https://community.netapp.com/t5/ONTAP-Discussions/Cmode-8-3-multi-protocol-in-a-multi-domain-setup/m-p/99709#M20266 <P>Hi all,</P><P>&nbsp;</P><P>We have joined the 8.3 C-Mode simulator to a domain called A.DOMAIN.NET, additionally there is a LDAP binding for mapping linux accounts with AD accounts. This works perfect for accounts, which are in the same domain (a.domain.net), but unfortunately we have two separate domain forests with trusts between. The main part of the users are in different domains&nbsp;(e.g. in b.domain.net or c.domain.net) in the other forest:</P><P><IMG alt="23-01-2015 11-56-26.jpg" border="0" src="https://community.netapp.com/t5/image/serverpage/image-id/1901iFCB3B3B0B07C361D/image-size/large?v=mpbl-1&amp;px=-1" title="23-01-2015 11-56-26.jpg" /></P><P>&nbsp;</P><P>The mapping from a b.domain.net AD user to the UID works in theory, BUT Cmode cannot list the windows group memberships, so it stops completely:</P><P>&nbsp;</P><P><FONT face="courier new,courier">diag secd authentication show-creds -node node1 -vserver vserver1 -win-name username1@b.domain.net</FONT><BR /><FONT face="courier new,courier">Vserver: vserver1 (internal ID: 2)</FONT><BR /><BR /><FONT face="courier new,courier">Error: Get user credentials procedure failed</FONT><BR /><FONT face="courier new,courier">&nbsp; [&nbsp;&nbsp;&nbsp;&nbsp; 0] Windows user 'EUNET\username1' mapped to UNIX user</FONT><BR /><FONT face="courier new,courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 'username1'</FONT><BR /><FONT face="courier new,courier">&nbsp; [&nbsp;&nbsp;&nbsp;&nbsp; 0] Determined UNIX id 50665 is UNIX user 'username1'</FONT><BR /><FONT face="courier new,courier">&nbsp; [&nbsp;&nbsp;&nbsp;&nbsp; 1] Connecting to LDAP (Active Directory) server</FONT><BR /><FONT face="courier new,courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; adserver.a.domain.net (0.0.0.0)</FONT><BR /><FONT face="courier new,courier">&nbsp; [&nbsp;&nbsp;&nbsp;&nbsp; 1] Failed to initiate Kerberos authentication. Trying NTLM.</FONT><BR /><FONT face="courier new,courier">&nbsp; [&nbsp;&nbsp;&nbsp; 10] Connected to LDAP (Active Directory) service on</FONT><BR /><FONT face="courier new,courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; adserver.a.domain.net</FONT><BR /><FONT face="courier new,courier">&nbsp; [&nbsp;&nbsp;&nbsp; 10] Using a new connection to adserver.a.domain.net</FONT><BR /><FONT face="courier new,courier">**[&nbsp;&nbsp;&nbsp; 17] FAILURE: Cannot get credentials for SID</FONT><BR /><FONT face="courier new,courier">**&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 'S-1-5-21-329046322-854245398-839522115-1235216'. Cannot</FONT><BR /><FONT face="courier new,courier">**&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; determine AD domain name for 'EUNET'</FONT><BR /><BR /><FONT face="courier new,courier">Error: command failed: Failed to get user credentials. Reason: "SecD Error: cannot find domain mapping".</FONT></P><P>&nbsp;</P><P>On the other hand the mapping of a UID to a Windows AD account is not working, as Cmode is expecting that the user should be in the joined domain A.DOMAIN.NET. Mapping rules are not solving this problem, as the users are in different domains and it would not solve the group membership resolving.</P><P>&nbsp;</P><P>I think it has something to do with the mult-domain / trust setup - any AD/LDAP specialists knows more? Feedback would be much appreciated.