"Failed to resolve the security identifier (SID) for the account named" when using name of AD group

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Views:: 666

Visibility:: Public

Votes:: 1

Category:: ontap-9

Specialty:: nas

Last Updated:

Applies to

ONTAP 9
SMB/CIFS
Active Directory

Issue

When trying to add Active Directory group named USofA to CIFS share ACL, ONTAP is unable to resolve the AD group's SID

::*> cifs share access-control create -share cifstest -user-or-group USofA -user-group-type windows -permission Full_Control
Error: command failed: Failed to resolve the security identifier (SID) for the account named "USofA". Reason: Object name either does not exist or could not be resolved using the available servers. Check the event log for additional information.

SECD log says that domain controller could not find group named USofA

Failure Summary:
Error: Lookup of CIFS account name procedure failed
  [  9 ms] Successfully connected to ip x.x.x.x, port 445 using TCP
  [    32] Successfully authenticated with DC hostname.domainname.local
  [    50] Encountered NT error (NT_STATUS_PIPE_NOT_AVAILABLE) for SMB command Create
  [   136] Successfully retried Smb2NtCreateAndXFile for pipe \lsarpc 9 times within 95201 usecs to overcome STATUS_PIPE_NOT_AVAILABLE error from DC hostname.domainname.local
  [   191] Could not find Windows name 'USofA'
**[    50] FAILURE: Unexpected state: Error 6763 at file:src/Commands/Commands.cpp func:CheckSmbStatusWrapper line:1129
**[   191] FAILURE: Error case not correctly journaled

Packet trace of traffic between ONTAP and domain controller shows that the DC's LSARPC reply is
- ```
lsa_LookupNames2 response, STATUS_NONE_MAPPED, Error: STATUS_NONE_MAPPED
```