ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

Ask a Question

vserver active-directory create RPC timeouts

BenCoughtry
‎2018-03-22 01:56 PM
3,966 Views

Hi all, I I'm trying to setup an AD connection in order to domain authenticate cluster admins and I have 2x CDOT 8.2.2 clusters which time out when on the command 'vserver active-directory create'.  CIFS is not licensed so I cannot use a CIFS vserver.  The commands I'm using (below) work perfectly on other clusters running newer versions of OnTap (9.1 or 9.2).  Since the same commands exist on 8.2.2 I'm assuming this is supposed to work, but not sure what the problem is.

 

After I run the command, AD logs confirm the connection without errors and in fact show the new account in the Computers OU.  If I run the command a second time OnTap tells me that the account already exists and asks if I want to reuse it, but then upon answering YES the command still times again with the same error.  Thus, I know the cluster is talking to the local domain controller and I don't know why it is failing.  Any advice would be appreciated - thanks!  See CLI output below:

 

 

 

san901-cluster::> domain-tunnel show
(security login domain-tunnel show)
Tunnel Vserver: ldap_svm

 

san901-cluster::> vserver active-directory create -vserver ldap_svm -domain xxx.xxxx -account-name san901-cluster

In order to create an Active Directory machine account, you must supply the name and password of a Windows account with sufficient privileges to add computers to the "CN=Computers" container within the
"xxxx" domain.

 

Enter the user name: xxxxx

Enter the password:

 

Warning: An account by this name already exists in Active Directory at CN=SAN901-CLUSTER,CN=Computers,DC=xxx,DC=xxxx
Ok to reuse this account? {y|n}: y

Error: command failed: Failed to create the Active Directory machine account "SAN901-CLUSTER". Reason: ad_machine_account_create: RPC: Timed out; ct = 0x826104800 rem_addr = 127.0.0.1:655.

 

san901-cluster::> vserver active-directory show
This table is currently empty.

0 Kudos
View By:
Tags (1)
2 REPLIES 2

BenCoughtry
‎2018-04-13 05:22 PM
3,855 Views

The answer to this appears to have been to create the vserver with the "-ns-switch ldap" flag via CLI.  I had previously created the vserver from the GUI and this setting defaulted to NIS, which explains why the account was added to AD but OnTap was unable to recieve the acknowledgement of success, and thus timed out.  I never had this problem doing the same with OnTap 9+.

 

I don't understand the ins and outs of why this worked, but AD authentication for cluster admins works great now and CIFS is still unlicensed.

 

Hopefully someone finds this helpful someday!  Cheers

0 Kudos

Sahana
NetApp
‎2018-04-22 09:48 PM
3,782 Views

Hi,

 

Refer KB https://kb.netapp.com/app/answers/answer_view/a_id/1027853/loc/en_US

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.
0 Kudos
All Community Forums
Public