Adding additional details should this still be an issue or if others come across. The answer to this is indeed a local user on the controller / vfiler. Then you will need to set the password of the local user to be the exact same as the password of the account on the Windows server. The following happens when you attempt to access a share via CIFS:
Client: Clicks on start --> run and types: \\nascontroller\datashare <ENTER> - Once you hit enter, the user will first need to be Authenticated. Windows will attempt authentication by submitting credentials in the back ground to "nascontroller". Those credentials will be that of the currently logged in user. So say for example the local user logged in is bobbyj and a local account also exists on nascontroller. Windows will submit credentials tied to bobbyj's local account on the client attempting access to the share.
When those credentials are received by nascontroller, it will compare them against the local account it has in it's account database called bobbyj. The passwords will not match and thus the client will be denied access.
The way around this is to setup what is called Passthrough. All that you need to do is create a local user on the controller that matches the user that will be accessing the share and set their passwords to be exactly the same thing. This KB discusses this - https://kb.netapp.com/support/index?page=content&id=1011622&locale=en_US .