Hello
I'm running a cDOT 9 simulator.
Set up LDAP + LDAP client + nsswitch. Disabled NIS.
Want to map win-name to the same name in UNIX, without using NIS.
ldap client show -client-config ldapsvm01 -ad-domain fn2.XXXXX.com
Vserver: fnxdeb100_svm01
Client Configuration Name: ldapsvm01
LDAP Server List: -
Active Directory Domain: fn2.XXXXX.com
Preferred Active Directory Servers: 10.96.81.249
Bind Using the Vserver's CIFS Credentials: true
Schema Template: RFC-2307
LDAP Server Port: 389
Query Timeout (sec): 3
Minimum Bind Authentication Level: sasl
Bind DN (User): myuser
Base DN: DC=fn2,DC=XXXXX,DC=com
Base Search Scope: subtree
User DN: -
User Search Scope: subtree
Group DN: -
Group Search Scope: subtree
Netgroup DN: -
Netgroup Search Scope: subtree
Vserver Owns Configuration: true
Use start-tls Over LDAP Connections: false
Enable Netgroup-By-Host Lookup: false
Netgroup-By-Host DN: -
Netgroup-By-Host Scope: subtree
Client Session Security: none
###############
ldapsearch on client shows fields uid, uidnumber, gidnumber etc.:
sAMAccountName: bentele_test
uid: 2019
gidNumber: 123456
uidNumber: 2019
####
diag secd authentication translate -node fnxdeb100-01 -vserver fnxdeb100_svm01 -uid 2019
Vserver: fnxdeb100_svm01 (internal ID: 3)
Error: Acquire UNIX credentials procedure failed
[ 5 ms] Successfully connected to ip 10.96.81.249, port 389 using
        TCP
**[ 10] FAILURE: User ID '2019' not found in UNIX authorization
**      source LDAP.
[ 10] Entry for user-id: 2019 not found in the current source:
      LDAP. Ignoring and trying next available source
[ 11] Entry for user-id: 2019 not found in the current source:
      FILES. Entry for user-id: 2019 not found in any of the
      available sources
[ 11] Unable to retrieve UNIX username for UID 2019
vserver services name-service ns-switch show
                             Source
Vserver         Database     Order
--------------- ------------ ---------
fnxdeb100       hosts        files,
                             dns
fnxdeb100       group        files
fnxdeb100       passwd       files
fnxdeb100_svm01 hosts        dns,
                             files
fnxdeb100_svm01 group        ldap,
                             files
fnxdeb100_svm01 passwd       ldap,
                             files
fnxdeb100_svm01 netgroup     files
fnxdeb100_svm01 namemap      ldap
QUESTION: How do I activate UNIX authorization source LDAP, so that instead of
diag secd authentication show-creds -node fnxdeb100-01 -vserver fnxdeb100_svm01 -win-name bentele_test -list-name true
UNIX UID: pcuser <> Windows User: FN2\bentele_test (Windows Domain User)
GID: pcuser
Supplementary GIDs:
pcuser
UNIX UID : bentele_test Windows User: FN2\bentele_test
is mapped?
Thank you