NetApp Knowledge Base

After AD reorganization the DACLs changed to SID resulting in Access Denied

Category: ontap-9
Specialty: nas
Applies to

  • ONTAP 9
  • Active Directory (AD)
  • CIFS/SMB

Issue

  • After an AD server reorganization, users are unable to access CIFS shares, and the DACL entries in the vserver security file-directory show output are displayed as raw SIDs instead of resolved DOMAIN\name accounts.
  • Example from the secd log:

3/16/2016 10:58:22  user-01  DEBUG   secd.unexpectedFailure: vserver (vserver_1) Unexpected failure. Error: Lookup of CIFS account SID procedure failed
  [  3 ms] Using a cached connection to user-6.naslab.local
  [     4] Could not find Windows SID 'S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx'
**[     5] FAILURE: SID lookup failed
3/16/2016 10:56:19  user-01   DEBUG   secd.unexpectedFailure: vserver (vserver_1) Unexpected failure. Error: Lookup of CIFS account SID procedure failed
  [  2015] Successfully connected to 10.61.92.xxx:445 using TCP
  [  2037] Successfully authenticated with DC user-6.naslab.local
  [  2046] Could not find Windows SID 'S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx'
**[  2046] FAILURE: SID lookup failed

  • Security trace displays the following:

                Protocol: cifs
                Volume: -
                Share: SHARENAME
                Path: /<path>/file.pdf
                Win-User: DOMAIN\user123
                UNIX-user: root
                Session-ID: 999999999999999999
NODEEXAMPLE-1   1   Security Style: NTFS and NT ACL
                    Access is denied. The requested permissions are not granted by the ACE while opening existing file or directory. Access is not granted for: "Read Control", "Read Attributes", "Read EA", "Read"

  • The following output is seen when vserver security file-directory show -vserver <vserver> -path <path> is run; note that the DACL ACEs show raw SIDs rather than account names:

                Vserver: VSERVER
              File Path: /volume/<path>/file.pdf
      File Inode Number: 10101010
         Security Style: ntfs
        Effective Style: ntfs
         DOS Attributes: 20
 DOS Attributes in Text: ---A----
Expanded Dos Attributes: -
           UNIX User Id: 65534
          UNIX Group Id: 65534
         UNIX Mode Bits: 777
 UNIX Mode Bits in Text: rwxrwxrwx
                   ACLs: NTFS Security Descriptor
                         Control:0x8808
                         Owner:DOMAIN\user123
                         Group:DOMAIN\Domain Users
                         DACL - ACEs
                            ALLOW-S-1-5-21-0000000000-0000000000-0000000000-512-0x1f01ff- (Inherited)
                            ALLOW-S-1-5-21-0000000000-0000000000-0000000000-1106-0x1301bf- (Inherited)

Vserver: VSERVER(internal ID: 3) 

Lookup of CIFS account SID procedure succeeded 
   [0 ms] Using a cached connection to name.example.com 
   [25] Could not find Windows SID 
   's-1-5-21-0000000000-0000000000-0000000000-512' 

Vserver: VSERVER(internal ID: 3) 

Lookup of CIFS account SID procedure succeeded 
   [0 ms] Using a cached connection to name.example.com 
   [25] Could not find Windows SID 
   's-1-5-21-0000000000-0000000000-0000000000-1106'
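As an added example (not part of the KB article), the following Python script parses the two kinds of output shown above: it extracts the SIDs that secd reported it could not resolve and the DACL ACEs that are still displayed as raw SIDs, and joins them so each unresolved ACE can be matched to a logged lookup failure. The sample log and ACL text are constructed from the placeholder values on this page, and the RID-based triage hint in classify() is an assumption for investigation, not something the article states.

```python
import re

# Constructed samples (placeholder values, not a real environment) mirroring the
# two outputs in this article: the secd log and the file-directory show DACL.
SECD_LOG = """\
3/16/2016 10:58:22  user-01  DEBUG   secd.unexpectedFailure: vserver (vserver_1) Unexpected failure. Error: Lookup of CIFS account SID procedure failed
  [  3 ms] Using a cached connection to user-6.naslab.local
  [     4] Could not find Windows SID 'S-1-5-21-0000000000-0000000000-0000000000-1106'
**[     5] FAILURE: SID lookup failed
"""
DACL_OUTPUT = """\
                         DACL - ACEs
                            ALLOW-S-1-5-21-0000000000-0000000000-0000000000-512-0x1f01ff- (Inherited)
                            ALLOW-S-1-5-21-0000000000-0000000000-0000000000-1106-0x1301bf- (Inherited)
                            ALLOW-DOMAIN\\user123-0x1f01ff-
"""

SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}-(\d+)", re.IGNORECASE)
# ACE layout in the output: <ALLOW|DENY>-<trustee>-<access mask>-[flags]
ACE_RE = re.compile(r"^\s*(ALLOW|DENY)-(.+?)-(0x[0-9a-f]+)-", re.IGNORECASE)
LOOKUP_FAIL_RE = re.compile(r"Could not find Windows SID '([^']+)'")

def failed_lookups(log):
    """SIDs that secd reported it could not resolve against the DC."""
    return LOOKUP_FAIL_RE.findall(log)

def unresolved_aces(acl_text):
    """(type, trustee, mask) for ACEs whose trustee is still a raw SID."""
    out = []
    for line in acl_text.splitlines():
        m = ACE_RE.match(line)
        if m and SID_RE.fullmatch(m.group(2)):
            out.append((m.group(1).upper(), m.group(2), m.group(3).lower()))
    return out

def classify(sid):
    """Triage hint (assumption): RIDs below 1000 are a domain's built-in principals
    (512 = Domain Admins), so an unresolvable one means the DC no longer knows that
    domain SID at all; RIDs >= 1000 are ordinary accounts that may have been deleted."""
    rid = int(SID_RE.fullmatch(sid).group(1))
    domain_sid = sid.rsplit("-", 1)[0]
    if rid < 1000:
        return f"built-in RID {rid}: domain {domain_sid} unknown to the DC"
    return f"RID {rid}: principal deleted or moved within {domain_sid}"

def report(log, acl_text):
    """Each raw-SID ACE, whether secd logged a failed lookup for it, and the hint."""
    failed = {s.upper() for s in failed_lookups(log)}
    return [(sid, mask, sid.upper() in failed, classify(sid))
            for _, sid, mask in unresolved_aces(acl_text)]
```

Running report() over real secd log excerpts and file-directory show output lists every ACE that will be enforced as an unknown SID, which is what produces the Access Denied in the security trace.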
