Ask The Experts
Hello,
I'm trying to setup Active Directory access across my NetApp environment.
1. Created a domain tunnel which had CIFS enabled
security login domain tunnel create -vserver SVM101 (CIFS enabled)
2. Added user name with ssh, ontapi, http
security login create -vserver nas101 DOMAIN\username -application ssh -authentication-method domain
security login create -vserver nas101 DOMAIN\username -application ontapi -authentication-method domain
security login create -vserver nas101 DOMAIN\username -application http -authentication-method domain
3. Now both ssh, GUI works perfectly fine for this username
4. But when I try to add a security group this doesn't seem to work; none of that security group's members are able to log in.
5. Added Group Name with ssh, ontapi, http
security login create -vserver nas101 DOMAIN\GROUP-NAME -application ssh -authentication-method domain
security login create -vserver nas101 DOMAIN\GROUP-NAME -application ontapi -authentication-method domain
security login create -vserver nas101 DOMAIN\GROUP-NAME -application http -authentication-method domain
I'm not sure what exactly is the problem here, as individual AD accounts are working but not group accounts.
NetApp Version
Release 9.4.P1
Any articles related to this would be of great help.
IMP:
services dns show -vserver abc101(SVM)
has proper DNS, name servers, domains defined.
ntp server show
has proper AD DC's configured.
Thanks
Shashi
Hi
Can you confirm the filer sees the groups correctly and that you input them in the same way?
set diag; secd authentication show-creds -node NODE -vserver VSERVER -win-name DOMAIN\USER
Gidi
Thanks Marcus,
I ran this command and it's able to show the Windows user DOMAIN\username and list all domain memberships that this account is part of.
It also displayed the security group that is being used for providing ssh, ontapi and http access.
Note: Individual AD user accounts added still work perfectly. Only security group accounts are failing to authenticate.
Thanks
Shashi
Hi Shashi,
There are a few things we can check:
1) Do not add Active Directory group accounts in ONTAP that have a common (sub)set of users,
e.g. when an Active Directory group is assigned the "admin" role and a user from that group is assigned another role in ONTAP.
2) Remove the Active Directory groups from ONTAP, and add them back with the domain identifier in upper case,
e.g. if the domain is "DOMAIN" and the user is "user1", the admin account is configured in ONTAP as "domain\user1".
3) We can check if we are able to get the user information from the DC:
::> set d -c off
::*> diag secd authentication show-creds -node <node_hosting_lif> -vserver <svm> -win-name <domain\username>
The problem could be with the PAM module or with the DC connections. With debug logging enabled in PAM and in secd, along with packet traces, we can find why authentication for a user from the group added to security login is failing.
I would suggest opening a support ticket for further investigation.
Thanks
Vijay
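The two configuration pitfalls in Vijay's reply (a user holding an individual login while also belonging to a group that has its own login, and a domain identifier written in lower case) can be checked on paper before touching the SVM. The script below is an added example and is not NetApp code or anything from this thread; the login records and group memberships are constructed sample data shaped after the columns of `security login show` and the membership list that `secd authentication show-creds` prints, and the role values and group names are assumptions.

```python
"""Lint a set of ONTAP 'security login' entries for the two pitfalls named in
Vijay's post: AD group logins whose members also hold individual logins
(possibly with a different role), and domain identifiers not written in upper
case. Added example, not NetApp code; the entries and group memberships are
constructed sample data, not output from the poster's system."""

from collections import defaultdict

# Constructed sample records in the shape of 'security login show' columns:
# (vserver, user_or_group, application, authentication_method, role)
LOGIN_ENTRIES = [
    ("nas101", "DOMAIN\\username", "ssh", "domain", "admin"),
    ("nas101", "DOMAIN\\username", "http", "domain", "admin"),
    ("nas101", "DOMAIN\\GROUP-NAME", "ssh", "domain", "readonly"),
    ("nas101", "domain\\GROUP-NAME", "http", "domain", "readonly"),  # lower-case domain
    ("nas101", "DOMAIN\\OTHER-GROUP", "ssh", "domain", "admin"),
]

# Constructed sample memberships, as 'secd authentication show-creds' would
# list them per user (assumption: user -> set of group names).
GROUP_MEMBERSHIPS = {
    "DOMAIN\\username": {"DOMAIN\\GROUP-NAME", "DOMAIN\\OTHER-GROUP"},
    "DOMAIN\\user2": {"DOMAIN\\OTHER-GROUP"},
}


def split_principal(name):
    """'DOMAIN\\account' -> ('DOMAIN', 'account'); no backslash -> ('', name)."""
    domain, sep, account = name.partition("\\")
    return (domain, account) if sep else ("", name)


def canonical(name):
    """Compare principals with the domain part upper-cased (AD names are case-insensitive)."""
    domain, account = split_principal(name)
    return f"{domain.upper()}\\{account}" if domain else account


def find_lowercase_domains(entries):
    """Pitfall 2: entries whose domain identifier is not upper case, as written."""
    return sorted({name for _, name, *_ in entries
                   if split_principal(name)[0] != split_principal(name)[0].upper()})


def find_group_user_overlaps(entries, memberships):
    """Pitfall 1: users holding their own login entry while also belonging to
    a group that has one. Returns (user, group, user_roles, group_roles)."""
    roles = defaultdict(set)  # canonical principal -> roles across applications
    for _, name, _, _, role in entries:
        roles[canonical(name)].add(role)
    findings = []
    for user, groups in memberships.items():
        user_c = canonical(user)
        if user_c not in roles:
            continue  # access only via a group: no overlap
        for group in groups:
            group_c = canonical(group)
            if group_c in roles:
                findings.append((user_c, group_c,
                                 tuple(sorted(roles[user_c])),
                                 tuple(sorted(roles[group_c]))))
    return sorted(findings)


if __name__ == "__main__":
    for name in find_lowercase_domains(LOGIN_ENTRIES):
        print(f"domain not upper case: {name}")
    for user, group, ur, gr in find_group_user_overlaps(LOGIN_ENTRIES, GROUP_MEMBERSHIPS):
        tag = "ROLE MISMATCH" if ur != gr else "same role"
        print(f"{user} has own login ({ur}) and is in {group} ({gr}): {tag}")
```

To use it against a real SVM, replace the two constructed tables with the records from `security login show` and the group list that `show-creds` prints for each user who has an individual entry. Overlaps with differing roles are the case Vijay's point 1 describes; overlaps with the same role are still reported so the set of users covered by both a group and an individual entry is visible.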
Thanks Vijay,
As stated in my comments for Marcus, it's able to display all the group memberships that this particular account is part of.
I've also opened a support request as well and will update the thread with the solution.
Welcome Shashi.
Since the show-creds command worked, SVM -> DC connections are fine.
I would suggest trying options 1) and 2) which I provided in my previous post and checking if that resolves the issue.
Thanks
Vijay