ONTAP Discussions

Command to expire Credential Cache in CDOT 8.2.1

bsnyder27
8,923 Views

Is there a secd or other command equivalent to 7-mode wcc -x to expire the secd credential cache?

1 ACCEPTED SOLUTION

parisi
8,923 Views

There are two places where cred caches are kept.

One is the secd cache that Scott listed.

However, there is another cache that ages out every 20 minutes. This is located on each node's nblade.

To view creds:

::> set diag
::*> diag nblade credentials show -vserver flexvol -unix-user-name root

Getting credential handles.
2 handles found....
Getting cred 0 for user.
          Global Virtual Server: 3
          Cred Store Uniquifier: 20
Cifs SuperUser Table Generation: 0
               Locked Ref Count: 0
                     Info Flags: 1
          Alternative Key Count: 0
        Additional Buffer Count: 0
                Allocation Time: 0 ms
                      Hit Count: 0 ms
                   Locked Count: 0 ms
Windows Creds:
        Flags: 0
        Primary Group: S-0-0
Unix Creds:
        Flags: 0
        Domain ID: 0
        Uid: 0
        Gid: 1
        Additional Gids:
Getting cred 1 for user.
          Global Virtual Server: 3
          Cred Store Uniquifier: 20
Cifs SuperUser Table Generation: 0
               Locked Ref Count: 0
                     Info Flags: 1
          Alternative Key Count: 0
        Additional Buffer Count: 1
                Allocation Time: 0 ms
                      Hit Count: 0 ms
                   Locked Count: 0 ms
Windows Creds:
        Flags: 695
        Primary Group: S-1-5-21-3413584004-3312044262-250399859-513
        Domain 0 (S-1-5-21-3413584004-3312044262-250399859):
                Rid 0: 500
                Rid 1: 572
                Rid 2: 519
                Rid 3: 518
                Rid 4: 512
                Rid 5: 520
                Rid 6: 1157
                Rid 7: 513
        Domain 1 (S-1-5-32):
                Rid 0: 544
                Rid 1: 545
        Domain 2 (S-1-1):
                Rid 0: 0
        Domain 3 (S-1-5):
                Rid 0: 11
                Rid 1: 2
Unix Creds:
        Flags: 0
        Domain ID: 0
        Uid: 0
        Gid: 0
        Additional Gids:
                Gid 0: 0

To age out the cache:

::*> diag nblade credentials flush -vserver flexvol

FlushCredStore succeeded flushing 3 entries

::*> diag nblade credentials show -vserver flexvol -unix-user-name root

Getting credential handles.
Error: command failed: RPC call to SecD failed. RPC: "cred store: not found".  Reason: "".

This cache is not currently configurable from the cluster shell. RFE 825687 was filed to add this functionality.

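As an added example (not from the thread, and not NetApp's own tooling), here is a small parser for the "diag nblade credentials show" output quoted above. It rebuilds each cached handle's Windows SIDs from the Domain/Rid lines and the Unix uid/gid, then flags any well-known privileged group the cached root mapping carries, which is what an admin reviewing a stale cred cache usually wants to know before flushing it. The sample text is a constructed, trimmed copy of the output in the accepted answer; the privileged-SID table uses Microsoft-documented well-known values.

```python
import re  # parses 'diag nblade credentials show' output (format quoted above) and audits cached creds

# Well-known privileged SIDs/RIDs (Microsoft-documented values).
PRIVILEGED_SIDS = {"S-1-5-32-544": "BUILTIN\\Administrators"}
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}

def parse_creds(text):
    # One dict per 'Getting cred N for user.' block; full SIDs are assembled from Domain + Rid lines.
    creds, cur, domain = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Getting cred "):
            cur = {"sids": [], "uid": None, "gid": None, "extra_gids": []}
            creds.append(cur)
        elif cur is None: continue  # skip header lines before the first cred
        elif m := re.match(r"Domain \d+ \((S-[\d-]+)\):", s):
            domain = m.group(1)
        elif m := re.match(r"Rid \d+: (\d+)", s):
            cur["sids"].append(f"{domain}-{m.group(1)}")
        elif m := re.match(r"(Uid|Gid): (\d+)", s):
            cur[m.group(1).lower()] = int(m.group(2))
        elif m := re.match(r"Gid \d+: (\d+)", s):
            cur["extra_gids"].append(int(m.group(1)))
    return creds

def privileged_memberships(cred):
    # Names of privileged groups carried by the cred's Windows SIDs (domain RIDs only for S-1-5-21-* domains).
    names = []
    for sid in cred["sids"]:
        dom, _, rid = sid.rpartition("-")
        name = PRIVILEGED_SIDS.get(sid) or (dom.startswith("S-1-5-21-") and PRIVILEGED_RIDS.get(int(rid)))
        if name:
            names.append(name)
    return names

SAMPLE = """Getting cred 0 for user.
Unix Creds:
        Uid: 0
        Gid: 1
Getting cred 1 for user.
Windows Creds:
        Domain 0 (S-1-5-21-3413584004-3312044262-250399859):
                Rid 0: 500
        Domain 1 (S-1-5-32):
                Rid 0: 544
Unix Creds:
        Uid: 0
        Gid: 0
        Additional Gids:
                Gid 0: 0"""  # constructed sample, trimmed from the output quoted in the accepted answer
```

Feed it the full "diag nblade credentials show" output captured from a cluster and print privileged_memberships() for each handle to see which mapping a cached root credential is currently getting.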

5 REPLIES

scottgelb
8,923 Views

This should be equivalent...there are many -cache-name fields also pasted below.

::*> diag secd cache clear -node node_name -vserver svm_name -cache-name name-to-sid

::*> diag secd cache clear -node node_name -vserver svm_name -cache-name sid-to-name

Fields -cache-name

ad-to-netbios-domain   netbios-to-ad-domain
ems-delivery           ldap-groupid-to-name
ldap-groupname-to-id   ldap-userid-to-creds
ldap-username-to-creds log-duplicate
name-to-sid            sid-to-name
nis-groupid-to-name    nis-groupname-to-id
nis-userid-to-creds    nis-username-to-creds
nis-group-membership   netgroup
schannel-key           lif-bad-route-to-target
username-to-creds      ad-sid-to-local-membership
netgroup-host

bsnyder27
8,923 Views

Thanks Scott.

I already came across these cache values. Do I need to expire a number of these to obtain the same functionality as the wcc -x command?

I'm experiencing odd behavior w/ NFSv4 mounts that appears to be related to id mapping. Happens every 20 minutes. Per WCC default of 20 minutes in 7-mode, I was hoping to discover a cache setting w/ an equivalent expiry time, but most of the expiry for the relevant values in this list is 86400, which I take to be in seconds.

Know of any 20-minute cachings that occur?


bsnyder27
8,923 Views

That's what I was looking for.  I also came across this eventually, but it didn't help with being able to reproduce the noted issue I've been seeing.

Thanks for supplying this detail of information though.  Maybe it will be useful for folks to reference.

parisi
8,923 Views

You mentioned an "odd behavior"...

Is this regarding case 2004909371? Looks like it, judging from the case notes. I suppose you're Barry?

I mentioned to the case owner that there is a way to adjust the nblade cred cache timeout value. Did you ever attempt to do that?

I'll send you an email with the steps on how to do that.
