https://community.netapp.com/t5/Ask-The-Experts/AD-Security-Groups-unable-to-login-to-cluster-on-NetApp-9-4/m-p/146316#M348 <P>Thanks Vijay,&nbsp;</P> <P>as stated in my comments for Marcus it's able to display all the Groups Memberships that this particular account is part of.</P> <P>I've also opened a support request as well and will update the thread with the solution.</P> Thu, 31 Jan 2019 07:23:06 GMT SHASHIKG87 2019-01-31T07:23:06Z https://community.netapp.com/t5/Ask-The-Experts/AD-Security-Groups-unable-to-login-to-cluster-on-NetApp-9-4/m-p/146150#M335 <P>Hello,</P> <P>I'm trying to setup Active Directory access across my NetApp environment.&nbsp;</P> <P>1. Created a domain tunnel which had CIFS enabled&nbsp;</P> <P>&nbsp; &nbsp; security login domain tunnel create -vserver&nbsp;SVM101 (CIFS enabled)</P> <P>2. Added user name with ssh, ontapi, http&nbsp;</P> <P>&nbsp; &nbsp; security login create -vserver&nbsp;nas101 DOMAIN\username -application ssh -authentication-method domain</P> <P>&nbsp; &nbsp;&nbsp;<SPAN>security login create -</SPAN>vserver<SPAN>&nbsp;nas101 DOMAIN\username -application ontapi -authentication-method domain</SPAN></P> <P><SPAN>&nbsp; &nbsp; security login create -vserver&nbsp;nas101 DOMAIN\username -application http -authentication-method domain</SPAN></P> <P><SPAN>3. Now both ssh, GUI works perfectly fine for this username&nbsp;</SPAN></P> <P><SPAN>4. But when I try to add a security group this doesn't seem to work, no members of that security groups are unable to login.</SPAN></P> <P><SPAN>5. Added Group Nmae&nbsp;with ssh, ontapi, http&nbsp;</SPAN></P> <P><SPAN>&nbsp; &nbsp; &nbsp;security login create -vserver&nbsp;nas101 DOMAIN\GROUP-NAME -application ssh -authentication-method domain</SPAN></P> <P><SPAN>&nbsp; &nbsp;&nbsp;&nbsp;security login create -vserver&nbsp;nas101 DOMAIN\GROUP-NAME -application ontapi -authentication-method domain</SPAN></P> <P><SPAN>&nbsp; &nbsp; &nbsp;security login create -vserver&nbsp;nas101 DOMAIN\GROUP-NAME -application http -authentication-method domain</SPAN></P> <P><SPAN>I'm not sure what exactly is the problem here as individual ad accounts are working but not group accounts.</SPAN></P> <P>&nbsp;</P> <P><SPAN>NetApp Version</SPAN></P> <P><SPAN>Release 9.4.P1</SPAN></P> <P>&nbsp;</P> <P><SPAN>Any articles related&nbsp;to this would be of great help.</SPAN></P> <P><SPAN>IMP:</SPAN></P> <P><SPAN>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;services dns show -vserver&nbsp;abc101(SVM)</SPAN></P> <P><SPAN>has proper DNS, name servers, domains defined.</SPAN></P> <P><SPAN>&nbsp; &nbsp; &nbsp; &nbsp; ntp server show&nbsp;</SPAN></P> <P><SPAN>&nbsp;has proper AD DC's configured.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks</SPAN></P> <P><SPAN>Shashi</SPAN></P> Thu, 24 Jan 2019 08:16:39 GMT https://community.netapp.com/t5/Ask-The-Experts/AD-Security-Groups-unable-to-login-to-cluster-on-NetApp-9-4/m-p/146150#M335 SHASHIKG87 2019-01-24T08:16:39Z https://community.netapp.com/t5/Ask-The-Experts/AD-Security-Groups-unable-to-login-to-cluster-on-NetApp-9-4/m-p/146301#M345 <P>Hi</P> <P>&nbsp;</P> <P>can you confirm the filer see the groups correctly and you input it in the same way?