NetApp Knowledge Base

"Access denied" error seen by Windows clients as ONTAP maps users to pcuser instead of the appropriate UNIX user

Category:
ontap-9
Specialty:
nas

Applies to

  • ONTAP 9
  • CIFS/SMB

Issue

  • An "Access denied" error is seen when Windows clients access an SMB share on a UNIX security-style volume.
  • The Windows user is mapped to the SMB server's default UNIX user (pcuser) instead of the intended UNIX user, so the file permission check runs against pcuser's UID and GID rather than the user's own. This can be confirmed with the advanced-privilege name-mapping check:

cluster1::> set -privilege advanced

Warning: These advanced commands are potentially dangerous; use them only when directed to do so by NetApp personnel.
Do you want to continue? {y|n}: y

cluster1::*> vserver services access-check name-mapping show -node node1 -vserver vs1 -direction win-unix -name DOMAIN\user1

'DOMAIN\user1' maps to 'pcuser'

  • The following troubleshooting steps can be performed to isolate the issue:
    1. Verify whether the expected UNIX user's credentials (for example, user1 for DOMAIN\user1, which is what ONTAP's implicit mapping looks up when no explicit name-mapping rule matches) can be resolved by the SVM:

cluster1::*> vserver services access-check authentication translate -node node1 -vserver vs1 -unix-user-name user1
Vserver: vs1 (internal ID: 5)
Error: Acquire UNIX credentials procedure failed
[ 0 ms] Name 'user1' not found in UNIX authorization source LOCAL
[ 0] Could not get a user ID for name 'user1' using any NS-SWITCH authorization source
**[ 0] FAILURE: Unable to retrieve UID for UNIX user user1
Error: command failed: Failed to resolve user name to a UNIX ID. Reason: "SecD Error: user not found"

    2. If the error states "user not found", check which name services are used for passwd (UNIX user) lookups:

cluster1::*> vserver services name-service ns-switch show -vserver vs1 -database passwd
                     Vserver: vs1
Name Service Switch Database: passwd
   Name Service Source Order: files, nis

    3. If ns-switch lists only "files", the UNIX user must exist in the SVM's local UNIX user database. Check the unix-user show output; if the user is not present, it has to be created locally.
    4. To create the user and its primary group locally, use the UID and GID the user already has on the UNIX/NFS side so that file ownership and mode bits line up (the group should exist before the user that references it):

cluster1::*> vserver services name-service unix-group create -vserver vs1 -name user1 -id 20
cluster1::*> vserver services name-service unix-user create -vserver vs1 -user user1 -id 10 -primary-gid 20

    5. If ns-switch lists NIS or LDAP, check their configuration and make sure the UNIX user's credentials can actually be retrieved from those sources (rerun the authentication translate command from step 1 after any change):

cluster1::*> vserver services name-service nis-domain show -vserver vs1
cluster1::*> vserver services name-service ldap show -vserver vs1
cluster1::*> vserver services name-service ldap client show -vserver vs1
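The decision flow above, as an added Python helper that is not part of this NetApp article or of ONTAP. It parses the three outputs captured during the steps (constructed here from the samples shown on this page), derives the UNIX name ONTAP's implicit mapping would look up, and returns the action and the exact commands to run next. It goes slightly beyond the page in one branch: when the UNIX user does resolve but the mapping still lands on the default UNIX user, it points at the explicit name-mapping rules and the SMB server's default-unix-user option. The default user name (pcuser), the UID/GID placeholders and all function names are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample outputs, modelled on the ONTAP command output shown in this article.
SAMPLE_NAME_MAPPING = "'DOMAIN\\user1' maps to 'pcuser'"
SAMPLE_TRANSLATE = (
    "Vserver: vs1 (internal ID: 5)\n"
    "Error: Acquire UNIX credentials procedure failed\n"
    "[ 0 ms] Name 'user1' not found in UNIX authorization source LOCAL\n"
    "[ 0] Could not get a user ID for name 'user1' using any NS-SWITCH authorization source\n"
    "**[ 0] FAILURE: Unable to retrieve UID for UNIX user user1\n"
    'Error: command failed: Failed to resolve user name to a UNIX ID. Reason: "SecD Error: user not found"\n'
)
SAMPLE_NS_SWITCH_FILES_NIS = (
    "                     Vserver: vs1\n"
    "Name Service Switch Database: passwd\n"
    "   Name Service Source Order: files, nis\n"
)
SAMPLE_NS_SWITCH_FILES_ONLY = SAMPLE_NS_SWITCH_FILES_NIS.replace("files, nis", "files")


def implicit_unix_name(windows_name: str) -> str:
    """Name ONTAP looks up when no explicit name-mapping rule matches:
    the Windows account name without its domain, lowercased."""
    name = windows_name.rsplit("\\", 1)[-1]   # DOMAIN\user1 -> user1
    name = name.split("@", 1)[0]              # user1@domain -> user1 (UPN form)
    return name.lower()


def mapped_unix_user(name_mapping_output: str) -> Optional[str]:
    """Parse "'DOMAIN\\user1' maps to 'pcuser'" and return the UNIX side."""
    m = re.search(r"maps to '([^']+)'", name_mapping_output)
    return m.group(1) if m else None


def unix_user_resolves(translate_output: str) -> bool:
    """True unless 'authentication translate' reported a lookup failure."""
    return not re.search(r"FAILURE|user not found", translate_output)


def passwd_sources(ns_switch_output: str) -> List[str]:
    """Return the passwd source order from 'ns-switch show', e.g. ['files', 'nis']."""
    m = re.search(r"Name Service Source Order:\s*(.+)", ns_switch_output)
    return [s.strip() for s in m.group(1).split(",") if s.strip()] if m else []


def triage(windows_name: str, vserver: str, name_mapping_output: str,
           translate_output: str, ns_switch_output: str,
           default_unix_user: str = "pcuser", uid: int = 10, gid: int = 20) -> Dict[str, object]:
    """Apply the article's steps and return the next commands to run.
    uid/gid are assumed placeholders for the local-user branch; use the user's real IDs."""
    expected = implicit_unix_name(windows_name)
    mapped = mapped_unix_user(name_mapping_output)
    sources = passwd_sources(ns_switch_output)
    result: Dict[str, object] = {"expected_unix_user": expected, "mapped_to": mapped, "sources": sources}

    if mapped != default_unix_user:
        result.update(action="mapping_ok", commands=[])
    elif unix_user_resolves(translate_output):
        # Not covered by the article: user resolves, yet the mapping still lands on the
        # default user, so an explicit win-unix rule or the default-unix-user option is in play.
        result.update(action="check_name_mapping_rules", commands=[
            f"vserver name-mapping show -vserver {vserver} -direction win-unix",
            f"vserver cifs options show -vserver {vserver} -fields default-unix-user",
        ])
    elif sources == ["files"]:
        result.update(action="create_local_user", commands=[
            f"vserver services name-service unix-group create -vserver {vserver} -name {expected} -id {gid}",
            f"vserver services name-service unix-user create -vserver {vserver} -user {expected} -id {uid} -primary-gid {gid}",
        ])
    else:
        cmds = []
        if "nis" in sources:
            cmds.append(f"vserver services name-service nis-domain show -vserver {vserver}")
        if "ldap" in sources:
            cmds.append(f"vserver services name-service ldap show -vserver {vserver}")
            cmds.append(f"vserver services name-service ldap client show -vserver {vserver}")
        result.update(action="check_external_name_service", commands=cmds)
    return result


if __name__ == "__main__":
    for line in triage("DOMAIN\\user1", "vs1", SAMPLE_NAME_MAPPING,
                       SAMPLE_TRANSLATE, SAMPLE_NS_SWITCH_FILES_NIS)["commands"]:
        print(line)
```

Paste the captured outputs in place of the constructed samples; the helper only classifies what ONTAP already reported and never changes anything on the cluster.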


NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.