ONTAP Discussions
Is there a secd or other command equivalent to 7-mode wcc -x to expire the secd credential cache?
This should be equivalent...there are many -cache-name fields also pasted below.
::*> diag secd cache clear -node node_name -vserver svm_name -cache-name name-to-sid
::*> diag secd cache clear -node node_name -vserver svm_name -cache-name sid-to-name
Fields -cache-name
ad-to-netbios-domain | netbios-to-ad-domain
ems-delivery | ldap-groupid-to-name
ldap-groupname-to-id | ldap-userid-to-creds
ldap-username-to-creds | log-duplicate
name-to-sid | sid-to-name
nis-groupid-to-name | nis-groupname-to-id
nis-userid-to-creds | nis-username-to-creds
nis-group-membership | netgroup
schannel-key | lif-bad-route-to-target
username-to-creds | ad-sid-to-local-membership
netgroup-host
Thanks Scott.
I already came across these cache values. Do I need to expire a number of these to obtain the same functionality as the wcc -x command?
I'm experiencing odd behavior w/ NFSv4 mounts that appears to be related to id mapping. Happens every 20 minutes. Per WCC default of 20 minutes in 7-mode, I was hoping to discover a cache setting w/ an equivalent expiry time, but most of the expiry for the relevant values in this list is 86400 which I take to be in seconds.
Know of any 20-minute cachings that occur?
There are two places where cred caches are kept.
One is the secd cache that Scott listed.
However, there is another cache that ages out every 20 minutes. This is located on each node's nblade.
To view creds:
::> set diag
::*> diag nblade credentials show -vserver flexvol -unix-user-name root
Getting credential handles.
2 handles found....
Getting cred 0 for user.
Global Virtual Server: 3
Cred Store Uniquifier: 20
Cifs SuperUser Table Generation: 0
Locked Ref Count: 0
Info Flags: 1
Alternative Key Count: 0
Additional Buffer Count: 0
Allocation Time: 0 ms
Hit Count: 0 ms
Locked Count: 0 ms
Windows Creds:
Flags: 0
Primary Group: S-0-0
Unix Creds:
Flags: 0
Domain ID: 0
Uid: 0
Gid: 1
Additional Gids:
Getting cred 1 for user.
Global Virtual Server: 3
Cred Store Uniquifier: 20
Cifs SuperUser Table Generation: 0
Locked Ref Count: 0
Info Flags: 1
Alternative Key Count: 0
Additional Buffer Count: 1
Allocation Time: 0 ms
Hit Count: 0 ms
Locked Count: 0 ms
Windows Creds:
Flags: 695
Primary Group: S-1-5-21-3413584004-3312044262-250399859-513
Domain 0 (S-1-5-21-3413584004-3312044262-250399859):
Rid 0: 500
Rid 1: 572
Rid 2: 519
Rid 3: 518
Rid 4: 512
Rid 5: 520
Rid 6: 1157
Rid 7: 513
Domain 1 (S-1-5-32):
Rid 0: 544
Rid 1: 545
Domain 2 (S-1-1):
Rid 0: 0
Domain 3 (S-1-5):
Rid 0: 11
Rid 1: 2
Unix Creds:
Flags: 0
Domain ID: 0
Uid: 0
Gid: 0
Additional Gids:
Gid 0: 0
To age out the cache:
::*> diag nblade credentials flush -vserver flexvol
FlushCredStore succeeded flushing 3 entries
::*> diag nblade credentials show -vserver flexvol -unix-user-name root
Getting credential handles.
Error: command failed: RPC call to SecD failed. RPC: "cred store: not found". Reason: "".
This cache is not currently configurable from the cluster shell. RFE 825687 was filed to add this functionality.
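An added example, not part of the thread: a small Python parser for the "diag nblade credentials show" output pasted above. It rebuilds full SIDs from each Domain/Rid pair and names the well-known privileged groups a cached credential still carries, which helps when checking whether a flush was needed after a group change. The function names and the shortened sample are assumptions made for illustration.

```python
import re

# Constructed sample, shortened, in the format of the output posted above.
SAMPLE = """\
Getting cred 0 for user.
Primary Group: S-0-0
Unix Creds:
Uid: 0
Gid: 1
Getting cred 1 for user.
Domain 0 (S-1-5-21-3413584004-3312044262-250399859):
Rid 0: 500
Rid 1: 519
Rid 2: 513
Domain 1 (S-1-5-32):
Rid 0: 544
Unix Creds:
Domain ID: 0
Uid: 0
Gid: 0
Additional Gids:
Gid 0: 0
"""

# Microsoft well-known RIDs: domain-relative and BUILTIN (S-1-5-32).
DOMAIN_PRIV = {500: "Administrator", 512: "Domain Admins",
               518: "Schema Admins", 519: "Enterprise Admins"}
BUILTIN_PRIV = {544: "BUILTIN\\Administrators"}

def parse_creds(text):
    """Return one dict per 'Getting cred N' block: full SIDs, uid, gid."""
    creds, dom = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Getting cred "):
            creds.append({"sids": [], "uid": None, "gid": None})
            dom = None
        elif not creds:
            continue  # header lines before the first credential
        elif m := re.match(r"Domain \d+ \((S-[\d-]+)\):", line):
            dom = m.group(1)  # "Domain ID: 0" does not match this
        elif (m := re.match(r"Rid \d+: (\d+)", line)) and dom:
            creds[-1]["sids"].append(f"{dom}-{m.group(1)}")
        elif m := re.match(r"(Uid|Gid): (\d+)", line):
            creds[-1][m.group(1).lower()] = int(m.group(2))  # skips "Gid 0: 0"
    return creds

def privileged(cred):
    """Names of well-known privileged groups among the credential's SIDs."""
    hits = []
    for sid in cred["sids"]:
        base, rid = sid.rsplit("-", 1)
        table = BUILTIN_PRIV if base == "S-1-5-32" else DOMAIN_PRIV if base.startswith("S-1-5-21-") else {}
        hits += [table[int(rid)]] if int(rid) in table else []
    return hits
```

Run it over output captured before and after a flush to compare the group memberships each cached entry held.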
That's what I was looking for. I also came across this eventually, but it didn't help with being able to reproduce the noted issue I've been seeing.
Thanks for supplying this detail of information though. Maybe it will be useful for folks to reference.
You mentioned an "odd behavior"...
Is this regarding case 2004909371? Looks like it, judging from the case notes. I suppose you're Barry?
I mentioned to the case owner that there is a way to adjust the nblade cred cache timeout value. Did you ever attempt to do that?
I'll send you an email with the steps on how to do that.