Data Backup and Recovery
Hi
I am receiving the error message "error: user does not exist" when trying to add a user (snapdriveservice) to the domain users group on a filer
using the following command: "useradmin domainuser add DOMAIN.com\snapdriveservice -g administrators"
I have already successfully added the domain admin account (DOMAIN\administrator) to the administrators group on the filer!
I created a second account called "test" and had the same issue as above.
I tried the cifs lookup command on the snapdriveservice account and it replies "lookup failed" - however, it provides the SID for the administrator account.
However, when testing I was able to add the filer to the domain using the snapdriveservice account, so the filer can clearly communicate with it!
Any ideas what needs to be done to the snapdriveservice account before my filer will recognise it?
Thanks
Is that service account on the domain or a local NetApp user? If a local NetApp user, then if you created it with -g administrators it is already in the administrator group if you look at useradmin user list and it shows as an administrator.
Hi
It's a domain account.
The only account I can successfully add (and do the CIFS lookup command on) is the domain\administrator account.
What is the output of “cifs domaininfo” ?
This is a demo system BTW
cnetappDR> cifs domaininfo
NetBios Domain: CLADEMO
Windows 2003 Domain Name: clademo.com
Type: Windows 2003
Filer AD Site: Default-First-Site-Name
Not currently connected to any DCs
Preferred Addresses:
None
Favored Addresses:
192.168.10.1 CLADC PDCBROKEN
Other Addresses:
None
Connected AD LDAP Server: \\cladc.clademo.com
Preferred Addresses:
None
Favored Addresses:
192.168.10.1
cladc.clademo.com
Other Addresses:
None
cnetappDR>
Not connected to any DCs… does “cifs resetdc” fix that? It sees the LDAP server but no AD... not sure why.
Hi
So if I do that I get the below.
Interesting about the TCP connection.
cnetappDR>
cnetappDR> cifs resetdc
Thu Apr 12 16:34:07 BST [auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Starting DC address discovery for CLADEMO.
Thu Apr 12 16:34:07 BST [auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 1 addresses using DNS site query (Default-First-Site-Name)..
Thu Apr 12 16:34:07 BST [auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 1 addresses using generic DNS query.
Thu Apr 12 16:34:07 BST [auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- DC address discovery for CLADEMO complete. 1 unique addresses found.
Thu Apr 12 16:34:07 BST [cifs.server.infoMsg:info]: CIFS: Warning for server \\CLADC: Could not make TCP connection.
Thu Apr 12 16:34:07 BST [auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Starting AD LDAP server address discovery for CLADEMO.COM.
Thu Apr 12 16:34:07 BST [auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Found 1 AD LDAP server addresses using DNS site query (Default-First-Site-Name).
Thu Apr 12 16:34:07 BST [auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Found 1 AD LDAP server addresses using generic DNS query.
Thu Apr 12 16:34:07 BST [auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- AD LDAP server address discovery for CLADEMO.COM complete. 1 unique addresses found.
THEN ANOTHER CIFS DOMAININFO
cnetappDR>
cnetappDR> cifs domaininfo
NetBios Domain: CLADEMO
Windows 2003 Domain Name: clademo.com
Type: Windows 2003
Filer AD Site: Default-First-Site-Name
Not currently connected to any DCs
Preferred Addresses:
None
Favored Addresses:
192.168.10.1 CLADC PDCBROKEN
Other Addresses:
None
Connected AD LDAP Server: \\cladc.clademo.com
Preferred Addresses:
None
Favored Addresses:
192.168.10.1
cladc.clademo.com
Other Addresses:
None
cnetappDR>
Looks like it fixed it… does cifs lookup work now? Could also be the 5 minute time difference but wouldn’t authenticate at all if more than a 5 min skew
Hi
Not sure - it still says not connected to any DCs and the lookup doesn't work.
It's this bit highlighted in bold that interests me - as this is the end of the DC connection section and it states that it could not make TCP connection.
This is a brand new DC - I created it earlier today - no firewalls etc.
Thu Apr 12 16:34:07 BST [auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Starting DC address discovery for CLADEMO.
Thu Apr 12 16:34:07 BST [auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 1 addresses using DNS site query (Default-First-Site-Name)..
Thu Apr 12 16:34:07 BST [auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 1 addresses using generic DNS query.
Thu Apr 12 16:34:07 BST [auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- DC address discovery for CLADEMO complete. 1 unique addresses found.
Thu Apr 12 16:34:07 BST [cifs.server.infoMsg:info]: CIFS: Warning for server \\CLADC: Could not make TCP connection.
Thu Apr 12 16:34:07 BST [auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Starting AD LDAP server address discovery for CLADEMO.COM.
Thu Apr 12 16:34:07 BST [auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Found 1 AD LDAP server addresses using DNS site query (Default-First-Site-Name).
Thu Apr 12 16:34:07 BST [auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Found 1 AD LDAP server addresses using generic DNS query.
Thu Apr 12 16:34:07 BST [auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- AD LDAP server address discovery for CLADEMO.COM complete. 1 unique addresses found.
It does not really look good. And "cifs testdc"?
What is the value of options wafl.nt_admin_priv_map_to_root and wafl.default_unix_user and content of /etc/passwd?
see below
cnetappDR>
cnetappDR> options wafl.nt_admin_priv_map_to_root
wafl.nt_admin_priv_map_to_root off
cnetappDR> options wafl.default_unix_user
wafl.default_unix_user pcuser
cnetappDR> rdfile /etc/passwd
root:_J9..15uY/vxcJsT398Y:0:1::/:
pcuser::65534:65534::/:
nobody::65535:65535::/:
ftp::65533:65533:FTP Anonymous:/home/ftp:
cnetappDR>
OK, so it is not the problem I suspected (lack of NT-to-Unix mapping for non-admin users).
If you cifs terminate, can you rejoin the domain with cifs setup? It shouldn't work and might give some errors that help troubleshoot... although it did join before so worth trying.
Hi, yes
and I CAN join the domain using the domain\snapdriveservice user!! Or the domain\administrator.
Just can't add the snapdriveservice user to the domain group or do the cifs lookup with it (or any other user other than the domain\administrator).
The cifs testdc output is
cnetappDR> cifs testdc
Using Established configuration
Current Mode of NBT is B Mode
Netbios scope ""
Registered names...
CLADEMO < 0> Broadcast
Testing all Primary Domain Controllers
found 1 unique addresses
..Not able to communicate with PDC 192.168.10.1
trying 192.168.10.1...192.168.10.1 is alive
Testing all Domain Controllers
found 1 unique addresses
..Not able to communicate with DC 192.168.10.1
trying 192.168.10.1...192.168.10.1 is alive
Hi Chris,
Just a thought, but the user name is 16 characters long and I have seen issues with filers when names are that long. Try changing the snapdriveservice domain account to, say, snapdrvsvc and see if it can then be added.
J
Well ... as long as NetApp cannot speak with DC, it also cannot resolve names. You have to solve this issue first.
Hi, thanks Jon
I have a user called test with which I tried the same thing - and the same result, unfortunately.
Chris
Things I would check:
Check time is within 5 mins, is time using GMT (will be 1 hour out now), usually use Europe/London and then time should match domain time.
Add a server to domain and see if that can be managed OK from domain, such as adding cifs shares.
Check IPv6 is not enabled anywhere.
Disable all interfaces on filer except the management and join domain again.
Put filer in workgroup mode and delete its domain account and rejoin domain.
As previously stated, if it cannot connect to a DC then nothing is going to work.
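An added example, not part of any post in this thread: a small Python triage helper that reads pasted `cifs domaininfo` / `cifs resetdc` output and pulls out the symptoms the replies focus on (no DC connection, a DC address flagged as broken, the TCP connection warning). The function name `triage`, the regexes, and the reading of a `BROKEN` status token as a failed DC are assumptions of this example.

```python
import re

# Sample input assembled from the filer output posted in this thread.
SAMPLE = r"""
NetBios Domain: CLADEMO
Not currently connected to any DCs
Favored Addresses:
192.168.10.1 CLADC PDCBROKEN
Connected AD LDAP Server: \\cladc.clademo.com
Favored Addresses:
192.168.10.1
Thu Apr 12 16:34:07 BST [cifs.server.infoMsg:info]: CIFS: Warning for server \\CLADC: Could not make TCP connection.
"""

# Assumption: a status token containing "BROKEN" (as in PDCBROKEN) marks a failed DC.
ADDR = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S*BROKEN\S*)$")
LDAP = re.compile(r"^Connected AD LDAP Server:\s*(\S+)")
TCP_FAIL = re.compile(r"Warning for server (\S+): Could not make TCP connection")


def triage(text):
    """Summarise DC/LDAP state from pasted filer console output."""
    report = {"dc_connected": None, "ldap_server": None,
              "broken_dcs": [], "tcp_failures": [], "findings": []}
    for line in map(str.strip, text.splitlines()):
        if line == "Not currently connected to any DCs":
            report["dc_connected"] = False
        elif m := LDAP.match(line):
            report["ldap_server"] = m.group(1)
        elif m := ADDR.match(line):
            report["broken_dcs"].append(m.groups())
        elif m := TCP_FAIL.search(line):
            report["tcp_failures"].append(m.group(1))
    # dc_connected stays None when the "not connected" line is absent (state unknown).
    if report["dc_connected"] is False:
        report["findings"].append(
            "No DC connection: cifs lookup and useradmin domainuser add cannot resolve names")
    for ip, name, status in report["broken_dcs"]:
        report["findings"].append(f"{name} ({ip}) is listed as {status}")
    for server in report["tcp_failures"]:
        report["findings"].append(f"TCP connection to {server} failed during DC discovery")
    return report


if __name__ == "__main__":
    for finding in triage(SAMPLE)["findings"]:
        print(finding)
```
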