController : cluster-name
 OfflineFilesMode :
 Path : /
 ShareName : c$
 ShareProperties : {oplocks, browsable, changenotify}
 SymlinkProperties : {enable}
 Volume : rootvol
 Vserver : SVM
 AttributeCacheTtlSpecified : False
 DirUmaskSpecified : False
 FileUmaskSpecified : False

 Acl :
 AttributeCacheTtl :
 CifsServer : CIFS-SN1
 Comment :
 DirUmask :
 FileUmask :
 NcController : cluster-name
 OfflineFilesMode :
 Path : /
 ShareName : ipc$
 ShareProperties : {browsable}
 SymlinkProperties :
 Volume : rootvol
 Vserver : SVM
 AttributeCacheTtlSpecified : False
 DirUmaskSpecified : False
 FileUmaskSpecified : False

 Acl : {Administrator / Full Control, Everyone / Full Control}
 AttributeCacheTtl :
 CifsServer : CIFS-SN1
 Comment :
 DirUmask :
 FileUmask :
 NcController : cluster-name
 OfflineFilesMode : manual
 Path : /mixed
 ShareName : mixed
 ShareProperties : {oplocks, browsable, changenotify}
 SymlinkProperties : {enable}
 Volume : mixed
 Vserver : SVM
 AttributeCacheTtlSpecified : False
 DirUmaskSpecified : False
 FileUmaskSpecified : False

 Acl : {administrator / Full Control, DOMAIN\administrator / Full Control, DOMAIN\pcuser / No
 access, DOMAIN\rogroup / Full Control...}
 AttributeCacheTtl :
 CifsServer : CIFS-SN1
 Comment :
 DirUmask :
 FileUmask :
 NcController : cluster-name
 OfflineFilesMode : manual
 Path : /ntfs
 ShareName : ntfs
 ShareProperties : {oplocks, browsable, changenotify}
 SymlinkProperties : {enable}
 Volume : ntfs
 Vserver : SVM
 AttributeCacheTtlSpecified : False
 DirUmaskSpecified : False
 FileUmaskSpecified : False

 Acl : {Everyone / Full Control}
 AttributeCacheTtl :
 CifsServer : CIFS-SN1
 Comment :
 DirUmask :
 FileUmask :
 NcController : cluster-name
 OfflineFilesMode : manual
 Path : /unix
 ShareName : unix
 ShareProperties : {oplocks, browsable, changenotify}
 SymlinkProperties : {enable}
 Volume : unix
 Vserver : SVM
 AttributeCacheTtlSpecified : False
 DirUmaskSpecified : False
 FileUmaskSpecified : False

************************SHARES END*****************************************

************************ACLS START*****************************************
 NcController : cluster-name
 Permission : full_control
 Share : admin
 UserOrGroup : Everyone
 Vserver : SVM
 Winsid : S-1-1-0

 NcController : cluster-name
 Permission : full_control
 Share : c$
 UserOrGroup : BUILTIN\Administrators
 Vserver : SVM
 Winsid : S-1-5-32-544

 NcController : cluster-name
 Permission : full_control
 Share : mixed
 UserOrGroup : Administrator
 Vserver : SVM
 Winsid : S-1-5-21-2671530877-738781316-3150489991-500

 NcController : cluster-name
 Permission : full_control
 Share : mixed
 UserOrGroup : Everyone
 Vserver : SVM
 Winsid : S-1-1-0

 NcController : cluster-name
 Permission : full_control
 Share : ntfs
 UserOrGroup : administrator
 Vserver : SVM
 Winsid : S-1-5-21-2671530877-738781316-3150489991-500

 NcController : cluster-name
 Permission : full_control
 Share : ntfs
 UserOrGroup : DOMAIN\administrator
 Vserver : SVM
 Winsid : S-1-5-21-3413584004-3312044262-250399859-500

 NcController : cluster-name
 Permission : no_access
 Share : ntfs
 UserOrGroup : DOMAIN\pcuser
 Vserver : SVM
 Winsid : S-1-5-21-3413584004-3312044262-250399859-1268

 NcController : cluster-name
 Permission : full_control
 Share : ntfs
 UserOrGroup : DOMAIN\rogroup
 Vserver : SVM
 Winsid : S-1-5-21-3413584004-3312044262-250399859-1256

 NcController : cluster-name
 Permission : full_control
 Share : ntfs
 UserOrGroup : DOMAIN\rwgroup
 Vserver : SVM
 Winsid : S-1-5-21-3413584004-3312044262-250399859-1255

 NcController : cluster-name
 Permission : full_control
 Share : ntfs
 UserOrGroup : Everyone
 Vserver : SVM
 Winsid : S-1-1-0

 NcController : cluster-name
 Permission : read
 Share : ntfs
 UserOrGroup : rogroup
 Vserver : SVM
 Winsid : S-1-5-21-3413584004-3312044262-250399859-1256

 NcController : cluster-name
 Permission : change
 Share : ntfs
 UserOrGroup : rwgroup
 Vserver : SVM
 Winsid : S-1-5-21-3413584004-3312044262-250399859-1255

 NcController : cluster-name
 Permission : full_control
 Share : unix
 UserOrGroup : Everyone
 Vserver : SVM
 Winsid : S-1-1-0

************************ACLS END*****************************************

Then I deleted my shares:

cluster-name::*> cifs share delete -vserver SVM -share-name *
Error: command failed on vserver "SVM" share-name "admin$": You are not permitted to remove admin shares
Warning: Do you want to continue running this command? {y|n}: y
Error: command failed on vserver "SVM" share-name "c$": You are not permitted to remove admin shares
Warning: Do you want to continue running this command? {y|n}: y
Error: command failed on vserver "SVM" share-name "ipc$": You are not permitted to remove admin shares
Warning: Do you want to continue running this command? {y|n}: y
Warning: The supplied share name is not quoted and contains special query characters that can match multiple shares.
 Do you want to continue? {y|n}: y
4 entries were deleted.

cluster-name::*> cifs share show -vserver SVM
 Vserver        Share         Path              Properties Comment  ACL
 -------------- ------------- ----------------- ---------- -------- -----------
 SVM            admin$        /                 browsable  -        -
 SVM            c$            /                 oplocks    -        BUILTIN\Administrators / Full Control
                                                browsable
                                                changenotify
 SVM            ipc$          /                 browsable  -        -
 3 entries were displayed.

Then I ran the script to restore them.

PS C:\> .\createSharesAcls.ps1 -server cluster-name -user admin -password password -vserver SVM -shareFile SVM-shares.xml -aclFile SVM-ACLs.xml -spit more
 =====================================================================================
 SHARES
 =====================================================================================
 Acl : {Everyone / Full Control}
 AttributeCacheTtl :
 CifsServer : CIFS-SN1
 Comment :
 DirUmask :
 FileUmask :
 NcController : cluster-name
 OfflineFilesMode : manual
 Path : /.admin
 ShareName : admin
 ShareProperties : {oplocks, browsable, changenotify}
 SymlinkProperties : {enable}
 Volume :
 Vserver : SVM
 AttributeCacheTtlSpecified : False
 DirUmaskSpecified : False
 FileUmaskSpecified : False
 
 Acl :
 AttributeCacheTtl :
 CifsServer : CIFS-SN1
 Comment :
 DirUmask :
 FileUmask :
 NcController : cluster-name
 OfflineFilesMode :
 Path : /
 ShareName : admin$
 ShareProperties : {browsable}
 SymlinkProperties :
 Volume : rootvol
 Vserver : SVM
 AttributeCacheTtlSpecified : False
 DirUmaskSpecified : False
 FileUmaskSpecified : False

 Acl : {BUILTIN\Administrators / Full Control}
 AttributeCacheTtl :
 CifsServer : CIFS-SN1
 Comment :
 DirUmask :
 FileUmask :
 NcController : cluster-name
 OfflineFilesMode :
 Path : /
 ShareName : c$
 ShareProperties : {oplocks, browsable, changenotify}
 SymlinkProperties : {enable}
 Volume : rootvol
 Vserver : SVM
 AttributeCacheTtlSpecified : False
 DirUmaskSpecified : False
 FileUmaskSpecified : False

 Acl :
 AttributeCacheTtl :
 CifsServer : CIFS-SN1
 Comment :
 DirUmask :
 FileUmask :
 NcController : cluster-name
 OfflineFilesMode :
 Path : /
 ShareName : ipc$
 ShareProperties : {browsable}
 SymlinkProperties :
 Volume : rootvol
 Vserver : SVM
 AttributeCacheTtlSpecified : False
 DirUmaskSpecified : False
 FileUmaskSpecified : False
 
 Acl : {Administrator / Full Control, Everyone / Full Control}
 AttributeCacheTtl :
 CifsServer : CIFS-SN1
 Comment :
 DirUmask :
 FileUmask :
 NcController : cluster-name
 OfflineFilesMode : manual
 Path : /mixed
 ShareName : mixed
 ShareProperties : {oplocks, browsable, changenotify}
 SymlinkProperties : {enable}
 Volume : mixed
 Vserver : SVM
 AttributeCacheTtlSpecified : False
 DirUmaskSpecified : False
 FileUmaskSpecified : False

 Acl : {administrator / Full Control, DOMAIN\administrator / Full Control, DOMAIN\pcuser / No
 access, DOMAIN\rogroup / Full Control...}
 AttributeCacheTtl :
 CifsServer : CIFS-SN1
 Comment :
 DirUmask :
 FileUmask :
 NcController : cluster-name
 OfflineFilesMode : manual
 Path : /ntfs
 ShareName : ntfs
 ShareProperties : {oplocks, browsable, changenotify}
 SymlinkProperties : {enable}
 Volume : ntfs
 Vserver : SVM
 AttributeCacheTtlSpecified : False
 DirUmaskSpecified : False
 FileUmaskSpecified : False

 Acl : {Everyone / Full Control}
 AttributeCacheTtl :
 CifsServer : CIFS-SN1
 Comment :
 DirUmask :
 FileUmask :
 NcController : cluster-name
 OfflineFilesMode : manual
 Path : /unix
 ShareName : unix
 ShareProperties : {oplocks, browsable, changenotify}
 SymlinkProperties : {enable}
 Volume : unix
 Vserver : SVM
 AttributeCacheTtlSpecified : False
 DirUmaskSpecified : False
 FileUmaskSpecified : False

=====================================================================================
 Add-NcCifsShare -VserverContext SVM -Name "admin" -Path "/.admin" -ShareProperties "oplocks,browsable,changenotify" -SymlinkProperties "enable" -OfflineFilesMode "manual"
 --------------------
 CifsServer ShareName Path Comment
 ---------- --------- ---- -------
 CIFS-SN1 admin /.admin
 Skip adding: admin$
 --------------------
 Skip adding: c$
 --------------------
 Skip adding: ipc$
 --------------------
 Add-NcCifsShare -VserverContext SVM -Name "mixed" -Path "/mixed" -ShareProperties "oplocks,browsable,changenotify" -SymlinkProperties "enable" -OfflineFilesMode "manual"
 --------------------
 CIFS-SN1 mixed /mixed
 Add-NcCifsShare -VserverContext SVM -Name "ntfs" -Path "/ntfs" -ShareProperties "oplocks,browsable,changenotify" -SymlinkProperties "enable" -OfflineFilesMode "manual"
 --------------------
 CIFS-SN1 ntfs /ntfs
 Add-NcCifsShare -VserverContext SVM -Name "unix" -Path "/unix" -ShareProperties "oplocks,browsable,changenotify" -SymlinkProperties "enable" -OfflineFilesMode "manual"
 --------------------
 CIFS-SN1 unix /unix
 =====================================================================================
 ACLS
 =====================================================================================
 NcController : cluster-name
 Permission : full_control
 Share : admin
 UserOrGroup : Everyone
 Vserver : SVM
 Winsid : S-1-1-0

 NcController : cluster-name
 Permission : full_control
 Share : c$
 UserOrGroup : BUILTIN\Administrators
 Vserver : SVM
 Winsid : S-1-5-32-544

 NcController : cluster-name
 Permission : full_control
 Share : mixed
 UserOrGroup : Administrator
 Vserver : SVM
 Winsid : S-1-5-21-2671530877-738781316-3150489991-500

 NcController : cluster-name
 Permission : full_control
 Share : mixed
 UserOrGroup : Everyone
 Vserver : SVM
 Winsid : S-1-1-0

 NcController : cluster-name
 Permission : full_control
 Share : ntfs
 UserOrGroup : administrator
 Vserver : SVM
 Winsid : S-1-5-21-2671530877-738781316-3150489991-500

 NcController : cluster-name
 Permission : full_control
 Share : ntfs
 UserOrGroup : DOMAIN\administrator
 Vserver : SVM
 Winsid : S-1-5-21-3413584004-3312044262-250399859-500

 NcController : cluster-name
 Permission : no_access
 Share : ntfs
 UserOrGroup : DOMAIN\pcuser
 Vserver : SVM
 Winsid : S-1-5-21-3413584004-3312044262-250399859-1268

 NcController : cluster-name
 Permission : full_control
 Share : ntfs
 UserOrGroup : DOMAIN\rogroup
 Vserver : SVM
 Winsid : S-1-5-21-3413584004-3312044262-250399859-1256

 NcController : cluster-name
 Permission : full_control
 Share : ntfs
 UserOrGroup : DOMAIN\rwgroup
 Vserver : SVM
 Winsid : S-1-5-21-3413584004-3312044262-250399859-1255

 NcController : cluster-name
 Permission : full_control
 Share : ntfs
 UserOrGroup : Everyone
 Vserver : SVM
 Winsid : S-1-1-0

 NcController : cluster-name
 Permission : read
 Share : ntfs
 UserOrGroup : rogroup
 Vserver : SVM
 Winsid : S-1-5-21-3413584004-3312044262-250399859-1256

 NcController : cluster-name
 Permission : change
 Share : ntfs
 UserOrGroup : rwgroup
 Vserver : SVM
 Winsid : S-1-5-21-3413584004-3312044262-250399859-1255
 
 NcController : cluster-name
 Permission : full_control
 Share : unix
 UserOrGroup : Everyone
 Vserver : SVM
 Winsid : S-1-1-0

=====================================================================================
 Add-NcCifsShareAcl -VserverContext SVM -Share "admin" -UserOrGroup "Everyone" -Permission "full_control"
 --------------------
Share UserOrGroup Permission
 ----- ----------- ----------
 admin Everyone full_control
 Skip adding Acls for c$
 --------------------
 Add-NcCifsShareAcl -VserverContext SVM -Share "mixed" -UserOrGroup "Administrator" -Permission "full_control"
 --------------------
 mixed Administrator full_control
 Add-NcCifsShareAcl -VserverContext SVM -Share "mixed" -UserOrGroup "Everyone" -Permission "full_control"
 --------------------
 mixed Everyone full_control
 Add-NcCifsShareAcl -VserverContext SVM -Share "ntfs" -UserOrGroup "administrator" -Permission "full_control"
 --------------------
 ntfs administrator full_control
 Add-NcCifsShareAcl -VserverContext SVM -Share "ntfs" -UserOrGroup "DOMAIN\administrator" -Permission "full_control"
 --------------------
 ntfs DOMAIN\admin... full_control
 Add-NcCifsShareAcl -VserverContext SVM -Share "ntfs" -UserOrGroup "DOMAIN\pcuser" -Permission "no_access"
 --------------------
 ntfs DOMAIN\pcuser no_access
 Add-NcCifsShareAcl -VserverContext SVM -Share "ntfs" -UserOrGroup "DOMAIN\rogroup" -Permission "full_control"
 --------------------
 ntfs DOMAIN\rogroup full_control
 Add-NcCifsShareAcl -VserverContext SVM -Share "ntfs" -UserOrGroup "DOMAIN\rwgroup" -Permission "full_control"
 --------------------
 ntfs DOMAIN\rwgroup full_control
 Add-NcCifsShareAcl -VserverContext SVM -Share "ntfs" -UserOrGroup "Everyone" -Permission "full_control"
 --------------------
 ntfs Everyone full_control
 Add-NcCifsShareAcl -VserverContext SVM -Share "ntfs" -UserOrGroup "rogroup" -Permission "read"
 --------------------
 ntfs rogroup read
 Add-NcCifsShareAcl -VserverContext SVM -Share "ntfs" -UserOrGroup "rwgroup" -Permission "change"
 --------------------
 Add-NcCifsShareAcl -VserverContext SVM -Share "unix" -UserOrGroup "Everyone" -Permission "full_control"
 --------------------
 unix Everyone full_control

This is the result:

cluster-name::*> cifs share show -vserver SVM
Vserver        Share         Path              Properties Comment  ACL
-------------- ------------- ----------------- ---------- -------- -----------
SVM            admin         /.admin           oplocks     -       Everyone / Full Control
                                               browsable
                                               changenotify
SVM            admin$        /                 browsable   -       -
SVM            c$            /                 oplocks     -       BUILTIN\Administrators / Full Control
                                               browsable
                                               changenotify
SVM            ipc$          /                 browsable   -        -
SVM            mixed         /mixed            oplocks     -        Administrator / Full Control
                                               browsable            Everyone / Full Control
                                               changenotify
SVM            ntfs          /ntfs             oplocks     -        administrator / Full Control
                                               browsable            DOMAIN\administrator / Full Control
                                               changenotify         DOMAIN\pcuser / No access
                                                                    DOMAIN\rogroup / Full Control
                                                                    DOMAIN\rwgroup / Full Control
                                                                    Everyone / Full Control
                                                                    rogroup / Read
                                                                    rwgroup / Change
SVM            unix          /unix             oplocks     -        Everyone / Full Control
                                               browsable
                                               changenotify
7 entries were displayed.
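
An added example, not part of the original post or scripts: a small comparison function to check that the share ACL entries after a restore match what was saved, flagging entries that are missing, extra or changed. It relies only on the Share, UserOrGroup and Permission properties shown in the output above; the sample data is constructed for illustration and is not the result of the run above.

```powershell
# Added example, not part of the cDOT-CIFS-share-backup-restore scripts.
# Compares share ACL entries captured before the rebuild with those present after it.
# Input objects only need the Share, UserOrGroup and Permission properties.
function Compare-ShareAcl {
    param(
        [Parameter(Mandatory)] [object[]] $Expected,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Actual
    )

    # Index each set by "share|principal"; hashtable string keys are case-insensitive.
    $index = {
        param($entries)
        $map = @{}
        foreach ($e in $entries) { $map["$($e.Share)|$($e.UserOrGroup)"] = $e.Permission }
        $map
    }
    $want = & $index $Expected
    $have = & $index $Actual

    foreach ($key in (@($want.Keys) + @($have.Keys) | Sort-Object -Unique)) {
        if     (-not $have.ContainsKey($key)) { $status = 'Missing' }  # saved, not restored
        elseif (-not $want.ContainsKey($key)) { $status = 'Extra' }    # live, never saved
        elseif ($want[$key] -ne $have[$key])  { $status = 'Changed' }  # permission differs
        else   { continue }                                            # entry matches

        $share, $principal = $key -split '\|', 2
        [pscustomobject]@{
            Share       = $share
            UserOrGroup = $principal
            Backup      = $want[$key]
            Live        = $have[$key]
            Status      = $status
        }
    }
}

# Constructed sample data: what was saved before the rebuild ...
$backup = @(
    [pscustomobject]@{ Share = 'ntfs'; UserOrGroup = 'DOMAIN\pcuser'; Permission = 'no_access' }
    [pscustomobject]@{ Share = 'ntfs'; UserOrGroup = 'rogroup';       Permission = 'read' }
    [pscustomobject]@{ Share = 'ntfs'; UserOrGroup = 'rwgroup';       Permission = 'change' }
)
# ... and a constructed "after" state with one entry of each kind of drift.
$live = @(
    [pscustomobject]@{ Share = 'ntfs'; UserOrGroup = 'rogroup';  Permission = 'change' }
    [pscustomobject]@{ Share = 'ntfs'; UserOrGroup = 'rwgroup';  Permission = 'change' }
    [pscustomobject]@{ Share = 'ntfs'; UserOrGroup = 'Everyone'; Permission = 'full_control' }
)

# Against a live cluster, after Connect-NcController, $live would instead be:
#   $live = Get-NcCifsShareAcl -VserverContext SVM
Compare-ShareAcl -Expected $backup -Actual $live | Format-Table -AutoSize
```

A missing no_access entry or an extra full_control entry both leave a share more open than it was before the rebuild, so those rows are the ones to review first.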

Now you can back up and restore your CIFS shares in cDOT!

Justin Parisi
Tech Mktg Engineer at NetApp
Justin is a Tech Marketing Engineer for all-things NFS around Data ONTAP at NetApp. He is a VMware vExpert, Cisco Champion, and a member of the NetApp A-Team. He also enjoys comic books, video games, photography, music, film, and current events/politics.
