# Unix permissions and trusted domains


distant hawk

I am attempting to configure an SVM in one domain to allow users in another trusted domain access to NFS volumes. I have LDAP working for the home domain and I have added trusted domains via:

vserver cifs domain name-mapping-search add

And confirmed their addition via:

vserver cifs domain trusts show

However, "vserver services access check authentication show-creds" still fails for users in the trusted domain.

I want to avoid using one-to-one name-mapping on the SVM as it would be a nightmare to maintain.

Has anyone had any success with getting this to work in their environment?

glad gorge

Nobody from NetApp has an answer here? Should vserver services access check work across trusted domains?

vivid hornet

To me it sounds like CIFS is being used for LDAP? For NFS there should be an LDAP client. Maybe that needs a little attention?

dawn flare

Is there an error when running show-creds for users from trusted domains, or is the Windows to UNIX name mapping not working (mapping to the Default UNIX User like "pcuser")?

distant hawk
> vivid hornet: To me it sounds like CIFS is being used for LDAP? For NFS there should be an LD...

I have not done any LDAP configuration specifically for NFS, but both win and unix user lookups work for the home domain. I'll have to do a bit of digging into the idea of LDAP for NFS.

Update: After a bit of digging I haven't found any sort of documentation related to LDAP specific to NFS. Everything that I have found indicates that there is one LDAP configuration for an SVM which is used for everything.

dawn flare

Sorry to ask the same question again, but does the "vserver services access-check authentication show-creds" command error when you run it for Windows users from a trusted domain? For your LDAP client configuration, are you using the Active Directory Domain option for the home domain, or do you all use a third-party LDAP implementation? It may be best to get a Support case created, as this can go on for a little bit without direct access to the system and/or more details. Otherwise, you can also review TR-4835: How to configure LDAP in ONTAP - Multiprotocol NAS identity management @ https://www.netapp.com/pdf.html?item=/media/19423-tr-4835.pdf

distant hawk
> dawn flare: Sorry to ask the same question again, but does the "vserver services access-chec...

Thank you for your response. We are able to successfully obtain win-name information for a user in a trusted domain if we use the format "username@domain". However, that same check fails when looking for unix-user information for the same user. We have a case open with NetApp support and we are digging into the aforementioned TR-4835, but thus far we have not found an answer.
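An added troubleshooting sequence (mine, not from any post in this thread) that separates the CIFS-side lookup, which the last post says works in user@domain form, from the UNIX-side lookup that fails. Cluster, node, SVM, domain and user names are placeholders, and the `#` lines are annotations, not clustershell input.

```text
# Placeholders: cluster1 / node1, SVM svm1, trusted domain TRUSTED.EXAMPLE, user jdoe.

# 1. Confirm the trust is visible and which domains the SVM searches for mapping.
cluster1::> vserver cifs domain trusts show -vserver svm1
cluster1::> vserver cifs domain name-mapping-search show -vserver svm1

# 2. Windows-side credential lookup (the thread reports this part succeeds).
cluster1::> vserver services access-check authentication show-creds -node node1 -vserver svm1 -win-name jdoe@TRUSTED.EXAMPLE

# 3. UNIX-side lookup on its own, with no CIFS name mapping involved.
#    If this fails, the gap is in ns-switch/LDAP passwd resolution for the
#    trusted-domain user, not in Windows-to-UNIX mapping.
cluster1::> vserver services name-service ns-switch show -vserver svm1
cluster1::> vserver services name-service ldap show -vserver svm1
cluster1::> set -privilege advanced
cluster1::*> vserver services name-service getxxbyyy getpwbyname -node node1 -vserver svm1 -username jdoe
cluster1::*> set -privilege admin

# 4. Same UNIX-side check through access-check; expect it to agree with step 3.
cluster1::> vserver services access-check authentication show-creds -node node1 -vserver svm1 -unix-user-name jdoe

# 5. If step 3 succeeds but the Windows user still lands on the default UNIX
#    user, the problem is in the mapping stage: review explicit win-unix rules.
cluster1::> vserver name-mapping show -vserver svm1 -direction win-unix
```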