# LDAP/AD Unix -> Windows name mapping

1 messages · Page 1 of 1 (latest)

vagrant geyser
#

I am having difficulties with name mapping. I can touch a file as my userid myorg\pcarlson2, but as sudo I can't. For testing I have root mapped to myorg\pcarlson2.

Touch Test:

[pcarlson2@usback036 ~]$ touch /Volumes/CDtest/peter.txt
[pcarlson2@usback036 ~]$ sudo touch /Volumes/CDtest/sudo.txt
touch: cannot touch ‘/Volumes/CDtest/sudo.txt’: Permission denied

Netapp Config:

NA-PAT::> vserver services ldap check -vserver USFILE300 

                  Vserver: USFILE300
Client Configuration Name: myorg_svm
              LDAP Status: up
      LDAP Status Details: Connected to LDAP server "10.114.20.123".
   LDAP DN Status Details: All the configured DNs are available.

#

Storage Volume Config:

NA-PAT::vserver services name-service ldap client> show myorg_svm  

                                  Vserver: USFILE300
                Client Configuration Name: myorg_svm
                         LDAP Server List: -
            (DEPRECATED)-LDAP Server List: -
                  Active Directory Domain: myorg.my.org
       Preferred Active Directory Servers: 10.114.20.123, 10.114.22.212
         Restrict discovery to site scope: false
Bind Using the Vserver's CIFS Credentials: true
                          Schema Template: MS-AD-BIS
                         LDAP Server Port: 389
                      Query Timeout (sec): 6
        Minimum Bind Authentication Level: anonymous
                           Bind DN (User): -
                                  Base DN: DC=myorg,DC=my,DC=org
                        Base Search Scope: subtree
               Vserver Owns Configuration: true
      Use start-tls Over LDAP Connections: false
                  Client Session Security: none
                    LDAP Referral Chasing: false
                         Is LDAPS Enabled: false
                      Try Channel Binding: true
#

Sorry for the multiple posts, Discord is limiting me to 200- characters.
mapping check:

NA-PAT::*> access-check name-mapping show -vserver USFILE300 -direction unix-win -name root
  (vserver services access-check name-mapping show)

'root' maps to 'MYORG\pcarlson2'
trail tartan
#

is this a CIFS or an NFS mount?

vagrant geyser
#

NFS mount

trail tartan
#

can you show the export policy rule, especially the superuser part? It should be superuser=sys if you want to be able to write as root

#

i.e. volume show -volume <volume-name> -fields policy and export-policy rule show -policyname <policyname> -fields rorule,rwrule,superuser

vagrant geyser
#
NA-PAT::*> volume show -volume CDtest -fields policy 
vserver   volume policy 
--------- ------ ------ 
USFILE300 CDtest cg     

NA-PAT::*> export-policy rule show -policyname cg -fields rorule,rwrule,superuser
vserver   policyname ruleindex rorule                rwrule                superuser
--------- ---------- --------- --------------------- --------------------- ---------
USFILE300 cg         1         any                   any                   none
USFILE300 cg         2         krb5,krb5i,krb5p,ntlm krb5,krb5i,krb5p,ntlm none
2 entries were displayed.
trail tartan
#

yeah, try setting superuser=sys

vagrant geyser
#

what does that do?

trail tartan
#

It is called root squashing. It needs to be disabled.

vagrant geyser
#

thanks that worked

#

I don't know if this one is related or not, but I do have in my event log quite a few of these types of messages:

secd.unexpectedFailure: Unexpected SecD failure in Vserver "Cluster". Details: Error: Ldap get list of groups for a user procedure failed **[ 0] FAILURE: 'Ldap' specified in ns-switch, but not configured [ 0] Failed to get group list for User name 'root'
trail tartan
#

yeah, that probably means you have the wrong LDAP schema in use

#

Did you follow TR-4835? What schema are you using, RFC2307bis?