</P><P>&nbsp;</P><P>Thanks &amp; regards</P><P>Phil</P> Mon, 26 Jan 2015 10:23:47 GMT philofiler 2015-01-26T10:23:47Z https://community.netapp.com/t5/ONTAP-Discussions/Cmode-8-3-multi-protocol-in-a-multi-domain-setup/m-p/99709#M20266 <P>Hi all,</P><P>&nbsp;</P><P>We have joined the 8.3 C-Mode simulator to a domain called A.DOMAIN.NET, additionally there is a LDAP binding for mapping linux accounts with AD accounts. This works perfect for accounts, which are in the same domain (a.domain.net), but unfortunately we have two separate domain forests with trusts between. The main part of the users are in different domains&nbsp;(e.g. in b.domain.net or c.domain.net) in the other forest:</P><P><IMG alt="23-01-2015 11-56-26.jpg" border="0" src="https://community.netapp.com/t5/image/serverpage/image-id/1901iFCB3B3B0B07C361D/image-size/large?v=mpbl-1&amp;px=-1" title="23-01-2015 11-56-26.jpg" /></P><P>&nbsp;</P><P>The mapping from a b.domain.net AD user to the UID works in theory, BUT Cmode cannot list the windows group memberships, so it stops completely:</P><P>&nbsp;</P><P><FONT face="courier new,courier">diag secd authentication show-creds -node node1 -vserver vserver1 -win-name username1@b.domain.net</FONT><BR /><FONT face="courier new,courier">Vserver: vserver1 (internal ID: 2)</FONT><BR /><BR /><FONT face="courier new,courier">Error: Get user credentials procedure failed</FONT><BR /><FONT face="courier new,courier">&nbsp; [&nbsp;&nbsp;&nbsp;&nbsp; 0] Windows user 'EUNET\username1' mapped to UNIX user</FONT><BR /><FONT face="courier new,courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 'username1'</FONT><BR /><FONT face="courier new,courier">&nbsp; [&nbsp;&nbsp;&nbsp;&nbsp; 0] Determined UNIX id 50665 is UNIX user 'username1'</FONT><BR /><FONT face="courier new,courier">&nbsp; [&nbsp;&nbsp;&nbsp;&nbsp; 1] Connecting to LDAP (Active Directory) server</FONT><BR /><FONT face="courier new,courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; adserver.a.domain.net (0.0.0.0)</FONT><BR /><FONT face="courier new,courier">&nbsp; [&nbsp;&nbsp;&nbsp;&nbsp; 1] Failed to initiate Kerberos authentication. Trying NTLM.</FONT><BR /><FONT face="courier new,courier">&nbsp; [&nbsp;&nbsp;&nbsp; 10] Connected to LDAP (Active Directory) service on</FONT><BR /><FONT face="courier new,courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; adserver.a.domain.net</FONT><BR /><FONT face="courier new,courier">&nbsp; [&nbsp;&nbsp;&nbsp; 10] Using a new connection to adserver.a.domain.net</FONT><BR /><FONT face="courier new,courier">**[&nbsp;&nbsp;&nbsp; 17] FAILURE: Cannot get credentials for SID</FONT><BR /><FONT face="courier new,courier">**&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 'S-1-5-21-329046322-854245398-839522115-1235216'. Cannot</FONT><BR /><FONT face="courier new,courier">**&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; determine AD domain name for 'EUNET'</FONT><BR /><BR /><FONT face="courier new,courier">Error: command failed: Failed to get user credentials. Reason: "SecD Error: cannot find domain mapping".</FONT></P><P>&nbsp;</P><P>On the other hand the mapping of a UID to a Windows AD account is not working, as Cmode is expecting that the user should be in the joined domain A.DOMAIN.NET. Mapping rules are not solving this problem, as the users are in different domains and it would not solve the group membership resolving.</P><P>&nbsp;</P><P>I think it has something to do with the mult-domain / trust setup - any AD/LDAP specialists knows more? Feedback would be much appreciated.</P><P>&nbsp;</P><P>Thanks &amp; regards</P><P>Phil</P> Mon, 26 Jan 2015 10:23:47 GMT https://community.netapp.com/t5/ONTAP-Discussions/Cmode-8-3-multi-protocol-in-a-multi-domain-setup/m-p/99709#M20266 philofiler 2015-01-26T10:23:47Z