Can't create group quota

Jonis

Hi.

I'm trying to set up our new FAS2750 (ONTAP 9.6), but I'm having some trouble with quotas and groups. Our local NetApp support/partner has installed and configured our system and joined it to our domain (called fea-rp.local). Everything is fine: we can create CIFS shares, set permissions (users and groups) and log in to our ONTAP using AD users.

Now I'm trying to create a qtree and then create a group quota for this qtree, but it doesn't work. I always get this error:

Quota creation failed on '/vol/vol_dados_fearp/qtree_grupos'
Reason : Failed to create quota.
ONTAP API Failed: Group name sti not found. Reason: SecD Error: object not found.

'sti' is the group name. I've also tried with "FEA-RP\Sti", still not working, but with a different error:

Quota creation failed on '/vol/vol_dados_fearp/qtree_grupos'
Reason : Failed to create quota.
ONTAP API Failed: Target for a group quota cannot be a Windows account.

Note that we only have a group called 'sti', not a user.

Re: Can't create group quota

Ontapforrum

We need to check the secd logs. Could you give us the output of this command?

From clustershell:

::> event log show -event secd*

Question to you:
Do you have iSCSI and NAS interfaces in the same vserver where this share/qtree is created?

Will need the output of this:
::> network interface show -role data -vserver <vserver_name>

Re: Can't create group quota

Jonis

Sure!

Event log:

Time                Node             Severity      Event
------------------- ---------------- ------------- ---------------------------
10/2/2019 12:11:27  Clt_FEARP_01_1   ERROR         secd.unixLookupFailure: vserver (FEARP_01) UNIX lookup failure. Error: Acquire UNIX credentials procedure failed
  [  2 ms] Entry for user-name: jmaurin not found in the current source: FILES. Entry for user-name: jmaurin not found in any of the available sources
**[     3] FAILURE: Unable to retrieve UID for UNIX user jmaurin
10/2/2019 11:57:24  Clt_FEARP_01_1   ERROR         secd.unixLookupFailure: vserver (FEARP_01) UNIX lookup failure. Error: Acquire UNIX credentials procedure failed
  [  1 ms] Entry for group-name: sti not found in the current source: FILES. Entry for group-name: sti not found in any of the available sources
**[     2] FAILURE: Unable to retrieve GID for UNIX groupname sti
10/2/2019 11:33:45  Clt_FEARP_01_1   ERROR         secd.unixLookupFailure: vserver (FEARP_01) UNIX lookup failure. Error: Acquire UNIX credentials procedure failed
  [ 24 ms] Entry for group-name: sti not found in the current source: FILES. Entry for group-name: sti not found in any of the available sources
**[    29] FAILURE: Unable to retrieve GID for UNIX groupname sti

Question to you:
Do you have iSCSI and NAS interfaces in the same vserver where this share/qtree is created?

No. iSCSI and NFS use a separate interface/VLAN each. CIFS is another thing: I have two different VLANs for access: one is network 10.107.205.0/24 (which is the same as the management interface, but uses 'data' ports and not the management port) and the other is 1.2.3.4 (this one is a valid IP). My AD is reachable by this second option, a valid IP. My ONTAP has a gateway configured only for this network (valid IP); none of the invalid/other networks has a gateway defined.

Clt_FEARP_01::> network interface show -role data -vserver FEARP_01
            Logical    Status     Network            Current       Current Is
Vserver     Interface  Admin/Oper Address/Mask       Node          Port    Home
----------- ---------- ---------- ------------------ ------------- ------- ----
FEARP_01
            FEARP_01_cifs-209_lif1
                         up/up    143.107.205.2/24   Clt_FEARP_01_1
                                                                   e0f-209 true
            FEARP_01_cifs-239_lif2
                         up/up    10.107.205.180/24  Clt_FEARP_01_1
                                                                   e0f-239 true
            FEARP_01_iscsi-241_lif1
                         up/up    10.107.206.170/24  Clt_FEARP_01_1
                                                                   a0a-241 true
            FEARP_01_iscsi-241_lif2
                         up/up    10.107.206.171/24  Clt_FEARP_01_2
                                                                   a0a-241 true
            FEARP_01_iscsi-242_lif1
                         up/up    10.107.207.170/24  Clt_FEARP_01_1
                                                                   a0a-242 true
            FEARP_01_iscsi-242_lif2
                         up/up    10.107.207.171/24  Clt_FEARP_01_2
                                                                   a0a-242 true
            FEARP_01_iscsi-246_lif2
                         up/up    10.107.210.170/24  Clt_FEARP_01_1
                                                                   a0a-246 true
            FEARP_01_mgmt
                         up/up    10.107.205.175/24  Clt_FEARP_01_1
                                                                   e0M     true
            FEARP_01_nfs-243_lif1
                         up/up    10.107.208.170/24  Clt_FEARP_01_1
                                                                   a0a-243 true
9 entries were displayed.

Note: I'm planning to use this qtree/CIFS/volume with both Windows and Linux clients/servers.

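Added example, not part of the thread: a small parser for the `event log show -event secd*` output posted above. It groups each `secd.unixLookupFailure` event with its indented continuation lines, pulls out which name failed to resolve, which source was consulted (here only FILES, since no LDAP/NIS source answered) and whether a UID or GID was wanted, then counts failures per name so the unresolved group `sti` stands out from a one-off user lookup. The sample log is a constructed copy of the lines posted above; the regular expressions and field names are mine, not anything ONTAP defines.

```python
import re
from collections import Counter

# Constructed sample, copied from the clustershell output posted in this thread.
SAMPLE_LOG = """\
Time                Node             Severity      Event
------------------- ---------------- ------------- ---------------------------
10/2/2019 12:11:27  Clt_FEARP_01_1   ERROR         secd.unixLookupFailure: vserver (FEARP_01) UNIX lookup failure. Error: Acquire UNIX credentials procedure failed
  [  2 ms] Entry for user-name: jmaurin not found in the current source: FILES. Entry for user-name: jmaurin not found in any of the available sources
**[     3] FAILURE: Unable to retrieve UID for UNIX user jmaurin
10/2/2019 11:57:24  Clt_FEARP_01_1   ERROR         secd.unixLookupFailure: vserver (FEARP_01) UNIX lookup failure. Error: Acquire UNIX credentials procedure failed
  [  1 ms] Entry for group-name: sti not found in the current source: FILES. Entry for group-name: sti not found in any of the available sources
**[     2] FAILURE: Unable to retrieve GID for UNIX groupname sti
10/2/2019 11:33:45  Clt_FEARP_01_1   ERROR         secd.unixLookupFailure: vserver (FEARP_01) UNIX lookup failure. Error: Acquire UNIX credentials procedure failed
  [ 24 ms] Entry for group-name: sti not found in the current source: FILES. Entry for group-name: sti not found in any of the available sources
**[    29] FAILURE: Unable to retrieve GID for UNIX groupname sti
"""

# A record starts with a date/time, the node, the severity and "event: message".
HEADER_RE = re.compile(
    r"^(?P<time>\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<node>\S+)\s+(?P<severity>[A-Z]+)\s+(?P<event>\S+?):\s*(?P<message>.*)$"
)
# Continuation lines name the entity that failed and the source that was consulted.
NOT_FOUND_RE = re.compile(
    r"Entry for (?P<kind>user|group)-name: (?P<name>\S+) not found in the current source: (?P<source>\w+)"
)
FAILURE_RE = re.compile(r"FAILURE: Unable to retrieve (?P<idtype>UID|GID) for UNIX \w+ (?P<name>\S+)")


def parse_secd_events(text):
    """Turn the clustershell table into one dict per event, with the unresolved
    name, the sources tried and the final UID/GID failure attached to it."""
    events = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sources_tried"] = []
            rec["name"] = rec["kind"] = rec["idtype"] = None
            events.append(rec)
            continue
        if not events:
            continue  # column header and separator lines before the first record
        rec = events[-1]
        for nf in NOT_FOUND_RE.finditer(line):
            rec["kind"], rec["name"] = nf["kind"], nf["name"]
            rec["sources_tried"].append(nf["source"])
        f = FAILURE_RE.search(line)
        if f:
            rec["idtype"] = f["idtype"]
    return events


def unresolved_names(events):
    """Count lookup failures per (kind, name). Repeated failures for one name
    point at a mapping/quota target problem; failures spread over many names
    point at the name service (LDAP/NIS) itself."""
    return Counter(
        (e["kind"], e["name"]) for e in events if e["event"] == "secd.unixLookupFailure"
    )


if __name__ == "__main__":
    evs = parse_secd_events(SAMPLE_LOG)
    for (kind, name), n in unresolved_names(evs).most_common():
        print(f"{kind:5} {name:10} {n} failure(s), sources tried: {evs[0]['sources_tried']}")
```

Feeding the real output of the command into `parse_secd_events` works the same way; the only thing the sample fixes is the column layout shown in the post.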
Re: Can't create group quota

Jonis

OK, I found that CIFS doesn't use the same connection that the management interface uses for auth. I need to configure the LDAP client in my SVM.

So, I've set up my LDAP configuration and tested it with "vserver services name-service ldap check -vserver FEARP_01". My connection looks fine now, but I'm still not getting account/group objects. I found this article: https://kb.netapp.com/app/answers/answer_view/a_id/1029829/~/how-to-troubleshoot-ldap-issues-in-clustered-data-ontap-

The problem is that my ONTAP doesn't have the command 'getxxbyyy'... or rather, it doesn't have any 'get<anything>' command, so I can't test the query. Is there any other way, or what am I missing?

I would like to test my LDAP query from ONTAP... I think it's a permission problem now. Also, does ONTAP do recursive queries while looking for accounts/groups?

I'm using my first level as BaseDN.

Re: Can't create group quota

Ontapforrum

For a mixed environment (win/unix) you will need to set up mapping.

Test connection:
[set diag]
:*> diag secd authentication show-creds -node <node> -vserver <vserver> -unix-user-name xxx


FAQ: Understanding name-mapping in a multiprotocol environment
https://kb.netapp.com/app/answers/answer_view/a_id/1076862

Creating a name mapping
https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.cdot-famg-cifs%2FGUID-DF5A05D9-4F6E-45A7-A3A0-9387AB655309.html


Note that you can use name mapping only for users, not for groups. It is not possible to map CIFS users to a group ID (GID), or UNIX users to a group in the Active Directory (AD). Similarly, it is not possible to map a GID to a group or a user in AD, or an AD group to a UNIX UID or GID.

https://library.netapp.com/ecmdocs/ECMP1196891/html/GUID-7AB09327-2879-4066-9A7F-1A25B3CB3AA7.html

Re: Can't create group quota

Jonis

OK, I've changed to NTFS to simplify things... but still with the same problem.

I've tried both test commands; only one works:

Clt_FEARP_01::*> diag secd authentication show-creds -node Clt_FEARP_01_1 -vserver FEARP_01 -win-name jmaurin

 UNIX UID: root <> Windows User: FEA-RP\jmaurin (Windows Domain User)

 GID: daemon
 Supplementary GIDs:
  daemon

 Primary Group SID: FEA-RP\Domain Users (Windows Domain group)

 Windows Membership:
  FEA-RP\Domain Users (Windows Domain group)
  FEA-RP\Domain Admins (Windows Domain group)
  FEA-RP\StorageAdm (Windows Domain group)
  FEA-RP\brigada (Windows Domain group)
  FEA-RP\sti (Windows Domain group)
  FEA-RP\Administradores Locais (Windows Domain group)
  FEA-RP\AppVAdministrators (Windows Domain group)
  FEA-RP\radius (Windows Domain group)
  FEA-RP\AppVUsers (Windows Domain group)
  FEA-RP\funcs (Windows Domain group)
  FEA-RP\reservas (Windows Domain group)
  FEA-RP\Aplicacoes (Windows Domain group)
  FEA-RP\Enterprise Admins (Windows Domain group)
  FEA-RP\Schema Admins (Windows Domain group)
  FEA-RP\Denied RODC Password Replication Group (Windows Alias)
  Service asserted identity (Windows Well known group)
  BUILTIN\Users (Windows Alias)
  BUILTIN\Administrators (Windows Alias)
 User is also a member of Everyone, Authenticated Users, and Network Users

 Privileges (0x22b7):
  SeBackupPrivilege
  SeRestorePrivilege
  SeTakeOwnershipPrivilege
  SeSecurityPrivilege
  SeChangeNotifyPrivilege

This command returns the same error I get when I try to add a quota for a user:

Clt_FEARP_01::*> getxxbyyy getpwbyname -node Clt_FEARP_01_1 -vserver FEARP_01 -username jmaurin -show-source true
  (vserver services name-service getxxbyyy getpwbyname)

Error: command failed: Failed to resolve jmaurin. Reason: Entry not found for "username: jmaurin".

I'm not sure what's wrong, since the first command could find my user object and the second can't. I think it isn't a connection problem (with my AD), right?

Re: Can't create group quota

Ontapforrum

OK. Could you give us this output:

::> vserver cifs options show -vserver vserver_name
::> vserver services unix-user show -vserver vserver_name
::> vserver name-mapping show -vserver vserver_name -direction unix-win

Re: Can't create group quota

Jonis

Clt_FEARP_01::*> vserver cifs options show -vserver FEARP_01

Vserver: FEARP_01

                            Client Session Timeout: 900
                              Copy Offload Enabled: true
                                Default Unix Group: -
                                 Default Unix User: pcuser
                                   Guest Unix User: -
               Are Administrators mapped to 'root': true
           Is Advanced Sparse File Support Enabled: true
                  Is Fsctl File Level Trim Enabled: true
                  Direct-Copy Copy Offload Enabled: true
                           Export Policies Enabled: false
            Grant Unix Group Permissions to Others: false
                          Is Advertise DFS Enabled: false
     Is Client Duplicate Session Detection Enabled: true
               Is Client Version Reporting Enabled: true
                                    Is DAC Enabled: false
                      Is Fake Open Support Enabled: true
                         Is Hide Dot Files Enabled: false
                              Is Large MTU Enabled: false
                             Is Local Auth Enabled: true
                 Is Local Users and Groups Enabled: true
                           Is Multichannel Enabled: true
            Is NetBIOS over TCP (port 139) Enabled: true
               Is NBNS over UDP (port 137) Enabled: false
                               Is Referral Enabled: false
             Is Search Short Names Support Enabled: false
  Is Trusted Domain Enumeration And Search Enabled: true
                        Is UNIX Extensions Enabled: false
          Is Use Junction as Reparse Point Enabled: true
    Maximum Length of Data Zeroed by One Operation: 32MB
                               Max Multiplex Count: 255
          Max Connections per Multichannel Session: 32
                 Max LIFs per Multichannel Session: 256
              Max Same User Session Per Connection: 2500
                 Max Same Tree Connect Per Session: 5000
                      Max Opens Same File Per Tree: 1000
                          Max Watches Set Per Tree: 500
                   Is Path Component Cache Enabled: true
Is Path Component Cache Symlink Resolution Enabled: true
              Path Component Cache Maximum Entries: 5000
        Path Component Cache Entry Expiration Time: 15000
      Path Component Cache Symlink Expiration Time: 15000
   Path Component Cache Maximum Session Token Size: 1000
    NT ACLs on UNIX Security Style Volumes Enabled: true
                                  Read Grants Exec: disabled
                                  Read Only Delete: disabled
                  Reported File System Sector Size: 4096
                                Restrict Anonymous: no-restriction
                              Shadowcopy Dir Depth: 5
                                Shadowcopy Enabled: true
                                      SMB1 Enabled: false
                  Max Buffer Size for SMB1 Message: 65535
                                      SMB2 Enabled: true
                                      SMB3 Enabled: true
                                    SMB3.1 Enabled: true
            Map Null User to Windows User or Group: -
                                      WINS Servers: -
         Report Widelink as Reparse Point Versions: SMB1
                              Max Credits to Grant: 128
Clt_FEARP_01::*> vserver services unix-user show -vserver FEARP_01
               User            User   Group  Full
Vserver        Name            ID     ID     Name
-------------- --------------- ------ ------ --------------------------------
FEARP_01       nobody          65535  65535
FEARP_01       pcuser          65534  65534
FEARP_01       root            0      1
3 entries were displayed.

Clt_FEARP_01::*> vserver name-mapping show -vserver FEARP_01  -direction unix-win

Vserver:   FEARP_01
Direction: unix-win
Position Hostname         IP Address/Mask
-------- ---------------- ----------------
1       -                 -                   Pattern: (.+)
                                          Replacement: FEA-RP\\\1

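Added example, not ONTAP code and not from either poster: a small model of how the name-mapping rules discussed in Ontapforrum's mapping post and shown in the output above behave. It takes the posted unix-win rule (`(.+)` → `FEA-RP\\\1`), the local unix-user table and the Default Unix User `pcuser` from the cifs options above, and shows three win-unix outcomes: no rule at all (falls through to the default user), a constructed rule that strips the domain and hands secd a name the FILES source does not know (the situation in the secd log), and a constructed rule that sends every FEA-RP user to `pcuser`. The evaluation details are my assumptions about ONTAP, not documented fact: Python's `re` stands in for POSIX regex, rules must match the whole name case-sensitively, and the fallback order is explicit rule, then same-name (implicit) mapping, then default user.

```python
import re
from dataclasses import dataclass

# Local UNIX users, as shown by `vserver services unix-user show -vserver FEARP_01` above.
UNIX_USERS = {"nobody": 65535, "pcuser": 65534, "root": 0}
DEFAULT_UNIX_USER = "pcuser"  # "Default Unix User" from the cifs options output above


@dataclass
class Rule:
    position: int
    pattern: str      # regex; Python's re approximates ONTAP's POSIX patterns (assumption)
    replacement: str  # \1..\9 are back-references, \\ is a literal backslash, as in the output above


def apply_rules(rules, name):
    """Try rules in position order; the first rule whose pattern matches the whole
    name wins (full-name, case-sensitive matching is an assumption of this model)."""
    for rule in sorted(rules, key=lambda r: r.position):
        if re.fullmatch(rule.pattern, name):
            return re.sub(rule.pattern, rule.replacement, name)
    return None


def map_unix_to_win(rules, unix_name):
    """UNIX -> Windows: only explicit rules apply in this model."""
    return apply_rules(rules, unix_name)


def map_win_to_unix(rules, win_name, default_user=DEFAULT_UNIX_USER):
    """Windows -> UNIX, modelled as: explicit rule, else a UNIX user with the same
    name as the domain-stripped Windows name, else the configured default user."""
    mapped = apply_rules(rules, win_name)
    if mapped is None:
        bare = win_name.split("\\", 1)[-1]   # drop "FEA-RP\" prefix
        mapped = bare if bare in UNIX_USERS else default_user
    return mapped


def resolve_uid(unix_name):
    """secd-style lookup against the FILES source only (no LDAP/NIS in this model).
    None is the analogue of 'Unable to retrieve UID for UNIX user ...'."""
    return UNIX_USERS.get(unix_name)


# The rule shown above: every UNIX name becomes FEA-RP\<name>.
UNIX_WIN_RULES = [Rule(1, r"(.+)", r"FEA-RP\\\1")]
# Constructed win-unix rules for the two outcomes discussed in the thread.
STRIP_DOMAIN_RULES = [Rule(1, r"FEA-RP\\(.+)", r"\1")]      # yields a name FILES does not know
ALL_TO_PCUSER_RULES = [Rule(1, r"FEA-RP\\(.+)", "pcuser")]  # every FEA-RP user -> pcuser


if __name__ == "__main__":
    print("unix-win :", map_unix_to_win(UNIX_WIN_RULES, "jmaurin"))
    for label, rules in (("no rule", []), ("strip domain", STRIP_DOMAIN_RULES),
                         ("all to pcuser", ALL_TO_PCUSER_RULES)):
        unix_name = map_win_to_unix(rules, "FEA-RP\\jmaurin")
        print(f"win-unix ({label:13}): {unix_name!r} -> UID {resolve_uid(unix_name)}")
```

The point the model makes is that a mapping rule only produces a UNIX *name*; the quota target still has to resolve to a UID or GID in some configured source, which is why a domain-stripping rule fails exactly like the secd log above while a rule to `pcuser` succeeds.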
Re: Can't create group quota

Jonis

Solved!

I have mapped all win-users to 'pcuser'. Is this right?

Also, why do I need to map, since I'm using only NTFS security style on my volume?

Re: Can't create group quota

Ontapforrum

Solved = hurray 🙂

I was just reading this when you replied:

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-vsmg%2FGUID-A019B690-EB03-43C2-B755-1F265EC9E986.html&lang=en

The user-mapping parameter is set to "on" in the quota rule for the user.

I agree, with NTFS security-style, it should only need mapping of unix-user to Windows (by default unix-user 'pcuser' is defined in 8.3 and later)... I am thinking now.
