ONTAP Discussions

NDMP backup of vFiler in different AD domain

moncsko
8,319 Views

Hi All,

IHAC who is looking to do NDMP backups of volumes on a vFiler that is in a different AD domain than the physical filer (vfiler0). The challenge has been authenticating to the backup server, which is a member of the same AD domain as the vFiler being backed up. Since NDMP dumps can only be done from the context of vfiler0, the authentication fails. There is no trust relationship between the two AD domains.

Does anyone have any experience in getting this to work, or if not, could suggest a feasible alternative for backing up these volumes? Any input would be greatly appreciated.

Thanks.

Brian Moncsko

1 ACCEPTED SOLUTION

scottgelb
8,319 Views

What account are you authenticating with for NDMP?  You could create a local user account on vfiler0 "useradmin user add ndmpuser -g "backup operators" , set a password, then for the ndmp software to authenticate use the "ndmpuser" user then the output of "ndmpd password ndmpuser".. The ndmp authentication will be separate from the domain with the local user.  You could also authenticate the root account with the root password (no need for ndmpd password for the root user).

View solution in original post

10 REPLIES 10

scottgelb
8,320 Views

What account are you authenticating with for NDMP?  You could create a local user account on vfiler0 "useradmin user add ndmpuser -g "backup operators" , set a password, then for the ndmp software to authenticate use the "ndmpuser" user then the output of "ndmpd password ndmpuser".. The ndmp authentication will be separate from the domain with the local user.  You could also authenticate the root account with the root password (no need for ndmpd password for the root user).

furqan_ghani
8,266 Views

Hi Scott,

I have a bit strange issue which is stopping me to configure vfiler.

In my customer environment they are using very complex password for the root user. And whenever I tried to create the vfiler using the default root id/password it throws following error.

-> Check if remote host is reachable or SSL is enabled on it. If the command is still failing then check for proper login credentials.

So in order to narrow down the problem I have created another user "vfadmin" and used a non complex password which works fine for me and I was able create, and setup DR with failover/failback operation using the same user.

Question:

Do you know if there is a limitation on vfiler password policy? This is bit of strange problem.

Quickest answer is highly appreciable.

Best Regards,

Zearik

scottgelb
8,266 Views

Newer ontap doesn't create root In the vFiler. If you use a non complex password then use passed to change it to complex it throws that error? Sounds like a bug.

Is it in the vFiler or vfiler0 for the user? Sounds like the vFiler

Sent from my iPhone 5

furqan_ghani
8,266 Views

i am using ONTAP 8.1-7mode and it asks to create root user during vfiler create wizard.  Interesting point is this new vfiler root user is also not accepting the complex password.

This is all happening with the nondefault vfiler. vfiler0 is working fine with the complex password letters

rbala
8,266 Views

Hi Ghani,

   As per the doc, vfiler(other than vfiler0 root)root also required an encrypted
password what you get from by runing “ndmpd password user”.

I would like to understand what you mean by complex password, whether it is a
ndmpd password output? Please confirm.

  Excerpts from the man page:

  Ndmpd password [ username ]

  Displays an NDMP specific password
for any existing Data ONTAP non-root user account. Starting with Data ONTAP
6.4, NDMP allows the non-root user login to NDMP server and perform the NDMP
backup and NDMPCOPY operations. In the case of a non-default vfiler the command
must be run in the vfiler context and will display the NDMP specific password
for all accounts on the vfiler including root. At NDMP login, the server
authenticates the user name and the corresponding NDMP specific password to
grant access to the user. However, the root login authentication process on the
default vfiler remains the same. There is no NDMP specific password for root
for the default vfiler. Based on the way we create the NDMP specific password
that any change to a Data ONTAP administrative user password will invalidate
the associated NDMP specific password.

Thanks,

Bala

furqan_ghani
8,266 Views

Hi Bala,

My question is relatively different then the NDMP.

I am facing a problem where I was able to create a vfiler and protect that at DR using credential with noncomplex password means the password contains only letter and didgits and none of the special character . However if I am using the complex password then vfiler DR setup command is throwing following error.

-> Check if remote host is reachable or SSL is enabled on it. If the command is still failing then check for proper login credentials.


This behavior is exhibiting the limitation of vfiler password support of special character, which I have concluded is not accepting the complex password.

If you know about such limitation kindly explain.

scottgelb
8,266 Views

VFiler dr and migrate commands use vfiler0 credentials. The mirror and authentication of those commands don't use a vFiler user outside of vfiler0.

Sent from my iPhone 5

furqan_ghani
8,266 Views

Oh yes thats the right point, I can recall, that I have used another user created on vfiler0 with a simple passowrd and it was working fine with vfiler dr command.

But the question is still there.

Why the--> vfiler dr configure -c secure -l root:P@ssw054d#   <--     just cant work. However the  same command --> vfiler dr configure -c secure -l root:passw0rd <--works perfectly fine.

rbala
6,256 Views

Hi Ghani,

Sorry, what I mention in previous email for NDMP authentication
not for vfiler dr configure.

  

Thanks,

Bala

rbala
8,266 Views

Hi,

It is nothing to do with AD domain authentication, use Data ONTAP local user account as Scottgelb suggested.

Also, while adding the vFiler into NBU client list, authenticate with NDMP encrypted password,

You may get an error like "Unable to validate the filer wide credentials, NDMP failed to verify host(58)"  if you authenticate using clear text password.

Run following command in Data ONTAP CLI and use the encrypted password for NBU NDMP authentication.

NetAppStor> ndmpd password administrator
password hSNAg0rQEVlRA6fI

I hope this helps you.

Thanks,

Bala

Public