#

Ah yes, the schema seems correct.

vagrant geyser
#

yeah, I followed that guide

marble ore
#

Could be the root group (probably root/0) isn't being found in Active Directory.
You could try to set your gidNumber to 0 and try again. Might take a few for the caches to time out.

vagrant geyser
#

The problem is, I don't know the "trigger" for this error. We have hundreds of Linux servers. I don't know if this is a user trying something with sudo, or if it's an automated script somewhere, etc. The timestamps don't correlate with anything I am doing.

pseudo dew
#

What does your ns-switch look like?

ns-switch show -vserver <vserver>

Do you have a local root user with uid 0 and gid 1?

unix-user show -vserver <vserver>

Is the vserver attempting to lookup the root user by files, or ldap?

set adv -c of;getxxbyyy getpwbyname -node <node> -vserver <vserver> -username root -show-source true;set adm -c on
vagrant geyser
#
NA-PAT::*> ns-switch show -vserver NA-PAT
  (vserver services name-service ns-switch show)
                               Source
Vserver         Database       Order
--------------- ------------   ---------
NA-PAT          hosts          files,dns
NA-PAT          group          files,ldap
NA-PAT          passwd         files,ldap
3 entries were displayed.

NA-PAT::*> ns-switch show -vserver USFILE300
  (vserver services name-service ns-switch show)
                               Source
Vserver         Database       Order
--------------- ------------   ---------
USFILE300       hosts          dns,files
USFILE300       group          ldap,files
USFILE300       passwd         ldap,files
USFILE300       netgroup       ldap,files
USFILE300       namemap        ldap,files
5 entries were displayed.

USFILE300 is an SVM, NA-PAT is the cluster name; given the error says "Cluster", I am assuming it's NA-PAT that it wants.

#
NA-PAT::*> unix-user show -vserver NA-PAT
There are no entries matching your query.

NA-PAT::*> unix-user show -vserver USFILE300
               User            User   Group  Full
Vserver        Name            ID     ID     Name
-------------- --------------- ------ ------ --------------------------------
USFILE300      nobody          65535  65535
USFILE300      pcuser          65534  65534
USFILE300      root            0      1
3 entries were displayed.

#
NA-PAT::*> set adv -c of;getxxbyyy getpwbyname -node NAC60-001-A -vserver NA-PAT -username root -show-source true;set adm -c on

  (vserver services name-service getxxbyyy getpwbyname)
Source used for lookup: Files
pw_name: root
pw_passwd: $6$rounds=10000$<CUT>
pw_uid: 0
pw_gid: 0
pw_gecos: Charlie &
pw_dir: /root
pw_shell: /usr/sbin/nologin



NA-PAT::> set adv -c of;getxxbyyy getpwbyname -node NAC60-001-A -vserver USFILE300 -username root -show-source true;set adm -c on

  (vserver services name-service getxxbyyy getpwbyname)
Source used for lookup: Files
pw_name: root
pw_passwd: *
pw_uid: 0
pw_gid: 1
pw_gecos: 
pw_dir: 
pw_shell: 

trail tartan
#

Yeah, the "Cluster" is strange in the error message. Have you configured domain credentials to log in to the cluster or something?

vagrant geyser
#

yes, and I can login to the cluster using my domain login

pseudo dew
#

Do you have an LDAP config for your cluster vserver?

ldap show -vserver NA-PAT

If not, you should be able to remove "ldap" from your cluster ns-switch.

vagrant geyser
#
NA-PAT::*> ldap show -vserver NA-PAT

                         Vserver: NA-PAT
       LDAP Client Configuration: NA-PAT

NA-PAT::*> ldap show
               Client
Vserver        Configuration
-------------- -------------
NA-PAT         NA-PAT
USFILE300      myorg_svm
2 entries were displayed.

NA-PAT::*> vserver services ldap check -vserver NA-PAT

                  Vserver: NA-PAT
Client Configuration Name: NA-PAT
              LDAP Status: up
      LDAP Status Details: Connected to LDAP server "10.189.16.19".
   LDAP DN Status Details: All the configured DNs are available.

NA-PAT::*> 
pseudo dew