</P> <PRE>set diag; secd authentication show-creds -node NODE -vserver VSERVER -win-name DOMAIN\USER</PRE> <P>&nbsp;</P> <P>Gidi</P> Wed, 30 Jan 2019 14:55:06 GMT https://community.netapp.com/t5/Ask-The-Experts/AD-Security-Groups-unable-to-login-to-cluster-on-NetApp-9-4/m-p/146301#M345 GidonMarcus 2019-01-30T14:55:06Z https://community.netapp.com/t5/Ask-The-Experts/AD-Security-Groups-unable-to-login-to-cluster-on-NetApp-9-4/m-p/146311#M346 <P>Hi Shashi,</P> <P>There are few things we can check <BR />1) Do not add Active Directory group accounts in ONTAP that have a common (sub)set of users<BR />eg. when an Active Directory group is assigned the "admin" role and an user from that group is assigned a another role in ONTAP.</P> <P>2) Remove the Active Directory groups from ONTAP, and add them back with the domain identifier in upper case<BR />eg. If the domain is "DOMAIN" and user is "user1", the admin account configured at ONTAP as "domain\user1"</P> <P>3) we can check if we are able to the user information from DC:<BR />::&gt; set d -c off<BR />::*&gt; diag secd authentication show-creds -node &lt;node_hosting_lif&gt; -vserver &lt;svm&gt; -win-name &lt;domain\username&gt;</P> <P>&nbsp;</P> <P>The problem could be with the PAM&nbsp; modeule or with the DC connections. With debug logging done in PAM and in secd along with packet traces we can find why authentication for a user from the group added to security login is failing.</P> <P>I would suggest to open a support ticket for further investigation.&nbsp;</P> <P>&nbsp;</P> <P>Thanks</P> <P>Vijay</P> Thu, 31 Jan 2019 03:29:18 GMT https://community.netapp.com/t5/Ask-The-Experts/AD-Security-Groups-unable-to-login-to-cluster-on-NetApp-9-4/m-p/146311#M346 Vijay_ramamurthy 2019-01-31T03:29:18Z https://community.netapp.com/t5/Ask-The-Experts/AD-Security-Groups-unable-to-login-to-cluster-on-NetApp-9-4/m-p/146315#M347 <P>Thanks Marcus,</P> <P>I ran this command and it's able to show all windows user DOMAIN\username and list all Domain Memberships that this account is part of.&nbsp;</P> <P>It also displayed the security group that is been used for providing ssh, ontapi and http access.</P> <P>&nbsp;</P> <P>Note: Individual AD user accounts added still works perfectly. Only Security Group accounts failing to authenticate.</P> <P>&nbsp;</P> <P>Thanks</P> <P>Shashi</P> Thu, 31 Jan 2019 07:21:00 GMT https://community.netapp.com/t5/Ask-The-Experts/AD-Security-Groups-unable-to-login-to-cluster-on-NetApp-9-4/m-p/146315#M347 SHASHIKG87 2019-01-31T07:21:00Z https://community.netapp.com/t5/Ask-The-Experts/AD-Security-Groups-unable-to-login-to-cluster-on-NetApp-9-4/m-p/146316#M348 <P>Thanks Vijay,&nbsp;</P> <P>as stated in my comments for Marcus it's able to display all the Groups Memberships that this particular account is part of.</P> <P>I've also opened a support request as well and will update the thread with the solution.</P> Thu, 31 Jan 2019 07:23:06 GMT https://community.netapp.com/t5/Ask-The-Experts/AD-Security-Groups-unable-to-login-to-cluster-on-NetApp-9-4/m-p/146316#M348 SHASHIKG87 2019-01-31T07:23:06Z https://community.netapp.com/t5/Ask-The-Experts/AD-Security-Groups-unable-to-login-to-cluster-on-NetApp-9-4/m-p/146317#M349 <P>Welcome Shashi.</P> <P>Since the show-creds command worked , SVM-&gt; DC connections are fine.</P> <P>I would suggest to try the option 1) and 2) which i provided in my previous post and check if that resolves the issue.&nbsp;</P> <P>&nbsp;</P> <P>Thanks</P> <P>Vijay</P> Thu, 31 Jan 2019 07:58:26 GMT https://community.netapp.com/t5/Ask-The-Experts/AD-Security-Groups-unable-to-login-to-cluster-on-NetApp-9-4/m-p/146317#M349 Vijay_ramamurthy 2019-01-31T07:58:26Z