Hi,

Just as a follow-up to my mails from a month ago, this has been acknowledged as burt 1089872.
https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=1089872


Best regards,
Filip

On Sat, Oct 7, 2017 at 4:12 AM, Parisi, Justin <Justin.Parisi@netapp.com> wrote:

Thanks Filip.

I’d suggest opening a case and getting a bug filed.

From: Filip Sneppe [mailto:filip.sneppe@gmail.com]
Sent: Friday, October 6, 2017 2:02 AM
To: Parisi, Justin <Justin.Parisi@netapp.com>
Cc: toasters@teaparty.net
Subject: Re: Windows-to-unix usermapping through LDAP not working: RESULT_ERROR_SECD_CONFIGURATION_NOT_FOUND

Hi Justin,

Thanks for taking the time to reply to this.

To answer your question, I specified the SVM.

But based on your comment that it should work to use the built-in schemas, I did a little more testing, and I think the problem is related to the MS-AD-BIS schema that was added in 9.1. In my experience, it cannot be used directly. Below is an example with:

- direct use of the MS-AD-BIS schema (doesn't work)
- use of an unmodified copy of the MS-AD-BIS schema (works)
- direct use of another built-in schema, AD-IDMU (also works)

(in the output below, I search-replaced the clustername, the domainname, and the username)

This is on 9.1P8.

cluster::*> ldap delete -vserver nfscorpprd01

Warning: "LDAP" is present as one of the sources in one or more ns-switch
         databases but no valid LDAP configuration was found for Vserver
         "nfscorpprd01". Remove "LDAP" from ns-switch using the "vserver
         services name-service ns-switch" command. Configuring "LDAP" as a
         source in the ns-switch setting when there is no valid configuration
         can cause protocol access issues.
         
cluster::*> ldap client create -client-config DOESNTWORK -vserver nfscorpprd01 -ad-domain prod.justacompany.be -schema MS-AD-BIS -bind-as-cifs-server true -min-bind-level simple -base-dn "DC=prod,DC=justacompany,DC=be"

cluster::*> ldap create -vserver nfscorpprd01 -client-config DOESNTWORK

cluster::*> diag secd name-mapping show -node cluster-01 -vserver nfscorpprd01 -direction win-unix prod\johndoe

ATTENTION: Mapping of Data ONTAP "admin" users to UNIX user "root" is enabled, but the following information does not reflect this mapping.

'prod\johndoe' maps to 'pcuser'

=====

cluster::*> ldap client schema copy -schema MS-AD-BIS -new-schema-name COPY-OF-MS-AD-BIS -vserver nfscorpprd01

cluster::*> ldap client create -client-config WORKS -vserver nfscorpprd01 -ad-domain prod.justacompany.be -schema COPY-OF-MS-AD-BIS -bind-as-cifs-server true -min-bind-level simple -base-dn "DC=prod,DC=justacompany,DC=be"

cluster::*> ldap delete -vserver nfscorpprd01

Warning: "LDAP" is present as one of the sources in one or more ns-switch
         databases but no valid LDAP configuration was found for Vserver
         "nfscorpprd01". Remove "LDAP" from ns-switch using the "vserver
         services name-service ns-switch" command. Configuring "LDAP" as a
         source in the ns-switch setting when there is no valid configuration
         can cause protocol access issues.

cluster::*> ldap create -vserver nfscorpprd01 -client-config WORKS

cluster::*> diag secd name-mapping show -node cluster-01 -vserver nfscorpprd01 -direction win-unix prod\johndoe

ATTENTION: Mapping of Data ONTAP "admin" users to UNIX user "root" is enabled, but the following information does not reflect this mapping.

'prod\johndoe' maps to 'johndoe'

=====

cluster::*> ldap client create -client-config ALSOWORKS -vserver nfscorpprd01 -ad-domain prod.justacompany.be -schema AD-IDMU -bind-as-cifs-server true -min-bind-level simple -base-dn "DC=prod,DC=justacompany,DC=be"

cluster::*> ldap delete -vserver nfscorpprd01

Warning: "LDAP" is present as one of the sources in one or more ns-switch
         databases but no valid LDAP configuration was found for Vserver
         "nfscorpprd01". Remove "LDAP" from ns-switch using the "vserver
         services name-service ns-switch" command. Configuring "LDAP" as a
         source in the ns-switch setting when there is no valid configuration
         can cause protocol access issues.

cluster::*> ldap create -vserver nfscorpprd01 -client-config ALSOWORKS

cluster::*> diag secd name-mapping show -node cluster-01 -vserver nfscorpprd01 -direction win-unix prod\johndoe

ATTENTION: Mapping of Data ONTAP "admin" users to UNIX user "root" is enabled, but the following information does not reflect this mapping.

'prod\johndoe' maps to 'johndoe'

Best regards,

Filip
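As an added example (not part of this thread or of NetApp's tooling): a small Python check that parses the `diag secd name-mapping show` output quoted above and flags any client-config whose Windows-to-UNIX mapping silently collapsed onto the CIFS server's default UNIX user (`pcuser` in the mail), which is the symptom seen with the MS-AD-BIS schema. The client-config names, the sample output and the default-user value are taken from the mail as assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the three `diag secd name-mapping show` runs from the
# thread, keyed by the ldap client-config name that was active for each run.
SAMPLE_RUNS: Dict[str, str] = {
    "DOESNTWORK": (
        'ATTENTION: Mapping of Data ONTAP "admin" users to UNIX user "root" is '
        "enabled, but the following information does not reflect this mapping.\n\n"
        "'prod\\johndoe' maps to 'pcuser'\n"
    ),
    "WORKS": "'prod\\johndoe' maps to 'johndoe'\n",
    "ALSOWORKS": "'prod\\johndoe' maps to 'johndoe'\n",
}

# Matches the result line:  'DOMAIN\user' maps to 'unixname'
MAPS_TO = re.compile(r"^'(?P<win>[^']+)' maps to '(?P<unix>[^']+)'$")


def parse_mappings(output: str) -> Dict[str, str]:
    """Return {windows_principal: unix_user} from secd name-mapping output,
    skipping the ATTENTION banner and blank lines."""
    result: Dict[str, str] = {}
    for line in output.splitlines():
        m = MAPS_TO.match(line.strip())
        if m:
            result[m.group("win")] = m.group("unix")
    return result


def audit_runs(
    runs: Dict[str, str],
    default_unix_user: str = "pcuser",  # assumed CIFS default UNIX user
    expected: Optional[Dict[str, str]] = None,
) -> List[Tuple[str, str, str, str]]:
    """Flag runs whose mapping fell back to the default UNIX user (a failed
    LDAP lookup, not an error) or disagrees with the expected UNIX name.
    Returns (config, windows_user, unix_user, reason) tuples."""
    findings: List[Tuple[str, str, str, str]] = []
    for config, output in runs.items():
        for win, unix in parse_mappings(output).items():
            if unix == default_unix_user:
                findings.append((config, win, unix, "fell back to default UNIX user"))
            elif expected and expected.get(win) not in (None, unix):
                findings.append((config, win, unix, f"expected {expected[win]}"))
    return findings


if __name__ == "__main__":
    for finding in audit_runs(SAMPLE_RUNS, expected={"prod\\johndoe": "johndoe"}):
        print("%s: %s -> %s (%s)" % finding)
```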