Network and Storage Protocols

Single user cannot access Filer

tjohnston
3,546 Views

I'm running an FAS2020 filer on a Domain.  I've got the Filer on the domain so users in my Active Directory are authenticated with the filer.  I've got CIFS shares set up as well as other network drives.

I'm having problems with a single user not being able to access the Filer on multiple machines.  I'm using a GPO on the domain to set Registry entries for the drive mapping.  The mapped drives return an error "no mapping between account names and security IDs was done".  If I try to access the filer directly via UNC path it says "Windows cannot find <filer>". 

I've logged on the same machine with other Users and have no trouble, and logged onto other machines as the problem user and get the same problems.

I'm not having any trouble with any other users on the domain. There's nothing setup on the Netapp for any user specifically.  All of the authentication is done through the Active directory.  The user is having no problems connecting to Email, Sharepoint, or any other system on the Active Directory.

Any ideas on what I can do to fix this problem?

3 REPLIES 3

adamfox
3,546 Views

Try turning on the following option:

cifs.trace_login

Then watch the console when the user in question tries to login.  That information will be useful in troubleshooting this.

tjohnston
3,546 Views

Thanks for the tip Adam.  I logged into the Netapp via Telnet and saw an error message about the time being more than 5 minutes different that the Domain.  I reset the Filer clock to be in sync with the Domain and that seems to have resolved my issue.

I'm not 100% sure why a single user would be effected by this clock issue.  The only thing different about this one user was being out of the office all last week.  I'm hypothesizing that the clock got more than 5 minutes during the week the user was out, and other users weren't effected because they were logging in during that time.  Does that make since?

Regardless of why, reseting the clock seems to have resolved the issue.

adamfox
3,546 Views

Actually it does make sense as the other users were most likely already authenticated and were working off of cached credentials.  Your one user who was out of the office had to authenticate and with a > 5 minute clock skew from the AD server, Kerberos breaks.

Glad you're up and working.  In general, if you have an NTP service running on your AD server, it's not a bad idea to sync the NetApp to it.  Or they can both sync to a common NTP server.

Public