General Discussion

Can't create group quota

Jonis
6,000 Views

Hi.

 

I'm trying to setup our new FAS2750 (ONTAP 9.6), but I'm having some troubles with quota and groups. Our local netapp support/partnet has installed and configured our system and joined to our domain (called fea-rp.local). Everything is fine, we can create CIF's chares's, set permissions (users and groups) and login into our ONTAP using AD users.

Now I'm tryng to create a qtree and then create a group quota for this qtree, but it doesn't work. Always get this error:

 

Quota creation failed on '/vol/vol_dados_fearp/qtree_grupos'
Reason : Failed to create quota.
ONTAP API Failed: Group name sti not found. Reason: SecD Error: object not found.

 

'sti' is group name. I've also tried with "FEA-RP\Sti", still not working, but different error:

Quota creation failed on '/vol/vol_dados_fearp/qtree_grupos'
Reason : Failed to create quota.
ONTAP API Failed: Target for a group quota cannot be a Windows account.

 

Note that we only have a group salled 'sti', not an user.

 

9 REPLIES 9

Ontapforrum
5,992 Views

We need to check the secd logs, could you give us the output of this command


From clustershell:

 

::> event log show -event secd*


Question to you:
Do you have iSCSI and NAS interface in a same vserver where this share/qree is created ?

 

Will need output of this:
::> network interface show -role data -vserver <vserver_name>

Jonis
5,967 Views

Sure!

Event log:

 

Time                Node             Severity      Event
------------------- ---------------- ------------- ---------------------------
10/2/2019 12:11:27  Clt_FEARP_01_1   ERROR         secd.unixLookupFailure: vserver (FEARP_01) UNIX lookup failure. Error: Acquire UNIX credentials procedure failed
  [  2 ms] Entry for user-name: jmaurin not found in the current source: FILES. Entry for user-name: jmaurin not found in any of the available sources
**[     3] FAILURE: Unable to retrieve UID for UNIX user jmaurin
10/2/2019 11:57:24  Clt_FEARP_01_1   ERROR         secd.unixLookupFailure: vserver (FEARP_01) UNIX lookup failure. Error: Acquire UNIX credentials procedure failed
  [  1 ms] Entry for group-name: sti not found in the current source: FILES. Entry for group-name: sti not found in any of the available sources
**[     2] FAILURE: Unable to retrieve GID for UNIX groupname sti
10/2/2019 11:33:45  Clt_FEARP_01_1   ERROR         secd.unixLookupFailure: vserver (FEARP_01) UNIX lookup failure. Error: Acquire UNIX credentials procedure failed
  [ 24 ms] Entry for group-name: sti not found in the current source: FILES. Entry for group-name: sti not found in any of the available sources
**[    29] FAILURE: Unable to retrieve GID for UNIX groupname sti

 

Question to you:
Do you have iSCSI and NAS interface in a same vserver where this share/qree is created ?

No. iSCSI and NFS use separeted interface/VLAN each. CIF's is another thing: I have two different VLAN's for access: one is network 10.107.205.0/24 (which is the same of management interface, but uses 'data' ports and not management port) and other is 1.2.3.4 (this one is a valid IP). My AD is reachable by this second option, a valid IP. My ONTAP has gateway configured only for this network (valid ip), none of invalid networks/other has gateway defined.

 

Clt_FEARP_01::> network interface show -role data -vserver FEARP_01
            Logical    Status     Network            Current       Current Is
Vserver     Interface  Admin/Oper Address/Mask       Node          Port    Home
----------- ---------- ---------- ------------------ ------------- ------- ----
FEARP_01
            FEARP_01_cifs-209_lif1
                         up/up    143.107.205.2/24   Clt_FEARP_01_1
                                                                   e0f-209 true
            FEARP_01_cifs-239_lif2
                         up/up    10.107.205.180/24  Clt_FEARP_01_1
                                                                   e0f-239 true
            FEARP_01_iscsi-241_lif1
                         up/up    10.107.206.170/24  Clt_FEARP_01_1
                                                                   a0a-241 true
            FEARP_01_iscsi-241_lif2
                         up/up    10.107.206.171/24  Clt_FEARP_01_2
                                                                   a0a-241 true
            FEARP_01_iscsi-242_lif1
                         up/up    10.107.207.170/24  Clt_FEARP_01_1
                                                                   a0a-242 true
            FEARP_01_iscsi-242_lif2
                         up/up    10.107.207.171/24  Clt_FEARP_01_2
                                                                   a0a-242 true
            FEARP_01_iscsi-246_lif2
                         up/up    10.107.210.170/24  Clt_FEARP_01_1
                                                                   a0a-246 true
            FEARP_01_mgmt
                         up/up    10.107.205.175/24  Clt_FEARP_01_1
                                                                   e0M     true
            FEARP_01_nfs-243_lif1
                         up/up    10.107.208.170/24  Clt_FEARP_01_1
                                                                   a0a-243 true
9 entries were displayed.

