ONTAP Discussions
Hi,
We are testing an upgrade from ONTAP 8.3 to ONTAP 9.0 and 9.1RC.
This name mapping works in ONTAP 8.3:
Kerberos to UNIX:
Pattern: (.+)\$@DOMAIN.COM Replacement: nfsuser
This name mapping doesn't work in ONTAP 9.x:
Kerberos to UNIX:
Pattern: (.+)\$@DOMAIN.COM Replacement: nfsuser
This is the error from my NetApp:
12/2/2016 15:19:23 MYNODE ERROR secd.nfsAuth.problem: vserver (nfsv4) General NFS authorization problem. Error: RPC accept GSS token procedure failed
[ 24 ms] Acquired NFS service credential for logical interface 1027 (SPN='nfs/nfsv4.domain.com@DOMAIN.COM').
[ 31] GSS_S_COMPLETE: client = 'MYCOMPUTER$@DOMAIN.COM'
[ 32] Trying to map SPN 'MYCOMPUTER$@DOMAIN.COM' to UNIX user 'MYCOMPUTER$' using implicit mapping
[ 37] Entry for user-name: MYCOMPUTER$ not found in the current source: FILES. Ignoring and trying next available source
[ 48] Successfully connected to ip 1.1.1.1 port 389 using TCP
[ 3063] LDAP search for the "uid, uidNumber, gidNumber, unixUserPassword, name, unixHomeDirectory, loginShell" attribute(s) within base "dc=domain,dc=com" (scope: 2) using filter "(&(objectClass=User)(uid=MYCOMPUTER$))" failed with error: Timed out
[ 3063] Additional info:
[ 3064] Source: LDAP unavailable. Entry for user-name:MYCOMPUTER$ not found in any of the available sources
[ 3064] Unable to map SPN 'MYCOMPUTER$@DOMAIN.COM'
[ 3064] FAILURE: Unable to map Kerberos NFS user 'MYCOMPUTER$@DOMAIN.COM' to appropriate UNIX user
[ 3065] Failed to accept the context: The routine completed successfully (minor: Unknown error). Result = 6916
Note: this one works on ONTAP 9:
Kerberos to UNIX:
Pattern: (.+)@DOMAIN.COM Replacement: nfsuser
Though I do not want all the domain krb users mapped to nfsuser, only MACHINESHORTNAME$@DOMAIN.COM.
Additionally, my LDAP translations are working:
diag secd authentication translate -node MYNODE -vserver NFS4 -unix-user-name MYUSERNAME 12345
Also, is there an easier way to test krb, like I can test UNIX IDs?
diag secd authentication translate -node MYNODE -vserver NFS4 -unix-user-name MYUSERNAME
Thanks in advance.
Ben
What's probably happening here is that the name mapping is trying to use the name without the @DOMAIN.COM appended. That's why it can't seem to find it.
I'd say change the rule (or add a second rule) to be (.+)\$ (without the @DOMAIN.COM portion).
It may be that the changes in 8.3.2 to support asymmetric name mappings caused this. See page 66 of TR-4073 for details of those.
http://www.netapp.com/us/media/tr-4073.pdf
I'd suggest opening a support case either way. If the above fixes the issue, we need to call out the default behavior in docs and file a bug.
If the above doesn't work, a support case can help you get to the bottom of this and file a bug if necessary.
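To make concrete what the reply above suggests about where the realm gets stripped, here is an added Python illustration. It is not ONTAP code and not from any poster in this thread; it models a name-mapping rule as a regular expression that must match the whole name (an assumption about ONTAP's matching semantics) and applies the thread's patterns both to the full Kerberos principal and to the realm-stripped name that the secd trace shows ('MYCOMPUTER$'). The principals and the tightened pattern at the end are constructed for the example.

```python
import re

# Constructed sample principals, not taken from the original poster's environment.
PRINCIPALS = [
    "MYCOMPUTER$@DOMAIN.COM",  # machine account: the one the poster wants mapped to nfsuser
    "alice@DOMAIN.COM",        # ordinary user: must NOT be mapped to nfsuser
    "HOST$@OTHER.COM",         # machine account from a different realm
]

# Name-mapping rules from the thread, plus one tightened variant (assumption, not from the page).
# Each value is (pattern, replacement); the replacement may use \1-style back-references.
RULES = {
    "with_realm":      (r"(.+)\$@DOMAIN.COM",  "nfsuser"),  # works on 8.3, fails on 9.x per the thread
    "without_realm":   (r"(.+)\$",             "nfsuser"),  # the suggested second rule
    "all_users":       (r"(.+)@DOMAIN.COM",    "nfsuser"),  # works on 9.x but maps every user
    "with_realm_tight": (r"(.+)\$@DOMAIN\.COM", "nfsuser"),  # '.' escaped so it only matches a literal dot
}


def strip_realm(principal):
    """Return the principal without its @REALM, i.e. the form the secd log calls 'implicit mapping'."""
    return principal.rsplit("@", 1)[0]


def apply_rule(name, pattern, replacement):
    """Apply one mapping rule. Returns the mapped UNIX name if the whole name matches, else None.

    fullmatch() is used because a name-mapping pattern is assumed to be anchored to the
    entire candidate name (an assumption about ONTAP; the thread does not state it).
    """
    m = re.fullmatch(pattern, name)
    if m is None:
        return None
    return m.expand(replacement)


def map_name(principal, rule, realm_stripped=False):
    """Map a Kerberos principal using the named rule.

    realm_stripped=False models matching against the full principal (the 8.3 behaviour
    the poster relied on); realm_stripped=True models matching against the bare name
    that the 9.x trace shows being looked up ('MYCOMPUTER$').
    """
    pattern, replacement = RULES[rule]
    candidate = strip_realm(principal) if realm_stripped else principal
    return apply_rule(candidate, pattern, replacement)


def mapping_table():
    """Evaluate every principal against every rule in both modes; handy for eyeballing the difference."""
    rows = []
    for principal in PRINCIPALS:
        for rule in RULES:
            for stripped in (False, True):
                rows.append((principal, rule, stripped, map_name(principal, rule, stripped)))
    return rows


if __name__ == "__main__":
    for principal, rule, stripped, result in mapping_table():
        form = "stripped" if stripped else "full    "
        print(f"{principal:26} {rule:17} {form}  -> {result}")
```

Two things the table makes visible: `(.+)\$@DOMAIN.COM` can never match once the realm has been removed, which is exactly the hypothesis in the reply above, while `(.+)\$` matches the stripped machine name and still rejects ordinary users because it requires the trailing `$`. The caveats are that a realm-less rule no longer distinguishes realms (the OTHER.COM machine account maps too), and that the unescaped `.` in `DOMAIN.COM` matches any character, so the escaped `DOMAIN\.COM` form is the safer way to write a realm-specific rule.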
Thanks Justin; unfortunately, adding another (.+)\$ name-mapping rule didn't fix the issue. I will open a support case and reference what you mentioned.
BTW: your document (Secure Unified Authentication for NFS Kerberos, NFSv4, and LDAP in Clustered Data ONTAP) saved us lots of time setting up krb5 in our NFS environment. Thank you 🙂
For the sake of completeness: this issue was addressed in (1041909) and fixed in Data ONTAP 9.1RC2.