ONTAP Discussions

snapdrive, windows 2008 X64, pass through authentication

ianaforbes
8,728 Views

I have a filer which is not part of a Active Directory domain. It's running 7.2.5.1. There is no CIFS license installed on the filer (and none forthcoming). Snapdrive 6.0.1 is installed on a Windows 2008X64 server. I'm attempting to configure pass-through authentication as described in the docs.

I've created a local snapdrive user and add it to the Windows local administrators group. I've created a local user on the filer called snapdrive and added it to the BUILTIN\Administrators group on the filer. The passwords I've created for the Windows snapdrive user is identical to the filer snapdrive user.

I've installed snapdrive as the local snapdrive user. Everything looks fine when I open up the Snapdrive MMC. When I attempt to create a disk via snapdrive I get the following error:

SnapDrive Error

Access is denied

I've configured pass through authentication successfully in the past on Windows 2000/2003. Not sure if this is a Windows 2008 problem. Firewall has been completely turned off the Windows server.

Any suggestions?

30 REPLIES 30

ianaforbes
7,579 Views

So, I decided to join the filer to AD to see if the pass through authentication was the problem. This way I could follow the regular method of using a domain account to install snapdrive. After installing snapdrive with the filer part of the domain I'm still getting the same error - Access denied, when I try and create a disk via snapdrive.

I checked the syslog and found the following:

Sun Mar  8 12:17:05 EDT useradmin.unauthorized.user: User 'eone\snapdrive' denied access - missing required capability: 'login-http-admin'
Sun Mar  8 12:17:05 EDT [Ripley: HTTPPool04:warning]: HTTP Authentication from 10.10.0.53 to realm Administration failed

eone\snapdrive is the snapdrive service account. It's been added to the filer's BUILTIN\Administrators group and the Windows server's local administrators group. As additional information - The Windows server is running Exchange 2007 if that is useful information.

Hoping someone can help resolve.

sourav
7,579 Views

Hi Ian,

Which transport protocol are you using?


Regards,

Sourav.

ianaforbes
7,579 Views

Hi Sourav

I was using the default RPC transport. Do you have to specifically configure RPC transport from within the snapdrive mmc properties, or is that default during setup? If I changed it to HTTP does that mean that snapdrive is making calls to the filer via http and would that make a difference as to me getting what seems to be a permissions issue? At this point I'm wondering if it's some sort of DCOM issue. All firewalls are turned off.

The odd thing is that I've got this working on a lab setup (Windows 2008 X64, snapdrive 6.0.2, ONTAP simulator)

ianaforbes
7,579 Views

Any takers?? I'm stuck on this and could really use some advice . There must be someone who has configured snapdrive pass through authentication successfully before. I'm thinking it's a Windows 2008 issue - possibly a bug, but dunno for sure.

Any help would be most appreciated.

Thanks

arqureshi
7,579 Views

Have you tried to reset the password on the snapdrive account on the filer. Just finished a customer install 6 Windows 2008 servers configured the same way. Had the same error pop up on the fist server and I used the passwd command to rest password on the user account ( I believe I fat fingered it the first time)





ianaforbes
7,321 Views

Hi Asif

I'll try and reset the password on the filer and see what happens. Does anything else about what I explained seem incorrect?

Thanks

lamarca
7,321 Views

Ian,

I assume you looked at the installation guide: http://now.netapp.com/NOW/knowledge/docs/snapdrive/relsnap602/pdfs/admin.pdf and also made sure the SnapDrive account on the controller (local Administation group) and server (run as a service and local admin rights to server) have the correct rights (check pg. 44 of the guide).

Also in the guide you can look to use the http or https protocols as well (new in Snap Drive 6.0).

But from your previous e-mails it looks like you have it right, you might just want to check the groups the accounts are in against the Admin guide.

Ray LaMarca

Technical Partner Manager

 

Raymond.Lamarca@netapp.com

http://www.netapp.com

W: 847-430-6547

C:847-529-8931

 

Got questions? Get answers in the Partner Network.

http://communities.netapp.com/community/netapp_partners_network

ianaforbes
7,321 Views

Hi Raymond

Thanks for the reply. Yes, I think I've read that guide many time now . The snapdrive account I created on the Windows host is a local account that I added to the local administrators group on the windows host.

The snapdrive account I created on the filer is the same name (snapdrive) as the windows host account. I used the following command to create it:

useradmin user add snapdrive -g Administrators

I have chosen to use RPC transport. Something I noticed:

Considerations

You might need to use pass-through authentication for one of the following reasons:

You do not have a domain controller available.

You want to install your Windows host as a stand-alone server in a workgroup environment without

any dependency on another system for authentication, even if there is a domain controller available.



Your Windows host and the storage system are in two different domains.

Your Windows host is in a domain and you want to keep the storage system in a workgroup with

Now, my windows host is in a domain. The filer doesn't have CIFS so I've never run CIFS setup. Is the filer automatically in a workgroup if I don't run CIFS setup? Would pass through authentication still be vaild for my situation?

