topic NFS authentication problem in ONTAP Discussions

NFS authentication problem

HUX20002000 — Wed, 23 Apr 2025 16:15:57 GMT

My NetApp (FAS2720 running ONTAP 9.13.1P8) is receiving this authetication error roughly every two hours. I think, but I haven't yet been able to confirm, that the request is coming from a Solaris system. It looks like, under the hood, the NetApp is mapping its *NIX login to a Windows user for the purpose of domain authentication and that it's getting most of the way there but then failing at the end (bold text).

Does anyone know how to resolve this?

Here's the error text (personal info redacted):

Severity: LOG_ERR

Message: secd.nfsAuth.noCifsCred: vserver (svmfile01) NFS authorization
cannot retrieve CIFS credentials. Error: Get user credentials procedure failed
[ 0 ms] Determined UNIX id 65534 is UNIX user 'pcuser'
[ 25] UNIX user 'pcuser' mapped to Windows user 'EXAMPLE\guest'
[ 26] Successfully connected to ip 192.168.1.5, port 445 using TCP
[ 32] Successfully authenticated with DC dc1.example.com
[ 41] Encountered NT error (NT_STATUS_PENDING) for SMB command Read
[ 45] Found Windows name 'EXAMPLE\guest'
[ 49] Successfully connected to ip 10.1.1.5, port 88 using TCP
**[ 59] FAILURE: Could not get credentials via S4U2Self based on full Windows
user name 'guest@EXAMPLE.COM'. Access denied.
[ 59] Could not get credentials for Windows user 'guest' or SID
'[SID]'

Description: This message occurs when an NFS authorization attempt fails because
of the inability of the system to retrieve a matching CIFS credential for use in
multi-protocol security operations.

Action: Examine the failure details to determine corrective action. This failure
usually occurs because the system is unable to communicate with Active
Directory.

Re: NFS authentication problem

chenguanghui — Thu, 24 Apr 2025 06:06:58 GMT

hello:

Use the command `vserver export-policy check-access -vserver <vserver> -volume <volume> -client-ip <clientIP> -auth <auth_type> -proto <proto> -access-type <type>` to check if there is an export rule that allows the client to obtain access rights. This link can help you quickly troubleshoot the problem.

https://kb-cn.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/secd_nfsAuth_noCifsCred_error_when_accessing_an_NTFS_secured_volume_via_NFS_in_ONTAP

Best regards.

Re: NFS authentication problem

parisi — Thu, 24 Apr 2025 15:28:08 GMT

A few things here...

- If the UNIX user attempting access is 65534 on the client, then that translates to the default UNIX user pcuser, which will not map to a valid Windows user in most cases

- The UNIX user 65534 can sometimes be a case of the export policy rule squashing root access to anonymous. Check your rules to see how they handle root. If you want root to be root, set superuser to "any."

- If this happens every two hours, there's likely a scheduled job running. The client IP address should be in the error being sent, so check the client for what it is doing.