Solved: Secondary Membership Groups with Active Directory and likewise

CURUFINWE · ‎2011-07-28

We are trying to setup authentication through Active Directory. We are using Likewise to add uid, gid and other unix attributes to objects in AD.

Our setup is FAS3240 with DataONTAP 8.0.1

Our Active Directory server is running Windows server 2003 R2.

Our use case is volumes which are shared both through cifs and nfs.

We have based most of our configuration on the following documents:

- netapp tr 3458

- "Authenticating network appliances file servers with likewise and ad", from likewise.

So far, we were able to:

- Join the filer to the domain.

- Configure ldap so that the following commands return information

- wcc -s domain\user

- getXXbyYY getpwbyname_r user

- Access a share through cifs and browse and create files.

The issue is that

getXXbyYY getgrlist user

only returns one group, even though the user does have secondary groups.

When we run

wcc -s domain\user

we see one group listed under unix uid and multiple groups listed under nt membership.

So how do we retrieve all group membership from Active Directory?

As a reference, here is our ldap configuration

> options ldap
ldap.ADdomain                blabla.net
ldap.base                    DC=blabla,DC=net
ldap.base.group              dc=blabla,dc=net
ldap.base.netgroup
ldap.base.passwd             DC=blabla,DC=net
ldap.enable                  on
ldap.minimum_bind_level      simple
ldap.name                    CN=Last\, First,OU=Users,OU=Some Place,DC=blabla,DC=net
ldap.nssmap.attribute.gecos gecos
ldap.nssmap.attribute.gidNumber gidNumber
ldap.nssmap.attribute.groupname cn
ldap.nssmap.attribute.homeDirectory unixHomeDirectory
ldap.nssmap.attribute.loginShell loginShell
ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
ldap.nssmap.attribute.memberUid memberUid
ldap.nssmap.attribute.netgroupname cn
ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple
ldap.nssmap.attribute.uid    sAMAccountName
ldap.nssmap.attribute.uidNumber uidNumber
ldap.nssmap.attribute.uniqueMember member
ldap.nssmap.attribute.userPassword userPassword
ldap.nssmap.objectClass.groupOfUniqueNames group
ldap.nssmap.objectClass.nisNetgroup nisNetgroup
ldap.nssmap.objectClass.posixAccount user
ldap.nssmap.objectClass.posixGroup group
ldap.passwd                  ******
ldap.port                    389
ldap.rfc2307bis.enable       on
ldap.servers
ldap.servers.preferred
ldap.ssl.enable              off
ldap.timeout                 20
ldap.usermap.attribute.unixaccount sAMAccountName
ldap.usermap.attribute.windowsaccount sAMAccountName
ldap.usermap.base            dc=blabla,dc=net
ldap.usermap.enable          off
ldap.usermap.symmetriclookup no
ldap.usermap.windows-to-unix.objectClass User

CURUFINWE · ‎2011-09-01

We have had a lot of back and forth with NetApp support on this. In the end, we found the following:

- This is caused by bug 314631 (see https://now.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=314631)

- The resolution is to set the following hidden option:

ldap.skip_cn_unescape.enable on

Once we set this option, things work much better.

View solution in original post

CURUFINWE · ‎2011-09-01

We have had a lot of back and forth with NetApp support on this. In the end, we found the following:

- This is caused by bug 314631 (see https://now.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=314631)

- The resolution is to set the following hidden option:

ldap.skip_cn_unescape.enable on

Once we set this option, things work much better.

oweinmann · ‎2012-07-17

Hi,

sorry for picking up this old thread but I stumbled across a similar issue today when trying to configure nfsv4. I can't see the secondary group memberships.

We have 2008 R2 with RFC schema enabled.

Our OnTAP version is 8.0.1 P4. Accoding to the bug report it should be fixed in this release.

Regards,

Oliver