https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/Inconsistent-Behavior-AD-Authenticated-vServer-and-Domain-Tunnel/m-p/152367#M27357 <P>Hi</P> <P>&nbsp;</P> <P>There's a few commands here to clear the different caches.</P> <P><A href="https://kb.netapp.com/app/answers/answer_view/a_id/1002483/loc/en_US" target="_blank">https://kb.netapp.com/app/answers/answer_view/a_id/1002483/loc/en_US</A> -&nbsp; What is the command to expire credential cache in clustered Data ONTAP 8.2.1?&nbsp;</P> Mon, 18 Nov 2019 14:44:28 GMT GidonMarcus 2019-11-18T14:44:28Z https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/Inconsistent-Behavior-AD-Authenticated-vServer-and-Domain-Tunnel/m-p/152275#M27339 <P>Hello,</P> <P>&nbsp;</P> <P>We're using a vServer that's authenticated to our domain controller with AD integration. We create a domain tunnel and then give users in a specified group login rights to the cluster.</P> <P>&nbsp;</P> <P>We're seeing that when we remove a user from the same group that was given cluster login rights (while forcing replication on domain controller), the user is still able to login for about 20 minutes afterward.&nbsp;</P> <P>&nbsp;</P> <P>When we disable the account the intended effect is immediate. The user cannot login.</P> <P>&nbsp;</P> <P>Also, if we remove the user from the group, disable the account, the user will not be able to login. But as soon as it is re-enabled they can login.</P> <P>&nbsp;</P> <P>Every command I've tried for clearing kerberos cache or otherwise doesn't affect the results. Anyone have advice on a command that works to do this?</P> <P>&nbsp;</P> <P>Also, I want to point out that I have verified that the forced AD replication is occuring immediately on the secondary domain controllers. So I believe this to be&nbsp; a problem on the NetApp side.</P> <P>&nbsp;</P> <P>Thanks</P> Wed, 04 Jun 2025 12:08:45 GMT https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/Inconsistent-Behavior-AD-Authenticated-vServer-and-Domain-Tunnel/m-p/152275#M27339 StorageNob 2025-06-04T12:08:45Z https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/Inconsistent-Behavior-AD-Authenticated-vServer-and-Domain-Tunnel/m-p/152367#M27357 <P>Hi</P> <P>&nbsp;</P> <P>There's a few commands here to clear the different caches.</P> <P><A href="https://kb.netapp.com/app/answers/answer_view/a_id/1002483/loc/en_US" target="_blank">https://kb.netapp.com/app/answers/answer_view/a_id/1002483/loc/en_US</A> -&nbsp; What is the command to expire credential cache in clustered Data ONTAP 8.2.1?&nbsp;</P> Mon, 18 Nov 2019 14:44:28 GMT https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/Inconsistent-Behavior-AD-Authenticated-vServer-and-Domain-Tunnel/m-p/152367#M27357 GidonMarcus 2019-11-18T14:44:28Z https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/Inconsistent-Behavior-AD-Authenticated-vServer-and-Domain-Tunnel/m-p/152449#M27370 <P>Thanks for that, unfortunately none of those commands worked. Users removed from a security group could still log in for upt o 20 minutes on our NetApp systems.</P> <P>&nbsp;</P> <P>I have a ticket open with support but I wasn't really getting the answers I was looking for so I came here. So far removing the security group entirely from the vsadmin role and then re-adding it back in is all I can get working. But that seems to defy the point.</P> <P>&nbsp;</P> <P>security login delete -vserver &lt;cluster&gt; -user-or-group-name "&lt;domain&gt;\<SPAN style="display: inline !important; float: none; background-color: transparent; color: #3e3e3e; cursor: text; font-family: 'Source Sans Pro','Lato','Helvetica Neue','Helvetica','Arial','sans-serif'; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 300; letter-spacing: normal; line-height: 27.42px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px;">securitygroupname</SPAN>" -application ssh -authentication-method domain<BR />security login delete -vserver &lt;cluster&gt; -user-or-group-name "&lt;domain&gt;\<SPAN style="display: inline !important; float: none; background-color: transparent; color: #3e3e3e; cursor: text; font-family: 'Source Sans Pro','Lato','Helvetica Neue','Helvetica','Arial','sans-serif'; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 300; letter-spacing: normal; line-height: 27.42px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px;">securitygroupname</SPAN>" -application http -authentication-method domain<BR />security login delete -vserver &lt;cluster&gt; -user-or-group-name "&lt;domain&gt;\<SPAN style="display: inline !important; float: none; background-color: transparent; color: #3e3e3e; cursor: text; font-family: 'Source Sans Pro','Lato','Helvetica Neue','Helvetica','Arial','sans-serif'; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 300; letter-spacing: normal; line-height: 27.42px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px;">securitygroupname</SPAN>" -application ontapi -authentication-method domain<BR />security login create -vserver &lt;cluster&gt; -user-or-group-name "&lt;domain&gt;\<SPAN style="display: inline !important; float: none; background-color: transparent; color: #3e3e3e; cursor: text; font-family: 'Source Sans Pro','Lato','Helvetica Neue','Helvetica','Arial','sans-serif'; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 300; letter-spacing: normal; line-height: 27.42px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px;">securitygroupname</SPAN>" -application ssh -authentication-method domain<BR />security login create -vserver &lt;cluster&gt; -user-or-group-name "&lt;domain&gt;\<SPAN style="display: inline !important; float: none; background-color: transparent; color: #3e3e3e; cursor: text; font-family: 'Source Sans Pro','Lato','Helvetica Neue','Helvetica','Arial','sans-serif'; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 300; letter-spacing: normal; line-height: 27.42px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px;">securitygroupname</SPAN>" -application http -authentication-method domain<BR />security login create -vserver &lt;cluster&gt; -user-or-group-name "&lt;domain&gt;\securitygroupname" -application ontapi -authentication-method domain</P> <P>&nbsp;</P> <P>I think that's overkill though.</P> Wed, 20 Nov 2019 12:10:18 GMT https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/Inconsistent-Behavior-AD-Authenticated-vServer-and-Domain-Tunnel/m-p/152449#M27370 StorageNob 2019-11-20T12:10:18Z