Failed to resolve the SID for the account named "domain/group" while adding security group to cifs share
Applies to
ONTAP 9
Issue
Error observed while adding a domain group/user to a share ACL on storage:
::*> cifs share access-control create -share cifstest -user-or-group Test\group1234 -user-group-type windows -permission Full_Control
Error: command failed: Failed to resolve the security identifier (SID) for the account named "Test\group1234". Reason: Object name either does not exist or could not be resolved using the available servers. Check the event log for additional information.
EMS may point to issues such as the domain name service (DNS) not being reachable to discover a domain controller, or a domain controller not responding to requests.
Wed Jan 08 01:05:20 -0100 [hostname: secd: secd.unexpectedFailure:debug]: vserver (vserver) Unexpected failure.
Error: Lookup of CIFS account name procedure failed
[ 5 ms] Failed to connect to 10.1.1.2 for DNS via Source Address 10.3.3.3: No route to host
[ 5] Failed to connect to 10.2.3.4 for DNS via Source Address 10.3.3.3: No route to host
[ 5] Failed to connect to 10.1.3.5 for DNS via Source Address 10.3.3.3: No route to host
**[ 5] FAILURE: Unable to contact DNS to discover domain controllers.
[ 5] Unable to make a connection (LSA:DOMAIN.COM), result: 6812
[ 5] Could not find Windows name 'DOMAIN\GROUP NAME'
[ 5] CIFS name lookup failed
4/5/2022 06:59:02 hostname: 02 ERROR secd.cifsAuth.problem: vserver (svm_euw4asv001clu) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.120.1.1
[ 0 ms] Login attempt by domain user 'EU\user1' using NTLMv2 style security
[ 2011] TCP connection to ip 10.5.38.39, port 445 failed: Operation timed out.
[ 2011] Unable to connect to NetLogon service on euiadvs01.eu.bm.net (Error: RESULT_ERROR_SPINCLIENT_UNABLE_TO_RESOLVE_SERVER)
[ 4019] TCP connection to ip 10.30.0.217, port 445 failed: Operation timed out.
[ 4019] Unable to connect to NetLogon service on grcorvs101.eu.bm.net (Error: RESULT_ERROR_SPINCLIENT_UNABLE_TO_RESOLVE_SERVER)
[ 6030] TCP connection to ip 10.30.0.220, port 445 failed: Operation timed out.
[ 6030] Unable to connect to NetLogon service on grcorvs001.eu.bm.net (Error: RESULT_ERROR_SPINCLIENT_UNABLE_TO_RESOLVE_SERVER)
[ 8041] TCP connection to ip 10.31.1.43, port 445 failed: Operation timed out.
[ 8041] Unable to connect to NetLogon service on nlrtmvs001.eu.bm.net (Error: RESULT_ERROR_SPINCLIENT_UNABLE_TO_RESOLVE_SERVER)
**[ 8041] FAILURE: Unable to make a connection (NetLogon:EU.BM.NET), result: 6942
[ 8041] CIFS authentication failed
[ 8041] Retry requested, but the retry window (7000 ms) has expired; giving up.
- Packet trace shows the DC response is STATUS_NONE_MAPPED when storage sends a lookup for the group name.
No    Source         Destination    Protocol  String            Info
2310  10.216.41.154  10.216.41.30   LSARPC    naslab\group1234  lsa_LookupNames2 request
2314  10.216.41.30   10.216.41.154  LSARPC    NASLAB            lsa_LookupNames2 response, STATUS_NONE_MAPPED, Error: STATUS_NONE_MAPPED
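The same SID resolution error appears above with three different kinds of evidence: DNS servers unreachable, domain controllers timing out on port 445, and a DC that answers STATUS_NONE_MAPPED. The following Python script is an added example, not NetApp code or part of the original article; it sorts secd trace steps and the packet-trace row into those causes. The names triage and verdict and the result keys are assumptions made for this example, and the sample lines are copied from this page.

```python
import re

# Line shapes below are the ones in the secd traces quoted on this page.
STEP = re.compile(r"^\**\[\s*(\d+)(?:\s*ms)?\]\s*(.*)$")
DNS_FAIL = re.compile(r"Failed to connect to (\S+) for DNS via Source Address (\S+): (.+)")
TCP_FAIL = re.compile(r"TCP connection to ip (\S+), port (\d+) failed: (.+?)\.?$")
SVC_FAIL = re.compile(r"Unable to connect to (\w+) service on (\S+)")

def triage(lines):
    """Sort secd trace steps into DNS-path, DC-path and name-not-mapped evidence."""
    r = {"dns": [], "dc": [], "none_mapped": False, "elapsed_ms": 0}
    pending = None  # last TCP failure, waiting for the service line that names the DC
    for raw in lines:
        step = STEP.match(raw.strip())
        text = step.group(2) if step else raw.strip()
        if step:
            r["elapsed_ms"] = max(r["elapsed_ms"], int(step.group(1)))
        if m := DNS_FAIL.search(text):
            r["dns"].append({"server": m[1], "source": m[2], "reason": m[3]})
        elif m := TCP_FAIL.search(text):
            pending = {"ip": m[1], "port": int(m[2]), "reason": m[3]}
            r["dc"].append(pending)
        elif (m := SVC_FAIL.search(text)) and pending:
            pending.update(service=m[1], host=m[2])
            pending = None
        elif "STATUS_NONE_MAPPED" in text:
            r["none_mapped"] = True
    return r

def verdict(r):
    """Network causes win: a name cannot be looked up until DNS and a DC are reachable."""
    if r["dns"]:
        return "dns_unreachable"
    if r["dc"]:
        return "dc_unreachable"
    return "name_not_mapped" if r["none_mapped"] else "unknown"

# Sample lines copied from the traces on this page.
DNS_TRACE = [
    "[ 5 ms] Failed to connect to 10.1.1.2 for DNS via Source Address 10.3.3.3: No route to host",
    "[ 5] Failed to connect to 10.2.3.4 for DNS via Source Address 10.3.3.3: No route to host",
]
DC_TRACE = [
    "[ 2011] TCP connection to ip 10.5.38.39, port 445 failed: Operation timed out.",
    "[ 2011] Unable to connect to NetLogon service on euiadvs01.eu.bm.net (Error: RESULT_ERROR_SPINCLIENT_UNABLE_TO_RESOLVE_SERVER)",
    "**[ 8041] FAILURE: Unable to make a connection (NetLogon:EU.BM.NET), result: 6942",
]
PCAP_ROW = ["2314 10.216.41.30 10.216.41.154 LSARPC NASLAB lsa_LookupNames2 response, STATUS_NONE_MAPPED, Error: STATUS_NONE_MAPPED"]
for name, sample in (("dns", DNS_TRACE), ("dc", DC_TRACE), ("pcap", PCAP_ROW)):
    print(name, verdict(triage(sample)))
```

A "name_not_mapped" verdict means the DC was reached and answered, so the account name itself is what could not be mapped.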