Addendum: the nblade credentials command is not the command to use. Use the ones noted in the TR. ________________________________ From: Parisi, Justin Justin.Parisi@netapp.com Sent: Thursday, August 19, 2021 1:42:28 PM To: Rue, Randy randyrue@gmail.com; Toasters toasters@teaparty.net Subject: Re: wedged updates to changes to users' group memberships
Check TR-4835. There is a section on name service caches and how to clear them. ________________________________ From: Toasters toasters-bounces@teaparty.net on behalf of Rue, Randy randyrue@gmail.com Sent: Thursday, August 19, 2021 1:10:33 PM To: Toasters toasters@teaparty.net Subject: Re: wedged updates to changes to users' group memberships
NetApp Security WARNING: This is an external email. Do not click links or open attachments unless you recognize the sender and know the content is safe.
OK, cleared up two config glitches in case they were a factor:
1) removed the LDAP config from the cluster itself.
2) The SVM was set for anonymous LDAP binds (we allow those on our LDAP servers) but also had a user set and with no password. Tried to remove the user but System Manager insisted on having something there. Changed auth to Simple and set the PW. Scary, as this is our prod system. Took the settings and we still appear to be authenticating.
So we're still stuck on the original issue and have a prominent user unable to work and facing a deadline/
Calling NetApp but would be grateful for any guidance.
Randy
On 8/19/2021 9:20 AM, Rue, Randy wrote:
An update.
We've realized that the cluster itself is configured for LDAP, and set to bind anonymously using invalid LDAP credentials. The SVM appears to be correctly configured for LDAP. Is it possible the two configs are conflicting?
Randy
On 8/19/2021 8:59 AM, Randy Rue wrote:
Hello All,
We recently cut over from a FAS to an AFF running 9.8P1. Serving CIFS and NFSv3 with authentication tied to openLDAP.
When we change group memberships in LDAP the filer fails to see the change in group memberships for some varying amount of time.
We had been able to use the flush command to force the filer to update it's user/group membership lists. This was changed in our current version, 9.8P1, and we have switched to using the replacement command.
This used to work: set diag; diag nblade credentials flush -node $NODE -vserver $VSERVER -unix-user-name $USER
We think this should be the new command but does not seem to perform as expected: set -privilege advanced -confirmations off; credentials flush -node $NODE -vserver $VSERVER -unix-user-name $USER
The new flush command does not seem to perform with any reliability. It's worth noting that we have many groups so have set the group limit to 512 as described here: https://library.netapp.com/ecmdocs/ECMP1610208/html/GUID-1D3D018C-DF37-4C87-...
As of this writing, we have 2 users whose group memberships were updated over 24 hours ago and they are still unable to access the relevant files over CIFS. We were able to demonstrate that the user can in fact access those files over NFS using the `newgrp` command to select the new group and access the files however after dropping the `newgrp` identity, we were once again denied access to the location.
Are we missing something?
Grateful for any help...
Randy Rue in Seattle
_______________________________________________ Toasters mailing list Toasters@teaparty.net https://www.teaparty.net/mailman/listinfo/toasters