Network and Storage Protocols

CIFS SID to UID , Linux permission denied.

ZELJKO_MIL
4,702 Views

Greetings people.

I have a AD forest with several DCs. In one location one of the DCs were tombstoned so I forced a removal of this DC and promoted another one. This DC has no FSMO roles holding.

After this action, maybe it is not related the access from the Linux machines to the CIFS shares , mounted like NFS is not possible. The filers that are having problems are connected on the PDC with all roles that is not affected with demotion.

All of the Centos Linux servers are joined in the domain Forest. And all the linux clients could successfully access the CIFS shares since yesterday.

I know that the best practice is not to use the CIFS shares for Windows and Linux access, but this was designd before me, so I have inherited this setup.

The netapp volume is configured with NTFS security style. And also an export is configured for the NFS share for the same CIFS share.

On the linux side, when I use the ID command, the UID and GID from the DC domain Unix attribute is read ok. I see the numbers. But when I access the NFS shares I get the permission denied.

I am using the AUTOFS on the linux side. From the windows side everything is working ok. From the linux side the "pure" nfs shares-dedicated are functioning ok.

When I do the cifs testdc and cifs resetdc and cifs domaininfo everything is ok there.The filer is connected succesfully to the LDAP server and can see all the domain controllers.

I did not change anything in the /etc/usermap.cfg file, from before settings that worked.

This could be some mapping synchronization from Netapp and AD for the Unix/Linux users.
Or something else.

I have seend in the ldap options that a dedicated user accound is created on Netapp. And this configuration I did not change also.

Any ideas would be appreciated.

 

I did rejoining to the domain the filer, with CIFS setup. Also I have checked the usermap.cfg file it has the mapping there from before.

The linux boxes succcessfully connect to the domain and get the UID from the AD Unix attributes, and also the netapp filer chooses the DC.

Also I checked the qtrees and the volumes and the shares are not using a mixed style, they are eather UNIX or NTFS.

Some change in AD, or something needs to be resynced. I did manage to flush the cifs cache, and also when I check the with wcc -s user01 I get his info from AD

with every user having a UID of UNIX uid = 65534, as a pc user. Also I do not get them with wcc -u, no passwd entry.

Any help would be appreciated.

 

Thanks in advance

3 REPLIES 3

ZELJKO_MIL
4,696 Views

I did also the rejoin to AD. Testdc and prefdc are working. I checked the /etc/usermap.cfg file but there is everything ok configured. When Linux users want to access the Netapp exports, they use a mechanism to conver the UIDs to SIDs and vice versa, but then is when I get the permission denied , because I think that the Netapp cannot get this info from the AD. I was thinking that my Data Ontap 8.03 is not compatible any more with the 2008 R2 forest, but that is not the case I think. Also what I did is to flush the cifs sid cache, and when I do the wcc -s user01 I get the info from AD but when I do wcc -u user01 I get no passwd entry. The linux domain users have a unix attribute in the Active Directory with the uui numbe and shell. This is not changed. Maybe something in the AD Forest needs to be modified, or something on the Netapp side updated or resynced.

ZELJKO_MIL
4,680 Views

One more update, I have noticed that the /etc/passwd file is empty. It cannot be synced with the AD.

Is there some options to find this.

aborzenkov
4,676 Views

I have noticed that the /etc/passwd file is empty. It cannot be synced with the AD. Is there some options to find this.

No. And never existed. /etc/passwd is for local users; if you want to use AD you need to turn on LDAP for user UNIX lookup.

Public