Hi,
Just as a follow-up to my mails from a month ago, this has been acknowledged as burt 1089872. https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=1089872
Best regards, Filip
On Sat, Oct 7, 2017 at 4:12 AM, Parisi, Justin Justin.Parisi@netapp.com wrote:
Thanks Filip.
I’d suggest opening a case and getting a bug filed.
From: Filip Sneppe [mailto:filip.sneppe@gmail.com]
Sent: Friday, October 6, 2017 2:02 AM
To: Parisi, Justin Justin.Parisi@netapp.com
Cc: toasters@teaparty.net
Subject: Re: Windows-to-unix usermapping through LDAP not working: RESULT_ERROR_SECD_CONFIGURATION_NOT_FOUND
Hi Justin,
Thanks for taking the time for replying to this.
To answer your question, I specified the SVM.
But based on your comment that it should work to use the built-in schemas, I did a little more testing, and I think the problem is related to the MS-AD-BIS schema that was added in 9.1. In my experience, it cannot be used directly. Below is an example with:
- direct use of the MS-AD-BIS schema (doesn't work)
- use of an unmodified copy of the MS-AD-BIS schema (works)
- direct use of another built-in schema, AD-IDMU (also works)
(in the output below, I search-replaced the clustername, the domainname, and the username)
This is on 9.1P8.
cluster::*> ldap delete -vserver nfscorpprd01
Warning: "LDAP" is present as one of the sources in one or more ns-switch databases but no valid LDAP configuration was found for Vserver "nfscorpprd01". Remove "LDAP" from ns-switch using the "vserver services name-service ns-switch" command. Configuring "LDAP" as a source in the ns-switch setting when there is no valid configuration can cause protocol access issues.
cluster::*> ldap client create -client-config DOESNTWORK -vserver nfscorpprd01 -ad-domain prod.justacompany.be -schema MS-AD-BIS -bind-as-cifs-server true -min-bind-level simple -base-dn "DC=prod,DC=justacompany,DC=be"
cluster::*> ldap create -vserver nfscorpprd01 -client-config DOESNTWORK
cluster::*> diag secd name-mapping show -node cluster-01 -vserver nfscorpprd01 -direction win-unix prod\johndoe
ATTENTION: Mapping of Data ONTAP "admin" users to UNIX user "root" is enabled, but the following information does not reflect this mapping.
'prod\johndoe' maps to 'pcuser'
=====
cluster::*> ldap client schema copy -schema MS-AD-BIS -new-schema-name COPY-OF-MS-AD-BIS -vserver nfscorpprd01
cluster::*> ldap client create -client-config WORKS -vserver nfscorpprd01 -ad-domain prod.justacompany.be -schema COPY-OF-MS-AD-BIS -bind-as-cifs-server true -min-bind-level simple -base-dn "DC=prod,DC=justacompany,DC=be"
cluster::*> ldap delete -vserver nfscorpprd01
Warning: "LDAP" is present as one of the sources in one or more ns-switch databases but no valid LDAP configuration was found for Vserver "nfscorpprd01". Remove "LDAP" from ns-switch using the "vserver services name-service ns-switch" command. Configuring "LDAP" as a source in the ns-switch setting when there is no valid configuration can cause protocol access issues.
cluster::*> ldap create -vserver nfscorpprd01 -client-config WORKS
cluster::*> diag secd name-mapping show -node cluster-01 -vserver nfscorpprd01 -direction win-unix prod\johndoe
ATTENTION: Mapping of Data ONTAP "admin" users to UNIX user "root" is enabled, but the following information does not reflect this mapping.
'prod\johndoe' maps to 'johndoe'
=====
cluster::*> ldap client create -client-config ALSOWORKS -vserver nfscorpprd01 -ad-domain prod.justacompany.be -schema AD-IDMU -bind-as-cifs-server true -min-bind-level simple -base-dn "DC=prod,DC=justacompany,DC=be"
cluster::*> ldap delete -vserver nfscorpprd01
Warning: "LDAP" is present as one of the sources in one or more ns-switch databases but no valid LDAP configuration was found for Vserver "nfscorpprd01". Remove "LDAP" from ns-switch using the "vserver services name-service ns-switch" command. Configuring "LDAP" as a source in the ns-switch setting when there is no valid configuration can cause protocol access issues.
cluster::*> ldap create -vserver nfscorpprd01 -client-config ALSOWORKS
cluster::*> diag secd name-mapping show -node cluster-01 -vserver nfscorpprd01 -direction win-unix prod\johndoe
ATTENTION: Mapping of Data ONTAP "admin" users to UNIX user "root" is enabled, but the following information does not reflect this mapping.
'prod\johndoe' maps to 'johndoe'
Best regards,
Filip
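The failure mode in the thread is silent: with the broken client config the SVM does not raise an error, it just maps the Windows user to the default UNIX user (pcuser), which is exactly the outcome an administrator can miss until file permissions behave oddly. The following is an added example, not code from the thread or from NetApp: a small Python checker that parses the result lines of `diag secd name-mapping show` for several client configs and flags any run whose result is only the default UNIX user. It assumes the SVM's `-default-unix-user` is still the ONTAP default "pcuser" (pass another value if it has been changed), and the config names and sample outputs are constructed from the three runs above.

```python
import re
from typing import Dict, List, NamedTuple

# ONTAP falls back to the SVM's default UNIX user when no mapping is found;
# the CIFS server option -default-unix-user is "pcuser" unless changed.
# Assumption for this example: the SVM still uses that default.
DEFAULT_UNIX_USER = "pcuser"

# Matches the result line of "diag secd name-mapping show", e.g.
#   'prod\johndoe' maps to 'johndoe'
MAP_RE = re.compile(r"^'(?P<win>[^']+)' maps to '(?P<unix>[^']+)'\s*$")


class Mapping(NamedTuple):
    windows_user: str
    unix_user: str
    fell_back: bool  # True when the result is just the default UNIX user


def parse_secd_mapping(output: str,
                       default_unix_user: str = DEFAULT_UNIX_USER) -> List[Mapping]:
    """Extract the 'X maps to Y' results; the ATTENTION banner and blank
    lines are skipped. A mapping whose UNIX side equals the default UNIX
    user is marked as a fallback (LDAP lookup found nothing)."""
    mappings = []
    for line in output.splitlines():
        m = MAP_RE.match(line.strip())
        if not m:
            continue
        unix_user = m.group("unix")
        mappings.append(Mapping(m.group("win"), unix_user,
                                unix_user == default_unix_user))
    return mappings


def classify_config(output: str,
                    default_unix_user: str = DEFAULT_UNIX_USER) -> str:
    """Verdict for one client config's secd output:
    'ok' (a real mapping came back), 'fallback' (only the default UNIX
    user, i.e. the LDAP mapping did not work) or 'no-result'."""
    mappings = parse_secd_mapping(output, default_unix_user)
    if not mappings:
        return "no-result"
    return "fallback" if any(m.fell_back for m in mappings) else "ok"


def classify_all(outputs: Dict[str, str]) -> Dict[str, str]:
    """Verdict per client-config name."""
    return {name: classify_config(text) for name, text in outputs.items()}


# Constructed sample outputs, modelled on the three runs in the thread
# (hypothetical config names DOESNTWORK / WORKS / ALSOWORKS as used there).
ATTENTION = ('ATTENTION: Mapping of Data ONTAP "admin" users to UNIX user '
             '"root" is enabled, but the following information does not '
             'reflect this mapping.')
SAMPLE_OUTPUTS = {
    "DOESNTWORK": ATTENTION + "\n'prod\\johndoe' maps to 'pcuser'\n",
    "WORKS":      ATTENTION + "\n'prod\\johndoe' maps to 'johndoe'\n",
    "ALSOWORKS":  ATTENTION + "\n'prod\\johndoe' maps to 'johndoe'\n",
}


if __name__ == "__main__":
    for name, verdict in classify_all(SAMPLE_OUTPUTS).items():
        print(f"{name:12s} {verdict}")
```

The check only detects the "landed on the default user" case; a Windows account whose intended UNIX identity really is pcuser would be flagged too, so treat a "fallback" verdict as something to confirm with `vserver name-mapping show` and the LDAP client's schema rather than as proof of misconfiguration on its own.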