vsadmin/user authentication against AD via ldap only?

Hello all,

I'm currently trying to get vsadmin authentication, against AD, working without using a CIFS enabled SVM. My LDAP queries seem to be working just fine when debugging things with secd. However, I just can't get the actual logging in to work for the other engineers.

Is what I want even possible? All I've found on what I want is at the bottom of page 117 of the ONTAP sysadmin guide for 8.3. However, what I'm actually doing is LDAP authentication that happens to be coming from my AD server (could just as well be OpenLDAP). Does anyone have an idea what could be happening here?

The error I'm encountering is:

clust-dr-1::*> diag secd name-mapping show -node clust-dr-1a  -vserver clust-dr-1-backup -direction unix-win sjoerdoo

Vserver: clust-dr-1-backup (internal ID: 2)

Error: RPC map name request procedure failed
  [  1 ms] Using a cached connection to <removed ip>
  [     3] Trying to map 'sjoerdoo' to Windows user
           'MYDOMAIN\sjoerdoo' using LDAP
  [     4] 'CifsServerSecurity' configuration not available
  [     4] Could not find Windows name 'MYDOMAIN\sjoerdoo'
**[     4] FAILURE: Name mapping for UNIX user 'sjoerdoo' failed
**         with transient errors.

Error: command failed: Failed to find mapping for the user. Reason: "SecD Error: The mapping operation
       failed due to some transient failure".

The 8.3 cdot admin guide says:

 Authentication methods for user accounts: Windows Active Directory authentication (domain)

    • For Windows Active Directory authentication, a CIFS server must be created for the Storage Virtual Machine (SVM), and Windows domain users or groups must be mapped to access-control roles by using the security login create command with the -authmethod parameter set to domain for the cluster and SVM access.
      In addition, to authenticate Windows Active Directory domain users or groups for cluster access, a tunnel must be set up through a CIFS-enabled SVM.