Note: I'm planing to use this qtree/cif's/volume with both windows and linux clients/servers.

 

Jonis
5,937 Views

Ok, I found that CIF's doesn't use the same connection that management interface uses for auth. I need to configure LDP Client in my SVM. 

So, I've setup my LDAP configuration and tested with "vserver services name-service ldap check -vserver FEARP_01". My connection looks fine now, but still not getting account/groups objects. I found this article:  https://kb.netapp.com/app/answers/answer_view/a_id/1029829/~/how-to-troubleshoot-ldap-issues-in-clustered-data-ontap-

 

The problem is that I my ONTAP doesn't have command 'getxxbyyy'...or better, doesn't have any 'get<anythin>' command, so I can't test query. Is there any other way, or what am I missing?

I would like to test my LDAP query from ONTAP....I think it's a permission problem now. Also, ONTAP does recursive queries while looking for accounts/groups?

I'm using my first level as BaseDN.

Ontapforrum
5,897 Views

For mixed environment (win/unix) you will need to set up mapping.

 

Test connection:
[set diag]
:*> diag secd authentication show-creds -node <node> -vserver <vserver> -unix-user-name xxx


FAQ: Understanding name-mapping in a multiprotocol environment
https://kb.netapp.com/app/answers/answer_view/a_id/1076862

 

Creating a name mapping
https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.cdot-famg-cifs%2FGUID-DF5A05D9-4F6E-45A7-A3A0-9387AB655309.html


Note that you can use name mapping only for users, not for groups. It is not possible to map CIFS users to a group ID (GID), or UNIX users to a group in the Active Directory (AD). Similarly, it is not possible to map a GID to a group or a user in AD, or an AD group to a UNIX UID or GID.

 

https://library.netapp.com/ecmdocs/ECMP1196891/html/GUID-7AB09327-2879-4066-9A7F-1A25B3CB3AA7.html

Jonis
5,839 Views

Ok I've changed to NTFS to simplify things.....but still with same problem.

 

I've tried both test commands, only one works:

Clt_FEARP_01::*> diag secd authentication show-creds -node Clt_FEARP_01_1 -vserver FEARP_01 -win-name jmaurin

 UNIX UID: root <> Windows User: FEA-RP\jmaurin (Windows Domain User)

 GID: daemon
 Supplementary GIDs:
  daemon

 Primary Group SID: FEA-RP\Domain Users (Windows Domain group)

 Windows Membership:
  FEA-RP\Domain Users (Windows Domain group)
  FEA-RP\Domain Admins (Windows Domain group)
  FEA-RP\StorageAdm (Windows Domain group)
  FEA-RP\brigada (Windows Domain group)
  FEA-RP\sti (Windows Domain group)
  FEA-RP\Administradores Locais (Windows Domain group)
  FEA-RP\AppVAdministrators (Windows Domain group)
  FEA-RP\radius (Windows Domain group)
  FEA-RP\AppVUsers (Windows Domain group)
  FEA-RP\funcs (Windows Domain group)
  FEA-RP\reservas (Windows Domain group)
  FEA-RP\Aplicacoes (Windows Domain group)
  FEA-RP\Enterprise Admins (Windows Domain group)
  FEA-RP\Schema Admins (Windows Domain group)
  FEA-RP\Denied RODC Password Replication Group (Windows Alias)
  Service asserted identity (Windows Well known group)
  BUILTIN\Users (Windows Alias)
  BUILTIN\Administrators (Windows Alias)
 User is also a member of Everyone, Authenticated Users, and Network Users

 Privileges (0x22b7):
  SeBackupPrivilege
  SeRestorePrivilege
  SeTakeOwnershipPrivilege
  SeSecurityPrivilege
  SeChangeNotifyPrivilege

This command returns the same error while I try to add quota for user:

Clt_FEARP_01::*> getxxbyyy getpwbyname -node Clt_FEARP_01_1 -vserver FEARP_01 -username jmaurin -show-source true
  (vserver services name-service getxxbyyy getpwbyname)

Error: command failed: Failed to resolve jmaurin. Reason: Entry not found for "username: jmaurin".

