ONTAP Discussions

7MTT Cifs Migration Keeping IP and Identity

SimonGordon
2,549 Views

We are trying to migrate several cifs filers & vfilers to cmode and in our testing have come across some problems when trying to follow the transition guide.

Though not mentioned, you can't create a cifs server on the new SVM without a lif so you have to borrow a temp IP and create a temp lif. Then you can create a cifs server with a temp identity.

If you follow the ONTAP 8 procedure, the guide doesn't mention how to reconfigure the cifs server on the 7mode system without terminating cifs then re-running cifs setup which is disruptive to clients.

We tried to follow the procedure for ONTAP 9.0 or later and failed to successfully run the vserver cifs modify command to change the cifs netbios name to the 'real' name. The error we got indicated our AD domain id didn't have rights to rename the  cifs identity but it can add and remove entries.

::> vserver cifs modify -vserver testsvm -cifs-server testsvm 

In order to create an Active Directory machine account for the CIFS server, you must supply the name and password of a Windows account with sufficient privileges to add
computers to the "CN=Computers" container within the "xxxxxxx" domain.
Enter the user name: xxxxxxx
Enter the password:xxxxxxxxxx

Error: Machine account creation procedure failed
  [   721] Loaded the preliminary configuration.
  [   822] Successfully connected to ip aa.bb.cc.dd, port 88 using TCP
  [  1031] Successfully connected to ip aa.bb.cc.dd, port 389 using TCP
**[  1140] FAILURE: Could not rename existing account
**         'CN=testsvmtempid,CN=Computers,DC=xxx,DC=xxxxx,DC=com'
**         to 'cn= testsvm,CN=Computers,dc=XXX,dc=XXXXX,dc=COM':
**         Insufficient access
Error: command failed: Failed to create the Active Directory machine account "TESTSVM". Reason: LDAP Error: The user has insufficient access rights.

Our domain admins weren't aware of any permissions that could be applied to our ID to allow the modify to run. We ended-up having the domain admin remove the old and temporary vfiler/SVM entries in the domain, deleting the SVM's cifs configuration then recreating it with the 'real' identity. This resulted in losing the cifs shares from the SVM so they had to be recreated by hand. 

What permissions do we need to be able to run the vserver cifs modify so the migrations can be done with minimal disruption? Due to security concerns, we would not be allowed to use a domain admin account so we're looking to understand what the minimum set of permissions would be. 

1 REPLY 1
Public