I'm trying to set up our new FAS2750 (ONTAP 9.6), but I'm having some trouble with quotas and groups. Our local NetApp support/partner has installed and configured our system and joined it to our domain (called fea-rp.local). Everything is fine: we can create CIFS shares, set permissions (users and groups) and log in to our ONTAP using AD users.

Now I'm trying to create a qtree and then create a group quota for this qtree, but it doesn't work. I always get this error:


Quota creation failed on '/vol/vol_dados_fearp/qtree_grupos'
Reason : Failed to create quota.
ONTAP API Failed: Group name sti not found. Reason: SecD Error: object not found.


'sti' is the group name. I've also tried with "FEA-RP\Sti", still not working, but with a different error:

Quota creation failed on '/vol/vol_dados_fearp/qtree_grupos'
Reason : Failed to create quota.
ONTAP API Failed: Target for a group quota cannot be a Windows account.


Note that we only have a group called 'sti', not a user.




We need to check the secd logs. Could you give us the output of this command?

From clustershell:


::> event log show -event secd*

Question to you:
Do you have iSCSI and NAS interfaces in the same vserver where this share/qtree is created?


We will need the output of this:
::> network interface show -role data -vserver <vserver_name>



Event log:


Time                Node             Severity      Event
------------------- ---------------- ------------- ---------------------------
10/2/2019 12:11:27  Clt_FEARP_01_1   ERROR         secd.unixLookupFailure: vserver (FEARP_01) UNIX lookup failure. Error: Acquire UNIX credentials procedure failed
  [  2 ms] Entry for user-name: jmaurin not found in the current source: FILES. Entry for user-name: jmaurin not found in any of the available sources
**[     3] FAILURE: Unable to retrieve UID for UNIX user jmaurin
10/2/2019 11:57:24  Clt_FEARP_01_1   ERROR         secd.unixLookupFailure: vserver (FEARP_01) UNIX lookup failure. Error: Acquire UNIX credentials procedure failed
  [  1 ms] Entry for group-name: sti not found in the current source: FILES. Entry for group-name: sti not found in any of the available sources
**[     2] FAILURE: Unable to retrieve GID for UNIX groupname sti
10/2/2019 11:33:45  Clt_FEARP_01_1   ERROR         secd.unixLookupFailure: vserver (FEARP_01) UNIX lookup failure. Error: Acquire UNIX credentials procedure failed
  [ 24 ms] Entry for group-name: sti not found in the current source: FILES. Entry for group-name: sti not found in any of the available sources
**[    29] FAILURE: Unable to retrieve GID for UNIX groupname sti


Question to you:
Do you have iSCSI and NAS interfaces in the same vserver where this share/qtree is created?

No. iSCSI and NFS each use a separate interface/VLAN. CIFS is another thing: I have two different VLANs for access: one is network (which is the same as the management interface, but uses 'data' ports and not the management port) and the other is (this one is a valid IP). My AD is reachable by this second option, a valid IP. My ONTAP has a gateway configured only for this network (valid IP); none of the invalid/other networks has a gateway defined.


Clt_FEARP_01::> network interface show -role data -vserver FEARP_01
            Logical    Status     Network            Current       Current Is
Vserver     Interface  Admin/Oper Address/Mask       Node          Port    Home
----------- ---------- ---------- ------------------ ------------- ------- ----
                         up/up   Clt_FEARP_01_1
                                                                   e0f-209 true
                         up/up  Clt_FEARP_01_1
                                                                   e0f-239 true
                         up/up  Clt_FEARP_01_1
                                                                   a0a-241 true
                         up/up  Clt_FEARP_01_2
                                                                   a0a-241 true
                         up/up  Clt_FEARP_01_1
                                                                   a0a-242 true
                         up/up  Clt_FEARP_01_2
                                                                   a0a-242 true
                         up/up  Clt_FEARP_01_1
                                                                   a0a-246 true
                         up/up  Clt_FEARP_01_1
                                                                   e0M     true
                         up/up  Clt_FEARP_01_1
                                                                   a0a-243 true
9 entries were displayed.

Note: I'm planning to use this qtree/CIFS/volume with both Windows and Linux clients/servers.
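The secd.unixLookupFailure entries above are the key evidence in this thread: the "current source: FILES" detail shows which name services SecD actually consulted before giving up. The following parser is an added example (not from the original post or from NetApp) that turns `event log show -event secd*` output into structured records so an admin can see, per failed lookup, whether only the local FILES source was tried; the sample log is constructed from the entries posted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the "event log show -event secd*" output
# posted in the thread (same layout, same names and timestamps).
SAMPLE_LOG = """\
10/2/2019 12:11:27  Clt_FEARP_01_1   ERROR         secd.unixLookupFailure: vserver (FEARP_01) UNIX lookup failure. Error: Acquire UNIX credentials procedure failed
  [  2 ms] Entry for user-name: jmaurin not found in the current source: FILES. Entry for user-name: jmaurin not found in any of the available sources
**[     3] FAILURE: Unable to retrieve UID for UNIX user jmaurin
10/2/2019 11:57:24  Clt_FEARP_01_1   ERROR         secd.unixLookupFailure: vserver (FEARP_01) UNIX lookup failure. Error: Acquire UNIX credentials procedure failed
  [  1 ms] Entry for group-name: sti not found in the current source: FILES. Entry for group-name: sti not found in any of the available sources
**[     2] FAILURE: Unable to retrieve GID for UNIX groupname sti
"""

# Event header: timestamp, node, severity, event name and the affected vserver.
HEADER_RE = re.compile(
    r"^(?P<time>\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2})\s+(?P<node>\S+)\s+"
    r"(?P<severity>\S+)\s+(?P<event>secd\.\w+): vserver \((?P<vserver>[^)]+)\)"
)
# Detail line: one match per name service SecD consulted for the lookup.
DETAIL_RE = re.compile(
    r"Entry for (?P<kind>user|group)-name: (?P<name>\S+) "
    r"not found in the current source: (?P<source>\S+)\."
)

@dataclass
class LookupFailure:
    time: str
    node: str
    vserver: str
    kind: str           # "user" (UID lookup) or "group" (GID lookup)
    name: str
    sources: List[str]  # name services consulted, in order (e.g. ["FILES"])

def parse_secd_failures(text: str) -> List[LookupFailure]:
    """Group each header line with the detail lines that follow it."""
    failures: List[LookupFailure] = []
    current: Optional[LookupFailure] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = LookupFailure(m["time"], m["node"], m["vserver"], "", "", [])
            failures.append(current)
            continue
        if current is not None:
            for d in DETAIL_RE.finditer(line):
                current.kind, current.name = d["kind"], d["name"]
                current.sources.append(d["source"])
    return [f for f in failures if f.name]

def files_only(failures: List[LookupFailure]) -> List[LookupFailure]:
    # Only the local FILES source was tried: LDAP/NIS never answered, so the
    # SVM's ns-switch or LDAP client configuration is the thing to check.
    return [f for f in failures if f.sources == ["FILES"]]
```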



OK, I found that CIFS doesn't use the same connection that the management interface uses for auth. I need to configure the LDAP client in my SVM.

So, I've set up my LDAP configuration and tested it with "vserver services name-service ldap check -vserver FEARP_01". My connection looks fine now, but I'm still not getting account/group objects. I found this article:


The problem is that my ONTAP doesn't have the command 'getxxbyyy'... or rather, doesn't have any 'get<anything>' command, so I can't test the query. Is there any other way, or what am I missing?

I would like to test my LDAP query from ONTAP... I think it's a permission problem now. Also, does ONTAP do recursive queries while looking for accounts/groups?

I'm using my first level as BaseDN.


For a mixed environment (Windows/UNIX) you will need to set up name mapping.


Test connection:
[set diag]
:*> diag secd authentication show-creds -node <node> -vserver <vserver> -unix-user-name xxx

FAQ: Understanding name-mapping in a multiprotocol environment


Creating a name mapping

Note that you can use name mapping only for users, not for groups. It is not possible to map CIFS users to a group ID (GID), or UNIX users to a group in the Active Directory (AD). Similarly, it is not possible to map a GID to a group or a user in AD, or an AD group to a UNIX UID or GID.


OK, I've changed to NTFS to simplify things... but I still have the same problem.


I've tried both test commands, only one works:

Clt_FEARP_01::*> diag secd authentication show-creds -node Clt_FEARP_01_1 -vserver FEARP_01 -win-name jmaurin

 UNIX UID: root <> Windows User: FEA-RP\jmaurin (Windows Domain User)

 GID: daemon
 Supplementary GIDs:

 Primary Group SID: FEA-RP\Domain Users (Windows Domain group)

 Windows Membership:
  FEA-RP\Domain Users (Windows Domain group)
  FEA-RP\Domain Admins (Windows Domain group)
  FEA-RP\StorageAdm (Windows Domain group)
  FEA-RP\brigada (Windows Domain group)
  FEA-RP\sti (Windows Domain group)
  FEA-RP\Administradores Locais (Windows Domain group)
  FEA-RP\AppVAdministrators (Windows Domain group)
  FEA-RP\radius (Windows Domain group)
  FEA-RP\AppVUsers (Windows Domain group)
  FEA-RP\funcs (Windows Domain group)
  FEA-RP\reservas (Windows Domain group)
  FEA-RP\Aplicacoes (Windows Domain group)
  FEA-RP\Enterprise Admins (Windows Domain group)
  FEA-RP\Schema Admins (Windows Domain group)
  FEA-RP\Denied RODC Password Replication Group (Windows Alias)
  Service asserted identity (Windows Well known group)
  BUILTIN\Users (Windows Alias)
  BUILTIN\Administrators (Windows Alias)
 User is also a member of Everyone, Authenticated Users, and Network Users

 Privileges (0x22b7):

This command returns the same error as when I try to add a quota for a user:

Clt_FEARP_01::*> getxxbyyy getpwbyname -node Clt_FEARP_01_1 -vserver FEARP_01 -username jmaurin -show-source true
  (vserver services name-service getxxbyyy getpwbyname)

Error: command failed: Failed to resolve jmaurin. Reason: Entry not found for "username: jmaurin".

I'm not sure what's wrong, since the first command could find my user object and the second command can't. I think it isn't a connection problem (with my AD), right?



OK. Could you give us this output:


::>vserver cifs options show -vserver vserver_name
::>vserver services unix-user show -vserver vserver_name
::> vserver name-mapping show -vserver vserver_name -direction unix-win



Clt_FEARP_01::*> vserver cifs options show -vserver FEARP_01

Vserver: FEARP_01

                            Client Session Timeout: 900
                              Copy Offload Enabled: true
                                Default Unix Group: -
                                 Default Unix User: pcuser
                                   Guest Unix User: -
               Are Administrators mapped to 'root': true
           Is Advanced Sparse File Support Enabled: true
                  Is Fsctl File Level Trim Enabled: true
                  Direct-Copy Copy Offload Enabled: true
                           Export Policies Enabled: false
            Grant Unix Group Permissions to Others: false
                          Is Advertise DFS Enabled: false
     Is Client Duplicate Session Detection Enabled: true
               Is Client Version Reporting Enabled: true
                                    Is DAC Enabled: false
                      Is Fake Open Support Enabled: true
                         Is Hide Dot Files Enabled: false
                              Is Large MTU Enabled: false
                             Is Local Auth Enabled: true
                 Is Local Users and Groups Enabled: true
                           Is Multichannel Enabled: true
            Is NetBIOS over TCP (port 139) Enabled: true
               Is NBNS over UDP (port 137) Enabled: false
                               Is Referral Enabled: false
             Is Search Short Names Support Enabled: false
  Is Trusted Domain Enumeration And Search Enabled: true
                        Is UNIX Extensions Enabled: false
          Is Use Junction as Reparse Point Enabled: true
    Maximum Length of Data Zeroed by One Operation: 32MB
                               Max Multiplex Count: 255
          Max Connections per Multichannel Session: 32
                 Max LIFs per Multichannel Session: 256
              Max Same User Session Per Connection: 2500
                 Max Same Tree Connect Per Session: 5000
                      Max Opens Same File Per Tree: 1000
                          Max Watches Set Per Tree: 500
                   Is Path Component Cache Enabled: true
Is Path Component Cache Symlink Resolution Enabled: true
              Path Component Cache Maximum Entries: 5000
        Path Component Cache Entry Expiration Time: 15000
      Path Component Cache Symlink Expiration Time: 15000
   Path Component Cache Maximum Session Token Size: 1000
    NT ACLs on UNIX Security Style Volumes Enabled: true
                                  Read Grants Exec: disabled
                                  Read Only Delete: disabled
                  Reported File System Sector Size: 4096
                                Restrict Anonymous: no-restriction
                              Shadowcopy Dir Depth: 5
                                Shadowcopy Enabled: true
                                      SMB1 Enabled: false
                  Max Buffer Size for SMB1 Message: 65535
                                      SMB2 Enabled: true
                                      SMB3 Enabled: true
                                    SMB3.1 Enabled: true
            Map Null User to Windows User or Group: -
                                      WINS Servers: -
         Report Widelink as Reparse Point Versions: SMB1
                              Max Credits to Grant: 128
Clt_FEARP_01::*> vserver services unix-user show -vserver FEARP_01
               User            User   Group  Full
Vserver        Name            ID     ID     Name
-------------- --------------- ------ ------ --------------------------------
FEARP_01       nobody          65535  65535
FEARP_01       pcuser          65534  65534
FEARP_01       root            0      1
3 entries were displayed.

Clt_FEARP_01::*> vserver name-mapping show -vserver FEARP_01  -direction unix-win

Vserver:   FEARP_01
Direction: unix-win
Position Hostname         IP Address/Mask
-------- ---------------- ----------------
1       -                 -                   Pattern: (.+)
                                          Replacement: FEA-RP\\\1



I have mapped all Windows users to 'pcuser'. Is this right?

Also, why do I need to map, since I'm using only NTFS security style on my volume?


Solved = hurray 🙂


I was just reading this when you replied:


The user-mapping parameter is set to "on" in the quota rule for the user.


I agree, with NTFS security style it should only need mapping of the UNIX user to Windows (by default the UNIX user 'pcuser' is defined in 8.3 and later)... I am thinking now.