I'm not sure what's wrng, since first command could find my user object and second command can't. I think it isn't a connection problem (with my AD), right?

 

Ontapforrum
5,831 Views

ok. Could you give us this output:

 

::>vserver cifs options show -vserver vserver_name
::>vserver services unix-user show -vserver vserver_name
::> vserver name-mapping show -vserver vserver_name -direction unix-win

 

 

Jonis
5,827 Views
Clt_FEARP_01::*> vserver cifs options show -vserver FEARP_01

Vserver: FEARP_01

                            Client Session Timeout: 900
                              Copy Offload Enabled: true
                                Default Unix Group: -
                                 Default Unix User: pcuser
                                   Guest Unix User: -
               Are Administrators mapped to 'root': true
           Is Advanced Sparse File Support Enabled: true
                  Is Fsctl File Level Trim Enabled: true
                  Direct-Copy Copy Offload Enabled: true
                           Export Policies Enabled: false
            Grant Unix Group Permissions to Others: false
                          Is Advertise DFS Enabled: false
     Is Client Duplicate Session Detection Enabled: true
               Is Client Version Reporting Enabled: true
                                    Is DAC Enabled: false
                      Is Fake Open Support Enabled: true
                         Is Hide Dot Files Enabled: false
                              Is Large MTU Enabled: false
                             Is Local Auth Enabled: true
                 Is Local Users and Groups Enabled: true
                           Is Multichannel Enabled: true
            Is NetBIOS over TCP (port 139) Enabled: true
               Is NBNS over UDP (port 137) Enabled: false
                               Is Referral Enabled: false
             Is Search Short Names Support Enabled: false
  Is Trusted Domain Enumeration And Search Enabled: true
                        Is UNIX Extensions Enabled: false
          Is Use Junction as Reparse Point Enabled: true
    Maximum Length of Data Zeroed by One Operation: 32MB
                               Max Multiplex Count: 255
          Max Connections per Multichannel Session: 32
                 Max LIFs per Multichannel Session: 256
              Max Same User Session Per Connection: 2500
                 Max Same Tree Connect Per Session: 5000
                      Max Opens Same File Per Tree: 1000
                          Max Watches Set Per Tree: 500
                   Is Path Component Cache Enabled: true
Is Path Component Cache Symlink Resolution Enabled: true
              Path Component Cache Maximum Entries: 5000
        Path Component Cache Entry Expiration Time: 15000
      Path Component Cache Symlink Expiration Time: 15000
   Path Component Cache Maximum Session Token Size: 1000
    NT ACLs on UNIX Security Style Volumes Enabled: true
                                  Read Grants Exec: disabled
                                  Read Only Delete: disabled
                  Reported File System Sector Size: 4096
                                Restrict Anonymous: no-restriction
                              Shadowcopy Dir Depth: 5
                                Shadowcopy Enabled: true
                                      SMB1 Enabled: false
                  Max Buffer Size for SMB1 Message: 65535
                                      SMB2 Enabled: true
                                      SMB3 Enabled: true
                                    SMB3.1 Enabled: true
            Map Null User to Windows User or Group: -
                                      WINS Servers: -
         Report Widelink as Reparse Point Versions: SMB1
                              Max Credits to Grant: 128
Clt_FEARP_01::*> vserver services unix-user show -vserver FEARP_01
               User            User   Group  Full
Vserver        Name            ID     ID     Name
-------------- --------------- ------ ------ --------------------------------
FEARP_01       nobody          65535  65535
FEARP_01       pcuser          65534  65534
FEARP_01       root            0      1
3 entries were displayed.

Clt_FEARP_01::*> vserver name-mapping show -vserver FEARP_01  -direction unix-win

Vserver:   FEARP_01
Direction: unix-win
Position Hostname         IP Address/Mask
-------- ---------------- ----------------
1       -                 -                   Pattern: (.+)
                                          Replacement: FEA-RP\\\1

Jonis
5,824 Views

Solved!

I have mapped all win-users to 'pcuser'. This is right?

Also, why I need to map, since I'm using only NTFS in security of my volume?

Ontapforrum
5,821 Views

Solved = hurray 🙂

 

I was just reading this when you replied:

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-vsmg%2FGUID-A019B690-EB03-43C2-B755-1F265EC9E986.html&lang=en

 

The user-mapping parameter is set to "on" in the quota rule for the user.

 

I agree, with NTFS security-style, it should only need mapping of unix-user to Windows (bydefault unix-user 'pcuser ' is defined in 8.3 later)..I am thinking now.

Public