Microsoft Virtualization Discussions
Background:
I want to connect to the controller using my current credentials, with no prompts and no hard-coded creds in my scripts. I believe this requires an RPC connection, not HTTP(S).
Configuration:
Server and controller are on the same VLAN. No firewalls or routers separate them.
Tracing route to xxx-psan-02 [10.111.11.40]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms xxx-psan-02 [10.111.11.40]
Trace complete.
Result:
With a hard-coded credential and an HTTPS connection, Get-NaController is fine.
With the same hard-coded credential and an RPC connection, I get this result:
PS C:\temp> Connect-NaController -name xxx-psan-02 -RPC -Credential $cred
Connect-NaController : RPC Error: The RPC server is unavailable. Code 0x6BA.
At line:1 char:21
+ Connect-NaController <<<< -name wat-psan-02 -RPC -Credential $cred
+ CategoryInfo : InvalidResult: (wat-psan-02:NaController) [Connect-NaController], EAPITRANSMISSION
+ FullyQualifiedErrorId : RpcConnectionFailed,DataONTAP.PowerShell.SDK.ConnectNaController
RPC uses AD-based authentication, so your Windows host and your storage controller must be in the same Windows domain. Use 'cifs setup' or PowerShell commands to accomplish that. Also, you must ensure that the domain user that you have used to log into the Windows host is known to the storage controller (Set-NaDomainUser), since those are the credentials used to authenticate with the controller. Don't pass credentials to Connect-NaController when specifying -RPC.
Thank you. In addition to what you suggested, I realized that my "transmission path" isn't quite what I had expected.
Although my computer has a NIC on our iSCSI VLAN, and therefore a direct connection to the controller, that NIC doesn't have the Microsoft client bound to it. Therefore, the RPC setup traffic was still originating from another NIC (with an ACL between it and the controller).
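The checks discussed in the two posts above, as an added example that is not part of the original thread: it confirms domain membership, shows which NIC the route to the controller uses and whether "Client for Microsoft Networks" is bound to it, then connects over RPC without `-Credential`. It assumes Windows 8 / Server 2012 or later (for `Find-NetRoute` and `Get-NetAdapterBinding`) and the DataONTAP module; the controller name is the redacted one from the post.

```powershell
# Added example, not from the thread. 'xxx-psan-02' is the redacted controller name from the post.
param([string]$Controller = 'xxx-psan-02')
Import-Module DataONTAP -ErrorAction Stop

# 1. RPC uses AD-based authentication, so this host must be a domain member.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw "This host is not joined to a domain." }
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Domain: $($cs.Domain)  Logged-on identity used for RPC: $me"

# 2. Find the local address and NIC that Windows routes through to reach the controller.
$ip = [System.Net.Dns]::GetHostAddresses($Controller) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
if (-not $ip) { throw "No IPv4 address found for $Controller." }
$src = Find-NetRoute -RemoteIPAddress $ip.IPAddressToString | Select-Object -First 1
Write-Host "Route to $ip leaves via '$($src.InterfaceAlias)' ($($src.IPAddress))"

# 3. Check that 'Client for Microsoft Networks' (ms_msclient) is bound to that NIC.
#    In the thread, the directly connected NIC lacked it, so the RPC setup traffic
#    left from another NIC that had an ACL between it and the controller.
$binding = Get-NetAdapterBinding -Name $src.InterfaceAlias -ComponentID ms_msclient `
    -ErrorAction SilentlyContinue
if ($binding -and -not $binding.Enabled) {
    Write-Warning "Microsoft client is not bound to '$($src.InterfaceAlias)'; RPC traffic may originate from a different NIC."
}

# 4. Connect as the logged-on user: no -Credential with -RPC.
try {
    Connect-NaController -Name $Controller -RPC -ErrorAction Stop
} catch {
    switch -Regex ($_.Exception.Message) {
        'Code 0x6BA' { Write-Warning "RPC server unavailable: check the network path and NIC binding reported above." }
        'Code 0x5\b' { Write-Warning "Access denied: check that $me is known to the controller (Set-NaDomainUser)." }
    }
    throw
}
```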
Clinton,
Does this statement imply that you MUST have CIFS licensed on your controller in order to use RPC authentication?
So, in order to set up the filer in AD with cifs setup, you either need iscsi, fcp or cifs licensed.
OK, that works. I have FCP, iSCSI, and NFS, just no CIFS. So that's not my problem. I still can't connect via RPC. Not a big deal, I can connect via HTTP, but it is just annoying; it SHOULD work. And on top of it the 2240 works, yet the dctest looks the same on all three controllers. The 3270s just don't work. I get a 0x5 error (authentication).
Oops. Just saw Clinton's reply. So CIFS is the requirement I don't have. Hmmm. I'll have to talk to my NetApp Sales rep. Thank you!
Yes.
Have you gone through cifs setup and added it to the domain?
When I do a cifs testdc and a domaininfo, they both show connected correctly. Now when I do an adupdate, it doesn't work. I'm not sure why.
What's the story with Clustered ONTAP? How do you get Connect-NcController to automatically use the credentials of the logged-on user to connect to the SVM? I still don't want to hard-code usernames or passwords in the script.
We have been using Set-NcCredential to cache username and password details on a particular server we want to run scripts on, not ideal but avoids having the passwords in the script!
The Toolkit's credentials cache is the way to go for now. I'm unaware of any RPC support, either current or on the roadmap, in Clustered Data ONTAP.
Clinton - OK, my disclaimer is that I have yet to go down cluster-mode.
But are you saying we can't use AD authentication via CIFS like we do in 7-mode to manage the filers via PowerShell?
That's what I'm saying. I would love to be proven wrong.
I am also getting an RPC error - also tried http/s.
I am using a domain account that is in the 'domain admin' group and also in builtin\administrators on the controller.
I have no problem logging in with that user from PuTTY.
"ensure that the domain user that you have used to log into the Windows host is known to the storage controller - Don't pass credentials to Connect-NaController when specifying -RPC."
I am using a VPN to connect to the controller's network - I am indeed using a different domain on my Windows host.
Is there no way to connect? (I cannot add the domain user I'm using on my local PC to the controller.)
Connect-NaController : RPC Error: Access is denied. Code 0x5.
At C:\connect.ps1:6 char:21
+ connect-nacontroller <<<< -name 10.0.8.8 -credential $FasCred -rpc
+ CategoryInfo : InvalidResult: (10.0.8.8:NaController) [Connect-NaController], EAPITRANSMISSION
+ FullyQualifiedErrorId : RpcConnectionFailed,DataONTAP.PowerShell.SDK.ConnectNaController
++++++++++++++++++++
UPDATE
I've just managed to connect to a different filer with the same domain user, so it is definitely something in the filer's configuration - but what?