CIFS shares inaccessible in clustered Data ONTAP 8.3.x
Applies to
- Clustered Data ONTAP 8.3
- OnCommand System Manager (OCSM)
Issue
CIFS shares on the Storage Virtual Machine (SVM) might become inaccessible in the following scenarios:
- Newly created SVMs on clustered Data ONTAP 8.3RC1
- After an upgrade to clustered Data ONTAP 8.3 or later
A client attempts to mount a clustered Data ONTAP NFS SVM; however, after running the mount command, the client console hangs. Pressing Ctrl+C exits the hang, but the mount fails. If the user waits for some time (more than 2 minutes), the client displays "Connection timed out".
The following error messages are reported in the SECD logs:
ERR : Error: Acquire UNIX credentials procedure failed
ERR : [ 0 ms] Entry found for group-membership: pcuser using source: FILES
ERR : [ 29] Connecting to NIS server 172.16.29.220
ERR : **[ 31] FAILURE: nscc_conn_connect function returned error: Could not connect to server
ERR : [ 32] No servers available for NIS, vserver: 3, domain: .
ERR : [ 32] Failed finding entry for group-membership: pcuser using source: NIS. Returning failure
debug: Logged secd.nfsAuth.noUnixCreds to EMS { in logEmsEventWithJournalForNfsAuthError()
All three of the following symptoms might be reported in this scenario:
- The SVM NIS server IP matches the Windows Active Directory Domain Controller IP. Microsoft "Server for NIS" services are NOT being used.
::> vserver services nis-domain show
                                         NIS
Vserver       Domain              Active Server
------------- ------------------- ------ ------------------------------------
SVM2          my.company          true   172.16.29.220
::> vserver cifs domain discovered-servers show
Node: node-01
Vserver: SVM2
Domain Name     Type     Preference DC-Name         DC-Address      Status
--------------- -------- ---------- --------------- --------------- ---------
my.company
                KERBEROS favored    w2k12r2dc1      172.16.29.220   OK
my.company
                MS-LDAP  favored    w2k12r2dc1      172.16.29.220   OK
my.company
- The NS-Switch for the SVM will contain NIS in the group database.
::> vserver services name-service ns-switch show
                             Source
Vserver         Database     Order
--------------- ------------ ---------
SVM2            hosts        dns, files
SVM2            group        files, nis
SVM2            passwd       files, nis
SVM2            netgroup     files, nis
SVM2            namemap      files
- For any SVM created using a version of OnCommand System Manager that supports Data ONTAP earlier than 8.3GA, with either only the NFS protocol or both the CIFS and NFS protocols selected during SVM creation and the default NIS settings left unchanged, the 'ns-switch' includes NIS as a source for group, password, and netgroup checks. The SVM is also configured with the Microsoft Windows Active Directory Domain Controller IP address as the active NIS server IP. As a result, after upgrading to clustered Data ONTAP 8.3RC1 or later, all CIFS shares might be inaccessible.
The Event log reports error messages such as the following:
12/19/2015 13:51:02 cm2552a-cn-01 WARNING exports.anoncred.anonToCred: Cannot retrieve credentials for "-anon" of "0" on Vserver "vs1" on node cm2552a-cn-01.
12/19/2015 13:51:02 cm2552a-cn-01 WARNING exports.anoncred.userToCred: Cannot retrieve credentials for user ID "0" on Vserver "vs1" on node cm2552a-cn-01.
12/19/2015 13:51:02 cm2552a-cn-01 WARNING secd.nfsAuth.noUnixCreds: Vserver "vs1" cannot determine UNIX identity. Error: Acquire UNIX credentials procedure failed
[ 2 ms] Entry found for group-membership: root using source: FILES
[ 3] Connecting to NIS server 10.128.239.164
**[ 3007] FAILURE: nscc_conn_connect function returned error: Could not connect to server
[ 3008] No servers available for NIS, vserver: 7, domain: .
[ 3008] Failed finding entry for group-membership: root using source: NIS. Returning failure
12/19/2015 13:51:02 cm2552a-cn-01 ERROR secd.nis.connectFailure: vserver (vs1) could not make a connection over the network to NIS server (10.128.239.164) at address (10.128.239.164) and received error (Could not connect to server)
A packet trace will also confirm that the NIS server is not responding to the controller's queries.
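The symptoms listed above can be checked together from saved output of the three show commands. The following Python is an added example, not NetApp code: it flags SVMs whose active NIS server is also a discovered domain controller while ns-switch still lists nis. It assumes the whitespace-separated column layout shown in this article; the function names and the sample output (including SVM3, unix.example and 192.0.2.53) are constructed for illustration.

```python
import re
from collections import defaultdict

IPV4 = re.compile(r"(\d{1,3}\.){3}\d{1,3}$")  # IPv4 only, enough for this check
# Constructed sample output, modelled on the CLI output shown in this article.
NIS_SHOW = """\
Vserver       Domain              Active Server
SVM2          my.company          true   172.16.29.220
SVM3          unix.example        true   192.0.2.53
"""
DC_SHOW = """\
Vserver: SVM2
Domain Name     Type     Preference DC-Name         DC-Address      Status
my.company
                KERBEROS favored    w2k12r2dc1      172.16.29.220   OK
"""
NS_SWITCH_SHOW = """\
Vserver         Database     Order
SVM2            group        files, nis
SVM2            passwd       files, nis
SVM2            namemap      files
SVM3            group        files, nis
"""

def nis_servers(text):  # SVM -> server IPs of active NIS domains
    out = defaultdict(set)
    for f in map(str.split, text.splitlines()):
        if len(f) >= 4 and f[2] == "true":  # header and separator rows never match
            out[f[0]].update(ip for ip in "".join(f[3:]).split(",") if IPV4.match(ip))
    return out

def domain_controllers(text):  # SVM -> DC-Address values from discovered-servers
    out, svm = defaultdict(set), None
    for f in map(str.split, text.splitlines()):
        if len(f) == 2 and f[0] == "Vserver:":
            svm = f[1]  # rows that follow belong to this SVM
        elif svm and len(f) >= 5 and IPV4.match(f[-2]):
            out[svm].add(f[-2])
    return out

def nis_databases(text):  # SVM -> ns-switch databases whose source order lists nis
    out = defaultdict(list)
    for f in (line.split(None, 2) for line in text.splitlines()):
        if len(f) == 3 and "nis" in [s.strip() for s in f[2].split(",")]:
            out[f[0]].append(f[1])
    return out

def audit(nis_text, dc_text, ns_text):  # SVM -> (NIS IPs that are DCs, databases using nis)
    nis, dcs, dbs = nis_servers(nis_text), domain_controllers(dc_text), nis_databases(ns_text)
    return {svm: (sorted(ips & dcs[svm]), dbs[svm]) for svm, ips in nis.items() if ips & dcs[svm] and dbs[svm]}
```

With the constructed input, only SVM2 is reported; SVM3 uses NIS against a server that is not a domain controller and is left alone.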