NFS access denied due to invalid name mapping after upgrading to ONTAP 9.12.1+
Applies to
- ONTAP 9.12.1 and later
- NFS access (NTFS security style volumes), CIFS access (NTFS or UNIX security style)
- CIFS Local Users and Groups
Issue
- After upgrading to ONTAP 9.12.1 or later, a user is denied access when mounting or accessing a directory that was previously accessible
- Security trace indicates:
Access is denied because the UNIX user could not be mapped to a valid NT user while reading the user's access rights on an object.
- One of the volumes in the path to the target volume is NTFS security style; this may include the root volume
    ::> vol show -vserver svm1 -volume svm1_root -fields security-style
    vserver       volume             security-style
    ------------- ------------------ --------------
    svm1          svm1_root          ntfs
- The Unix account that is being denied access is explicitly mapped to a local Windows account
    ::> vserver name-mapping show -vserver svm1 -direction unix-win
    Vserver:   svm1
    Direction: unix-win
    Position Hostname         IP Address/Mask
    -------- ---------------- ----------------
    1        -                -                   Pattern: root
                                              Replacement: SVM1\\Administrator
- The local account is disabled; this is the default for the preconfigured CIFS local user "Administrator"
    ::> local-user show -fields is-account-disabled
      (vserver cifs users-and-groups local-user show)
    vserver       user-name           is-account-disabled
    ------------- ------------------- -------------------
    svm1          SVM1\Administrator  true
- EMS logs:
    secd.nfsAuth.noCifsCred:error]: vserver (SVM) NFS authorization cannot retrieve CIFS credentials.
    Error: Get user credentials procedure failed
    [ 0 ms] Determined UNIX id 0 is UNIX user 'root'
    [ 0] UNIX user 'root' mapped to Windows user 'SVM\administrator'
    [ 0] Using cached 'SVM\administrator' SID mapping.
    [ 0] FAILURE: Account is disabled for local user 'Administrator'
    [ 0] Could not get credentials for Windows user 'administrator' or SID 'S-1-5-21-xxxxx'