Hi

can you confirm the filer see the groups correctly and you input it in the same way?

set diag; secd authentication show-creds -node NODE  -vserver  VSERVER -win-name DOMAIN\USER

Gidi

Hi Shashi,

There are few things we can check
1) Do not add Active Directory group accounts in ONTAP that have a common (sub)set of users
eg. when an Active Directory group is assigned the "admin" role and an user from that group is assigned a another role in ONTAP.

2) Remove the Active Directory groups from ONTAP, and add them back with the domain identifier in upper case
eg. If the domain is "DOMAIN" and user is "user1", the admin account configured at ONTAP as "domain\user1"

3) we can check if we are able to the user information from DC:
::> set d -c off
::*> diag secd authentication show-creds -node <node_hosting_lif> -vserver <svm> -win-name <domain\username>

The problem could be with the PAM  modeule or with the DC connections. With debug logging done in PAM and in secd along with packet traces we can find why authentication for a user from the group added to security login is failing.

I would suggest to open a support ticket for further investigation. 

Thanks

Vijay

Thanks Marcus,

I ran this command and it's able to show all windows user DOMAIN\username and list all Domain Memberships that this account is part of. 

It also displayed the security group that is been used for providing ssh, ontapi and http access.

Note: Individual AD user accounts added still works perfectly. Only Security Group accounts failing to authenticate.

Thanks

Shashi

Thanks Vijay, 

as stated in my comments for Marcus it's able to display all the Groups Memberships that this particular account is part of.

I've also opened a support request as well and will update the thread with the solution.

Welcome Shashi.

Since the show-creds command worked , SVM-> DC connections are fine.

I would suggest to try the option 1) and 2) which i provided in my previous post and check if that resolves the issue. 

Thanks

Vijay