NetApp Knowledge Base

Multiple SECD Panic events related to lookup of user from an unsupported Single Label Domain

Category: ontap-9
Specialty: nas

Applies to

  • ONTAP 9.x releases prior to ONTAP 9.3P1 and 9.4
  • Single Label Domain

Issue

Due to a software defect in ONTAP, when a CIFS lookup is being performed for a user from an unsupported Single Label Domain, SECD panics but is able to recover.  If the SECD panic occurs 10 times within a one-hour period, it causes the SECD process to go into a slow-restartable mode, meaning it will only restart after 10 minutes from the last panic event.  In situations such as this, authentication and/or authorization requests that need to be processed on that node can time out or fail due to the SECD process not being available for this period of time.

While performing a task such as migrating data from one location to another, where the destination is a CIFS share on an ONTAP 9.x cluster, SECD on the node hosting the data LIF that receives the client's request can panic with the error below when it attempts a SetInfo Request to change the ownership of a file to a user from an unsupported Single Label Domain.

CLUSTER::> event log show -messagename ucore.panicString
1/1/2017 01:01:01 CLUSTER-01   ERROR         ucore.panicString: 'secd: Received SIGSEGV (Signal 11) at RIP 0x801234567 accessing address 0x6a12345678 (pid 12345, uid 0, timestamp 1483250461)'


In reviewing the SECD logs from that node, you will observe an error similar to the one below. It shows that, right before the panic is encountered, SECD performed a lookup on the SID that was passed for the user in the SetInfo Request and then attempted to map the NetBIOS Domain Name returned for the user to its equivalent Active Directory Domain Name:

debug:  Calling LsaLookupSids2...  { in lookupSid() at src/utils/secd_cifs_utils.cpp:412 }
debug:  LsarLookupSids2 returned Result 0 with lsa result: 0x0  { in lookupSid() at src/utils/secd_cifs_utils.cpp:429 }
debug:  domainName from lookupSid: SLD  { in lookupSid() at src/utils/secd_cifs_utils.cpp:450 }
debug:  accountName from lookupSid: TESTUSER  { in lookupSid() at src/utils/secd_cifs_utils.cpp:458 }
info :  DC translates S-1-5-21-123456789-123456789-123456789-123456 to 'SLD\TESTUSER' { in getNameFromSid() at src/authorization/secd_cifs_authorization.cpp:567 }
debug:  Netbios domain 'SLD' is not an AD domain. Probably NT4  { in secdMapNetbiosDomainToADDomain() at src/domain_services/secd_domain_services.cpp:409 }

ERR  :  Cannot determine AD domain name for 'SLD' { in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1085 }
ERR  :  RESULT_ERROR_SECD_CANNOT_FIND_DOMAIN_MAPPING:6948 in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1086

ERR  :  Could not get credentials for Windows user 'TESTUSER' or SID 'S-1-5-21-123456789-123456789-123456789-123456' { in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1129 }
ERR  :  RESULT_ERROR_SECD_CANNOT_FIND_DOMAIN_MAPPING:6948 in secd_rpc_auth_get_creds_1_svc() at src/authorization/secd_rpc_authorization.cpp:1648
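
The following is an added example, not NetApp code: a Python check that reads saved "event log show" output and reports nodes whose SECD panics reached the 10-in-one-hour threshold described above, plus the NetBIOS domains that SECD could not map. It assumes the line formats shown in this article and uses the epoch "timestamp" field inside the panic string; the function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque

# From the article: 10 SECD panics within one hour put SECD into
# slow-restartable mode (restart only 10 minutes after the last panic).
PANIC_LIMIT, WINDOW_SECONDS = 10, 3600

PANIC_RE = re.compile(
    r"^\S+ \S+ (?P<node>\S+)\s+\w+\s+ucore\.panicString: 'secd: Received SIGSEGV"
    r".*timestamp (?P<ts>\d+)\)'")
UNMAPPED_RE = re.compile(r"Netbios domain '([^']+)' is not an AD domain")

def nodes_in_slow_restart(event_lines):
    """Return {node: epoch of the panic that reached the limit}."""
    hits = (PANIC_RE.match(line.strip()) for line in event_lines)
    events = sorted((int(m["ts"]), m["node"]) for m in hits if m)
    recent, tripped = defaultdict(deque), {}
    for ts, node in events:
        window = recent[node]
        window.append(ts)
        while ts - window[0] >= WINDOW_SECONDS:   # drop panics older than 1 h
            window.popleft()
        if len(window) >= PANIC_LIMIT:
            tripped.setdefault(node, ts)
    return tripped

def unmapped_domains(secd_lines):
    """NetBIOS domains that SECD reported it could not map to an AD domain."""
    found = (UNMAPPED_RE.search(line) for line in secd_lines)
    return sorted({m.group(1) for m in found if m})

def make_event(node, ts):
    """Build a constructed event-log line in the format shown in the article."""
    return (f"1/1/2017 01:01:01 {node}   ERROR         ucore.panicString: "
            f"'secd: Received SIGSEGV (Signal 11) at RIP 0x801234567 accessing "
            f"address 0x6a12345678 (pid 12345, uid 0, timestamp {ts})'")

# Constructed input: 10 panics 5 minutes apart on CLUSTER-01, 3 on CLUSTER-02.
T0 = 1483250461
SAMPLE_EVENTS = ([make_event("CLUSTER-01", T0 + 300 * i) for i in range(10)]
                 + [make_event("CLUSTER-02", T0 + 1500 * i) for i in range(3)])
SAMPLE_SECD = ["debug:  Netbios domain 'SLD' is not an AD domain. Probably NT4",
               "ERR  :  Cannot determine AD domain name for 'SLD'"]

if __name__ == "__main__":
    print(nodes_in_slow_restart(SAMPLE_EVENTS), unmapped_domains(SAMPLE_SECD))
```

A node returned by nodes_in_slow_restart() is one where authentication and authorization requests may be timing out while SECD waits to restart.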


NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.