Did Name Mapping (Kerberos to UNIX) change between Ontap 8.3 and 9.X?

Hi,

We are testing an upgrade to Ontap 9.0 & 9.1rc from Ontap 8.3.

This name mapping works in Ontap 8.3:

Kerberos to UNIX:

Pattern: (.+)\$@DOMAIN.COM Replacement: nfsuser

This name mapping doesn't work in Ontap 9.x:

Kerberos to UNIX:

Pattern: (.+)\$@DOMAIN.COM Replacement: nfsuser

This is the error from my netapp:

12/2/2016 15:19:23  MYNODE     ERROR         secd.nfsAuth.problem: vserver (nfsv4) General NFS authorization problem. Error: RPC accept GSS token procedure failed

 [ 24 ms] Acquired NFS service credential for logical interface 1027 (SPN='nfs/nfsv4.domain.com@DOMAIN.COM').

 [    31] GSS_S_COMPLETE: client = 'MYCOMPUTER$@DOMAIN.COM'

 [    32] Trying to map SPN 'MYCOMPUTER$@DOMAIN.COM' to UNIX user 'MYCOMPUTER$' using implicit mapping

 [    37] Entry for user-name: MYCOMPUTER$ not found in the current source: FILES. Ignoring and trying next available source

 [    48] Successfully connected to ip 1.1.1.1 port 389 using TCP

 [  3063] LDAP search for the "uid, uidNumber, gidNumber, unixUserPassword, name, unixHomeDirectory, loginShell" attribute(s) within base "dc=domain,dc=com" (scope: 2) using filter "(&(objectClass=User)(uid=MYCOMPUTER$))" failed with error: Timed out

 [  3063]   Additional info:

 [  3064] Source: LDAP unavailable. Entry for user-name:MYCOMPUTER$ not found in any of the available sources

 [  3064] Unable to map SPN 'MYCOMPUTER$@DOMAIN.COM'

**[  3064] FAILURE: Unable to map Kerberos NFS user 'MYCOMPUTER$@DOMAIN.COM' to appropriate UNIX user

 [  3065] Failed to accept the context: The routine completed successfully (minor: Unknown error). Result = 6916

Note: this one works on the Ontap 9:

Kerberos to UNIX:

Pattern: (.+)@DOMAIN.COM Replacement: nfsuser

Though I do not want all the domain krb users mapped to nfsuser, only MACHINESHORTNAME$@DOMAIN.COM.

Additionally, my LDAP translations are working:

diag secd authentication translate -node MYNODE -vserver NFS4  -unix-user-name MYUSERNAME
12345

Also, is there an easier way to test krb, like unix ids?

diag secd authentication translate -node MYNODE -vserver NFS4  -unix-user-name MYUSERNAME

Thanks in advance.

Ben

Re: Did Name Mapping (Kerberos to UNIX) change between Ontap 8.3 and 9.X?

What's probably happening here is that the name mapping is trying to use the name without the DOMAIN.COM appended. That's why it can't seem to find it.

I'd say change the rule (or add a 2nd rule) to be (.+)\$ (without the @DOMAIN.COM portion).

It may be that the changes in 8.3.2 to support asymmetric name mappings caused this. See page 66 of TR-4073 for details of those.

http://www.netapp.com/us/media/tr-4073.pdf

I'd suggest opening a support case either way. If the above fixes the issue, we need to call out the default behavior in docs and file a bug.

If the above doesn't work, a support case can help you get to the bottom of this and file a bug if necessary.
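To make the hypothesis in this reply concrete, here is a small, added simulation of rule-based Kerberos-to-UNIX mapping. It is not ONTAP's implementation or NetApp's code; it assumes whole-string regex matching and an implicit-mapping fallback to the short name (as the secd trace in the question shows), and it feeds each rule either the full principal or the realm-stripped name so you can see why `(.+)\$@DOMAIN.COM` stops matching when the `@DOMAIN.COM` part is no longer presented to the rule. The rule sets and the sample principals (`MYCOMPUTER$@DOMAIN.COM`, `alice@DOMAIN.COM`) are constructed for the example.

```python
import re

# Constructed rule sets modelled on the thread (hypothetical, not ONTAP's own):
# the original 8.3 rule, the reply's suggested realm-less rule, and the
# over-broad rule that "works" on 9.x but maps every domain principal.
RULE_FULL_PRINCIPAL = [(r"(.+)\$@DOMAIN.COM", "nfsuser")]
RULE_MACHINE_ONLY = [(r"(.+)\$", "nfsuser")]
RULE_ALL_USERS = [(r"(.+)@DOMAIN.COM", "nfsuser")]


def apply_rules(name, rules):
    """Return the replacement of the first rule whose pattern matches the
    whole name, or None. Assumption: whole-string matching, and the
    replacement may use regex backreferences (here it is a literal)."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, name)
        if m:
            return m.expand(replacement)
    return None


def map_principal(principal, rules, strip_realm):
    """Simplified model of Kerberos-to-UNIX mapping.

    strip_realm=False: rules see the full principal (what the 8.3 rule relied on).
    strip_realm=True:  rules see only the part before '@' (the reply's hypothesis
    for 9.x). If no explicit rule matches, fall back to implicit mapping, i.e.
    the short name, which then has to exist in FILES or LDAP, exactly the path
    the secd trace in the question walks before failing.
    Returns (unix_user, how).
    """
    short = principal.split("@", 1)[0]
    candidate = short if strip_realm else principal
    mapped = apply_rules(candidate, rules)
    if mapped is not None:
        return mapped, "explicit"
    return short, "implicit"


def mapping_table(principals, rules, strip_realm):
    """Map several principals; returns {principal: (unix_user, how)}."""
    return {p: map_principal(p, rules, strip_realm) for p in principals}


if __name__ == "__main__":
    samples = ["MYCOMPUTER$@DOMAIN.COM", "alice@DOMAIN.COM"]  # constructed
    for label, rules in [("full-principal", RULE_FULL_PRINCIPAL),
                         ("machine-only", RULE_MACHINE_ONLY),
                         ("all-users", RULE_ALL_USERS)]:
        for strip in (False, True):
            print(f"{label:15} strip_realm={strip!s:5}",
                  mapping_table(samples, rules, strip))
```

Two things the output makes visible: the machine-only rule `(.+)\$` maps only principals that end in `$` (machine accounts) and leaves ordinary users such as `alice` to the normal LDAP lookup, which is the scoping the original poster wanted, whereas `(.+)@DOMAIN.COM` collapses every domain user into `nfsuser`. And because an unmatched rule is simply skipped, keeping both the realm-qualified and the realm-less form of the rule costs nothing whichever form of the principal the platform actually hands to the rule engine.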

Re: Did Name Mapping (Kerberos to UNIX) change between Ontap 8.3 and 9.X?

Thanks Justin; unfortunately adding another (.+)\$ name mapping rule didn’t fix the issue; I will open a support case and reference what you mentioned.

BTW: your (Secure Unified Authentication for NFS Kerberos, NFSv4, and LDAP in Clustered Data ONTAP) document saved us lots of time setting up krb5 in our nfs environment. Thank you.

Re: Did Name Mapping (Kerberos to UNIX) change between Ontap 8.3 and 9.X?

For the sake of completeness: this issue was addressed in (1041909) and fixed in Data ONTAP 9.1RC2.