Skip to main content

NetApp_Insight_2020.png 

NetApp Knowledgebase

CIFS shares inaccessible in clustered Data ONTAP 8.3.x

Views:
117
Visibility:
Public
Votes:
0
Category:
data-ontap-8
Specialty:
cifs
Last Updated:

Applies to

  • Clustered Data ONTAP 8.3
  • OnCommand System Manager (OCSM)

Issue

CIFS shares on the Storage Virtual Machine (SVM) might become inaccessible in the following scenario:
  • Newly-created SVMs on clustered Data ONTAP 8.3RC1
  • Post upgrade to clustered Data ONTAP 8.3 or later

Client attempts to mount a clustered Data ONTAP NFS SVM; however, after running the mount command, the client console hangs. Ctrl+C can exit the hang status, but the mount will fail. If the user waits for some time (more than 2 minutes), the client displays Connection timed out.

The following error messages are reported in the SECD logs:

ERR : Error: Acquire UNIX credentials procedure failed
ERR : [ 0 ms] Entry found for group-membership: pcuser using source: FILES
ERR : [ 29] Connecting to NIS server 172.16.29.220
ERR : **[ 31] FAILURE: nscc_conn_connect function returned error: Could not
connect to server
ERR : [ 32] No servers available for NIS, vserver: 3, domain: .
ERR : [ 32] Failed finding entry for group-membership: pcuser using source: NIS.
Returning failure
debug: Logged secd.nfsAuth.noUnixCreds to EMS { in
logEmsEventWithJournalForNfsAuthError()

All the three symptoms mentioned below might be reported in this scenario:
  1. The SVM NIS Server IP matches the Windows Active Directory Domain Controller IP.

    Microsoft "Server for NIS" services are NOT being used.

    ::> vserver services nis-domain show
    NIS
    Vserver Domain Active Server
    ------------- ------------------- ------ ------------------------------------
    SVM2 my.company true 172.16.29.220
    ::> vserver cifs domain discovered-servers show
    Node: node-01
    Vserver: SVM2
    Domain Name Type Preference DC-Name DC-Address Status
    --------------- -------- ---------- --------------- --------------- ---------
    my.company
    KERBEROS favored w2k12r2dc1 172.16.29.220 OK
    my.company
    MS-LDAP favored w2k12r2dc1 172.16.29.220 OK
    my.company

  2. The NS-Switch for the SVM will contain NIS in the group database.
    ::> vserver services name-service ns-switch show
    Source
    Vserver Database Order
    --------------- ------------ ---------
    SVM2 hosts dns, files
    SVM2 group files, nis
    SVM2 passwd files, nis
    SVM2 netgroup files, nis
    SVM2 namemap files

     
  3. Any SVM created using versions of OnCommand System Manager supporting Data ONTAP earlier than 8.3GA, where either only the NFS protocol or both the CIFS and NFS protocols are selected during SVM creation, with the default NIS settings unchanged, will result in the 'ns-switch' including NIS as a source for a group, password, and netgroup checks. The SVM will also be configured with the Microsoft Windows Active Directory Domain Controller IP address as the active NIS Server IP. As a result, after upgrading to clustered Data ONTAP 8.3RC1 or later, all CIFS shares might be inaccessible.

The Event log reports error messages such as the following:
12/19/2015 13:51:02 cm2552a-cn-01    WARNING       exports.anoncred.anonToCred: Cannot retrieve credentials for "-anon" of "0" on Vserver "vs1" on node cm2552a-cn-01.
12/19/2015 13:51:02 cm2552a-cn-01    WARNING       exports.anoncred.userToCred: Cannot retrieve credentials for user ID "0" on Vserver "vs1" on node cm2552a-cn-01.
12/19/2015 13:51:02 cm2552a-cn-01    WARNING       secd.nfsAuth.noUnixCreds: Vserver "vs1" cannot determine UNIX identity. Error: Acquire UNIX credentials procedure failed
  [  2 ms] Entry found for group-membership: root using source: FILES
  [     3] Connecting to NIS server 10.128.239.164
**[  3007] FAILURE: nscc_conn_connect function returned error: Could not connect to server
  [  3008] No servers available for NIS, vserver: 7, domain: .
  [  3008] Failed finding entry for group-membership: root using source: NIS. Returning failure
12/19/2015 13:51:02 cm2552a-cn-01    ERROR         secd.nis.connectFailure: vserver (vs1) could not make a connection over the network to NIS server (10.128.239.164) at address (10.128.239.164) and received error (Could not connect to server)

A packet trace will also confirm that the NIS server is not responding to the controller's queries.

1014869-1.jpg

 

CUSTOMER EXCLUSIVE CONTENT

Registered NetApp customers get unlimited access to our dynamic Knowledge Base.

New authoritative content is published and updated each day by our team of experts.

Current Customer or Partner?

Sign In for unlimited access

New to NetApp?

Learn more about our award-winning Support