Hi,
Just as a follow-up to my mails from a month ago, this has been acknowledged as burt 1089872. https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=1089872
Best regards, Filip
On Sat, Oct 7, 2017 at 4:12 AM, Parisi, Justin Justin.Parisi@netapp.com wrote:
Thanks Filip.
I’d suggest opening a case and getting a bug filed.
From: Filip Sneppe [mailto:filip.sneppe@gmail.com]
Sent: Friday, October 6, 2017 2:02 AM
To: Parisi, Justin Justin.Parisi@netapp.com
Cc: toasters@teaparty.net
Subject: Re: Windows-to-unix usermapping through LDAP not working: RESULT_ERROR_SECD_CONFIGURATION_NOT_FOUND
Hi Justin,
Thanks for taking the time to reply to this.
To answer your question, I specified the SVM.
But based on your comment that it should work to use the built-in schemas, I did a little more testing, and I think the problem is related to the MS-AD-BIS schema that was added in 9.1. In my experience, it cannot be used directly. Below is an example with:
- direct use of the MS-AD-BIS schema (doesn't work)
- use of an unmodified copy of the MS-AD-BIS schema (works)
- direct use of another built-in schema, AD-IDMU (also works)
(in the output below, I search-replaced the clustername, the domainname, and the username)
This is on 9.1P8.
cluster::*> ldap delete -vserver nfscorpprd01
Warning: "LDAP" is present as one of the sources in one or more ns-switch databases but no valid LDAP configuration was found for Vserver "nfscorpprd01". Remove "LDAP" from ns-switch using the "vserver services name-service ns-switch" command. Configuring "LDAP" as a source in the ns-switch setting when there is no valid configuration can cause protocol access issues.
cluster::*> ldap client create -client-config DOESNTWORK -vserver nfscorpprd01 -ad-domain prod.justacompany.be -schema MS-AD-BIS -bind-as-cifs-server true -min-bind-level simple -base-dn "DC=prod,DC=justacompany,DC=be"
cluster::*> ldap create -vserver nfscorpprd01 -client-config DOESNTWORK
cluster::*> diag secd name-mapping show -node cluster-01 -vserver nfscorpprd01 -direction win-unix prod\johndoe
ATTENTION: Mapping of Data ONTAP "admin" users to UNIX user "root" is enabled, but the following information does not reflect this mapping.
'prod\johndoe' maps to 'pcuser'
=====
cluster::*> ldap client schema copy -schema MS-AD-BIS -new-schema-name COPY-OF-MS-AD-BIS -vserver nfscorpprd01
cluster::*> ldap client create -client-config WORKS -vserver nfscorpprd01 -ad-domain prod.justacompany.be -schema COPY-OF-MS-AD-BIS -bind-as-cifs-server true -min-bind-level simple -base-dn "DC=prod,DC=justacompany,DC=be"
cluster::*> ldap delete -vserver nfscorpprd01
Warning: "LDAP" is present as one of the sources in one or more ns-switch databases but no valid LDAP configuration was found for Vserver "nfscorpprd01". Remove "LDAP" from ns-switch using the "vserver services name-service ns-switch" command. Configuring "LDAP" as a source in the ns-switch setting when there is no valid configuration can cause protocol access issues.
cluster::*> ldap create -vserver nfscorpprd01 -client-config WORKS
cluster::*> diag secd name-mapping show -node cluster-01 -vserver nfscorpprd01 -direction win-unix prod\johndoe
ATTENTION: Mapping of Data ONTAP "admin" users to UNIX user "root" is enabled, but the following information does not reflect this mapping.
'prod\johndoe' maps to 'johndoe'
=====
cluster::*> ldap client create -client-config ALSOWORKS -vserver nfscorpprd01 -ad-domain prod.justacompany.be -schema AD-IDMU -bind-as-cifs-server true -min-bind-level simple -base-dn "DC=prod,DC=justacompany,DC=be"
cluster::*> ldap delete -vserver nfscorpprd01
Warning: "LDAP" is present as one of the sources in one or more ns-switch databases but no valid LDAP configuration was found for Vserver "nfscorpprd01". Remove "LDAP" from ns-switch using the "vserver services name-service ns-switch" command. Configuring "LDAP" as a source in the ns-switch setting when there is no valid configuration can cause protocol access issues.
cluster::*> ldap create -vserver nfscorpprd01 -client-config ALSOWORKS
cluster::*> diag secd name-mapping show -node cluster-01 -vserver nfscorpprd01 -direction win-unix prod\johndoe
ATTENTION: Mapping of Data ONTAP "admin" users to UNIX user "root" is enabled, but the following information does not reflect this mapping.
'prod\johndoe' maps to 'johndoe'
Best regards,
Filip
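As an added example (not from the thread and not NetApp tooling), the following Python parses a captured transcript of test runs like the ones above and reports, per LDAP client-config, whether the Windows user received its own UNIX identity or silently collapsed to the default user 'pcuser'. The embedded transcript is a constructed abridgement of the output in the mail; the verdict labels are my own.

```python
import re

# Constructed, abridged transcript of the three test runs in the mail (one ===== separated section per client-config).
SAMPLE_TRANSCRIPT = r"""
cluster::*> ldap create -vserver nfscorpprd01 -client-config DOESNTWORK
'prod\johndoe' maps to 'pcuser'
=====
cluster::*> ldap create -vserver nfscorpprd01 -client-config WORKS
'prod\johndoe' maps to 'johndoe'
=====
cluster::*> ldap create -vserver nfscorpprd01 -client-config ALSOWORKS
'prod\johndoe' maps to 'johndoe'
"""

# "ldap create ... -client-config NAME" (not "ldap client create") tells us which config was active for the mapping test below it.
CONFIG_RE = re.compile(r"^cluster::\*> ldap create\b.*-client-config\s+(\S+)")
MAPPING_RE = re.compile(r"^'([^']+)' maps to '([^']+)'$")

def parse_transcript(text):
    """Return [(client_config, {windows_user: unix_user}), ...], one tuple per ===== section."""
    sections = []
    for chunk in text.split("====="):
        config, mapping = None, {}
        for line in chunk.splitlines():
            line = line.strip()
            m = CONFIG_RE.match(line)
            if m:
                config = m.group(1)
                continue
            m = MAPPING_RE.match(line)
            if m:
                mapping[m.group(1)] = m.group(2)
        if config is not None:
            sections.append((config, mapping))
    return sections

def classify(sections, default_user="pcuser"):
    """Verdict per config: ok / fallback (everyone became default_user) / privileged (someone became root) / no result."""
    verdict = {}
    for config, mapping in sections:
        if not mapping:
            verdict[config] = "no result"
        elif "root" in mapping.values():
            verdict[config] = "privileged"
        elif all(u == default_user for u in mapping.values()):
            verdict[config] = "fallback"
        else:
            verdict[config] = "ok"
    return verdict
```

Running `classify(parse_transcript(SAMPLE_TRANSCRIPT))` flags DOESNTWORK as "fallback" and the two others as "ok", which is the distinction the pcuser result above hides when you only look at whether the command succeeded.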