Lastly, would I have to log into the Windows host as the local snapdrive service account I created in order to install snapdrive, or would logging into the windows host with a domain account and later specifying the local snapdrive account during install be sufficient?





ianaforbes
6,776 Views

I'm officially defeated. I've tried EVERYTHING to get what's supposed to be a simple process to work and keep getting access denied when trying to create a disk via snapdrive. I've tried all different transports and the same thing. I've no idea what could be the problem at this point. Incredibly disappointing to say the least. Even the Windows event logs just say access denied...very informative.

ianaforbes
7,579 Views

Hi Asif

I just reset the snapdrive account on the filer and still get the same access denied on the Snapdrive console when I try and create a disk. Could you please step through your steps that you did to get this to work? I'd really appreciate it.

Thanks

arqureshi
7,034 Views

Hi Ian,

Here are the steps I completed

On Windows server

Disabled the windows firewall service

Enabled the ssdp and upnp servive

added web server role and IIS

created a domain account called "snapdrive" and add it to the local admins group

ran snapdrive setup and add the snapdrive account during the setup

On storage controller

ran cifs setup and joined to workgroup

created a local account called snapdrive and added it to the administrators group (your syntax is correct)

set the password for snapdrive same as the domain\snapdrive account

I'll confirm to make sure that we did end up using that domain account and post my reply tomorrow.

if you issue useradmin user list command, do you see the user account

ianaforbes
6,776 Views

Hi Asif

You created a domain account? I thought the docs stated to create a local snapdrive account:



On each Windows host that needs access to the storage system, create a local user account with

administrative rights on the host, using the same user name and password that you speci

fied in Step

1 and Step 2.



Tip:

Set up the local user account so that the password for the account never expires.

I'll try a domain user account instead and see if that makes a difference.

I don't have a CIFS license at all. Therefore, is the filer automatically in a workgroup or does the filer NEED a CIFS license in order to be part of a workgroup? The bigger question would be, does pass through authentication work without a CIFS license on the filer AND therefore never having run CIFS setup?

Where in 2008 do you enable ssdp and upnp?

Thanks





ianaforbes
7,034 Views

Asif

You are a genious my friend! Netapp needs to change their documentation on pass through authentication immediatly. It specifically states to create a local user acount on the Windows host and add it to the local administrators group on the host. That is 100% incorrect.

What worked was when I created a domain account and added that domain account to the local administrators group. I then changed the snapdrive service to log on with this domain account and voila...no more access denied.

It'd be great if Netapp refreshed their documenation once in awhile, especially when dealing with a new OS. What might have worked in Windows 2000/2003 doesn't necessarily mean it'll work with 2008.

Thanks again Asif and Raymond for the help.

Cheers

arqureshi
6,776 Views

Hey Ian,

I'm glad it is working for you. You are welcome

jjakowski
7,034 Views

Hi Ian -

Would you mind detailing your entire setup?  We are running into the same issue, although it's on a SQL cluster, not on Exchange.

Thanks

Justin

ianaforbes
6,689 Views

Hi Justin

My setup was exactly as I described at the beginning of this post. I followed the pass through authentication to a tee, as described in the snapdrive docs. I thiught I had gotten it working (as announced earlier) but was wrong. I've found the only way to get it working was with a CIFS license, and both filer and host joined to the same domain. I couldn't get it to work otherwise. I had opened a ticket with Netapp support and that went knowhere fast.

The folks within the community are very knowlwdgeable. The support folks.....are not.

Cheers

jjakowski
6,689 Views

Thanks Ian.  I am quickly coming to the same conclusion, both about support and setting up pass through authentication.  I have also tried HTTP(S), or web authentication as well and unfortunatly that just generates a different error "A security package specific error occurred."

Guess I will look into adding these to the domain.

ianaforbes
6,689 Views

What is you setup btw? I'm thinking this could be a bug. I have gotten it to work back in the day using Windows 2000/Snapdrive 3.X. I haven't tried it since and wonder if it even still works. Are you also running Windows 2008/Snapdrive 6.X?

jjakowski
6,689 Views

OnTap 7.3P6

Windows Server 2008 x64 Node and Disk Majority cluster

SQL Server 2008

2003 AD in Native Mode

Snapdrive 6.0.1

FWIW, we did get this to work with a 2008 x64 file share witness cluster running Exchange 2007 by setting one node to a local account and the other node to a domain account.  Nothing seems to help the Disk Majority cluster though.

We have decided to join the controllers to the domain and see what happens.

Thanks again.

Justin

arqureshi
6,613 Views

Hey Justin,

I actually prefer joining the controllers to the domain (this way do don't have to maintain 2 sets of SnapDrive accounts) In the setup I mentioned on this thread I did not have the option to do that so I ran CIFS setup and joined the controller to the workgroup. Are you getting access denied trying to browse the controller using SnapDrive? Here is the way I have it setup

Storage controllers joined to the workgroup CIFS running (you can do this even if you don't have a CIFS license. NetApp provides this scaled down version of CIFS to use with SnapDrive 5 (as long as you have FCP licensed)

Windows x64 servers (clusters Exchange and SQL) joined to the customer domain

Created a domain account called snap.drive and added it to the local administrators groups on the windows servers

Created a local account called sna.drive and added it to the local administrators group on the NetApp controllers (make user password for both accounts is the same)

Restarted SnapDrive service on the Windows server

I do have data on tap 7.2.6 running at this customer so not sure if that make a difference or not

Asif



Public