NAS Authentication Tips and FAQs
auth config ads display an 'Invalid workstation' error?
If you run the auth config ads command while the nasadmin user does not have login access to the Appliance Controller, you might see a message like the following.
Example:
net ads join failed :Failed to join domain: failed to lookup DC info for domain 'SomeLab.SOMEWHERE.COM' over rpc: Invalid workstation (E-5046)
This error indicates that the account used in the "auth config ads" command does not have logon access to the NAS server node. By default, NAS authentication allows logon access to the NAS server, so this error means that the account's permissions were changed from the default in a way that denies it access.
To fix the problem, log in to the ADS server, change the permissions for the user account so that it has logon access to the NAS server, and then run the auth config ads command again (see Apply AD Authentication To NAS).
If you are enabling SID mapping in StorNext NAS and configuring ACLs for macOS environments, we recommend using the chmod +a | -a | =a command. Otherwise, the SIDs will incorrectly display as AAAABBBB-CCCC-DDDD-EEEE-FFFF82000004 when the ls -le command is used. See (Optional) Step 4: Enable SID Mapping for Full ACL Support.
The ONLY StorNext NAS-supported authentication method for Apple OD services is Kerberos. If a client is not bound to the Apple OD server or does not have the proper krb5.conf authentication, then it cannot access a share from the Apple OD server.
If your client's authentication methods are not correctly configured, you will see the following:
Example: Incorrect Authentication Method
$ kinit jsmith
jsmith@LOCAL's password:
kinit: krb5_get_init_creds: unable to reach any KDC in realm LOCAL, tried 0 KDCs
$ smbutil view smb://vsop-aod-nas.example.com
Password for vsop-aod-nas.example.com:
smbutil: server rejected the authentication: Authentication error
If your client's authentication is correctly configured, you will be able to access the share.
Example: Correct Authentication Method
$ kinit jsmith
jsmith@LAB-AOD.EXAMPLE.COM's password:
$ smbutil view smb://vsop-aod-nas.example.com
Share Type Comments
-------------------------------
support Disk Quantum Support
aod-smb1 Disk
upgrade Disk Quantum Upgrade
IPC$ Pipe IPC Service ("Quantum SN-NAS")
In some cases, the user name that is used to configure Active Directory authentication for NAS may not have sufficient privileges. To resolve this issue, grant this user name SeDiskOperatorPrivilege.
- Log in to rootsh.
- At the prompt, run the following command to obtain the user's SID:
  wbinfo -n <'user'>
- At the prompt, enter the following command with the returned SID to grant the user SeDiskOperatorPrivilege:
  net rpc rights grant -Usysadmin [SID-of-user] SeDiskOperatorPrivilege
- At the prompt, enter the password for the sysadmin account to approve the rights.
Example: Grant the SeDiskOperatorPrivilege to the sysadmin User
root@k2 ~# wbinfo -n 'sysadmin'
S-1-5-21-2500398869-2327988562-2535538314-500 SID_USER (1)
root@k2 ~# net rpc rights grant -Usysadmin S-1-5-21-2500398869-2327988562-2535538314-500 SeDiskOperatorPrivilege
10006
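The two-step grant above depends on copying the SID out of the wbinfo output by hand. The following shell functions, an added example and not Quantum's own code, wrap the same two commands and validate the SID before it is passed to net rpc rights grant, so a failed or unexpected lookup never turns into a malformed grant. They assume they are run from rootsh with wbinfo and net on the PATH, and that sysadmin is the account used for -U, as on this page.

```shell
# Added example, not Quantum's code: wrap the two-step grant so the SID returned
# by `wbinfo -n` is validated before it is handed to `net rpc rights grant`.
# Assumed: run from rootsh where wbinfo and net are on PATH; the sysadmin
# account is the one used for -U, as in the page's procedure.

# `wbinfo -n` prints "<SID> <TYPE> (<n>)", e.g.
#   S-1-5-21-2500398869-2327988562-2535538314-500 SID_USER (1)
# Print the SID when the line has that shape and the object is a user;
# print nothing and return 1 otherwise.
sid_from_wbinfo() {
  sid=${1%% *}            # first whitespace-separated field
  kind=${1#* }            # drop the SID ...
  kind=${kind%% *}        # ... and keep the type token
  # A domain user SID is S-1-5-21-<sub1>-<sub2>-<sub3>-<RID>, all numeric.
  printf '%s' "$sid" | grep -Eq '^S-1-5-21(-[0-9]+){4}$' || return 1
  [ "$kind" = "SID_USER" ] || return 1
  printf '%s\n' "$sid"
}

# Resolve a user to its SID and grant SeDiskOperatorPrivilege. Nothing is
# granted if the lookup fails or returns something other than a user SID.
grant_disk_operator() {
  user=$1
  out=$(wbinfo -n "$user") || { echo "wbinfo lookup failed for $user" >&2; return 1; }
  sid=$(sid_from_wbinfo "$out") || { echo "not a domain user SID: $out" >&2; return 1; }
  # net prompts for the sysadmin password, as in the page's procedure
  net rpc rights grant -Usysadmin "$sid" SeDiskOperatorPrivilege
}

# Usage from rootsh (assumed user name):
#   grant_disk_operator 'sysadmin'
```

The SID check rejects well-known SIDs such as BUILTIN aliases and domain groups, which is deliberate: the privilege is meant for the user account named in the auth config ads command, and a lookup that returns anything else should be investigated rather than granted.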
If you are using Microsoft Active Directory (AD) with the RFC2307 idmap to authenticate users, each Domain User must have a valid UID number and GID number to map to the user name and group name of the AD account.
If you do not define these attributes, the winbind daemon cannot identify the user name or group name, and in turn, cannot authenticate the user to NAS management services.
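The requirement above can be checked from rootsh before a user is assigned to a share. The following shell functions are an added example, not Quantum's code: they classify the passwd-format record that wbinfo -i (or getent passwd) returns for a user, and flag UID numbers shared by more than one account, which the failure matrix below lists among the causes of mapping failures. They assume the usual seven colon-separated passwd fields, with the UID number in field 3 and the primary GID number in field 4.

```shell
# Added example, not Quantum's code: check that a user's winbind record carries
# the RFC2307 UID and GID numbers the text requires. Assumed: `wbinfo -i` (and
# `getent passwd`) print the usual seven colon-separated passwd fields, with the
# UID number in field 3 and the primary GID number in field 4.

# Classify one passwd-format line. Prints one of:
#   ok | missing-uid | missing-gid | malformed
check_passwd_entry() {
  printf '%s\n' "$1" | awk -F: '
    NF != 7          { print "malformed";   exit }
    $3 !~ /^[0-9]+$/ { print "missing-uid"; exit }   # no uidNumber mapped
    $4 !~ /^[0-9]+$/ { print "missing-gid"; exit }   # no gidNumber mapped
                     { print "ok" }'
}

# Look a domain user up through winbind and classify the result. A failed
# lookup is reported as "lookup-failed": a user without Unix attributes
# typically cannot be resolved by winbind at all, so this is the first thing
# to check when a user is "not found" despite existing in AD.
check_user_mapping() {
  entry=$(wbinfo -i "$1" 2>/dev/null) || { echo "lookup-failed"; return 1; }
  check_passwd_entry "$entry"
}

# Read passwd-format lines on stdin (e.g. `getent passwd`, one user per line)
# and print every UID number that is shared by more than one account.
duplicate_uids() {
  awk -F: 'NF == 7 && $3 ~ /^[0-9]+$/ { print $3 }' | sort -n | uniq -d
}

# Usage from rootsh (assumed user name):
#   check_user_mapping 'LAB\jsmith'
#   getent passwd | duplicate_uids
```

Run check_user_mapping for the account that fails and duplicate_uids over the whole passwd database; a result other than ok, or any UID printed by duplicate_uids, points at the Unix Attributes of the AD objects rather than at the NAS configuration.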
Comprehensive Failure Matrix
| Category | Example Error Messages | Symptoms | Likely Causes | Quick Checks (CLI/UI) | Recommended Fix |
|---|---|---|---|---|---|
| Authentication Failures | Authentication Failed; Invalid Credentials; Kerberos Authentication Failed; Cannot Contact Domain Controller; Clock Skew Detected | Login or bind fails before user lookup; no token/ticket | Wrong password; expired/locked account; DC unreachable; time drift; DNS issues | Check time sync (ntpstat/NTP status); DNS resolves DCs; Kerberos (kinit); account status in AD | Correct credentials; unlock/reset account; restore DC connectivity; fix NTP/DNS |
| Directory Lookup / Winbind Failures | User lookup failed; winbindd: failed to resolve SID; Domain not reachable; No such user; Failed to enumerate domain users | User exists in AD but cannot be listed or resolved on NAS | Winbind stopped/hung; DNS SRV issues; AD replication delay; trust problems | wbinfo -u/-g; getent passwd <user>; service status of winbind; DNS SRV records for _ldap._tcp | Restart/fix winbind; correct DNS; wait/force AD replication; repair domain trust |
| Identity Mapping (RFC2307) – E‑5060 prone | Invalid User (E‑5060); User Not Found (E‑5060); Failed to map SID to UID; No UID available; UID/GID mapping failed | Authentication may succeed, but user cannot be assigned to share/ACL | Missing UID Number; missing Primary GID Number; duplicate UID/GID; wrong idmap backend (rid vs ad) | Inspect ADUC Unix Attributes; wbinfo -i <user>; check idmap backend config | Add UID Number and Primary GID Number; resolve duplicates; set correct idmap backend |
| Group Resolution Failures | Group lookup failed; Primary GID not found; GID mapping failed; Unable to resolve group membership | User resolves, but membership/primary group fails; ACL application fails | Group missing RFC2307 attributes; duplicate GID; nested groups not returned | wbinfo -r <userSID>; getent group <group>; verify group Unix attributes in AD | Add/repair group Unix attributes; fix GID conflicts; enable nested group resolution if supported |
| Authorization / Permissions Failures | Access Denied; Authorization Failed; User not permitted to perform this action; Failed to assign permissions | User maps to UID/GID, but operation is blocked by policy/ACL | User lacks role; wrong ACL inheritance; conflicting policies | Check NAS RBAC/roles; review share/FS ACLs; effective permissions check | Grant required role/group; correct ACLs; resolve policy conflicts |
| Share Creation / Filesystem Assignment Failures | Unable to create share; Failed to set ACLs; Failed to assign owner; User does not exist on filesystem; Cannot apply permissions to user | Share creation fails after user selection; ACLs/ownership not applied | Partial mapping (UID yes / GID no); filesystem ACL incompatibility; parent directory permissions | Verify user’s UID/GID; test setfacl/chown behavior; check parent dir ACLs | Complete RFC2307 attributes; adjust filesystem ACL/ownership; fix inherited permissions |
| Additional Variants (Real‑world) | User account disabled; Password expired; User object moved OU; Insufficient privileges to read attributes; SID history not mapped; Nested groups unresolved | Intermittent or environment‑specific failures | Admin/process changes in AD; insufficient read perms on attributes; complex group nesting | Check account status, OU, and delegation; tokenGroups vs winbind listing; audit attribute permissions | Re‑enable account; update OU/group; grant directory read on required attrs; flatten or enable nested group support |
For more information, see Apply AD Authentication To NAS.
If you are using Microsoft AD to perform authentication and you specify a user without administrative privileges, you may receive an error message similar to the following:
"net ads join" failed :Failed to join domain: Failed to set account flags for machine account (NT_STATUS_ACCESS_DENIED) (E-5046)
- Verify that you have entered the user name correctly.
- Verify the user is an administrator or has administrative privileges. See Apply AD Authentication To NAS and View User and Group Information.
If you are using AD to perform authentication and you receive an error like the following, then the computer object that you are using may be incorrect.
Error Verifying Kerberos Config: password verify for administrator@ENG.EXAMPLE.COM failed: kinit: Preauthentication failed while getting initial credentials (E-7002)
Keep in mind that when you join an AD domain, both a computer object and a corresponding Kerberos key are generated for the computer in the AD database.
Resolution
- Verify that there is not a propagation issue with the computer object.
- Restrict AD authentication to a limited number of AD domain servers. See Apply AD Authentication To NAS.
If you are using LDAP to perform authentication and you enter an incorrect or invalid password, you may receive an error message similar to the following:
Error Verifying Kerberos Config: password verify for administrator@ENG.EXAMPLE.COM failed: kinit: Preauthentication failed while getting initial credentials (E-7002)
Resolution
- Verify that you have entered a valid password for the administrator user.
- Retry the command. See Apply OpenLDAP Authentication to NAS.
While attempting to authenticate the Appliance Controller, you may receive the following error message:
The password for username (sysadmin) was not correct - you may need to change this user password (E-5046)
If you receive this message, you will need to change the password for the sysadmin user. See Log in to the Appliance Controller CLI.
If you experience problems accessing your Microsoft AD server from the Appliance Controller, do the following.
- Log in to rootsh.
- At the prompt, enter the following:
  net ads testjoin
- Do one of the following, depending on the command's return:
  - Appliance Controller is connected to your Microsoft AD server: Proceed to the next task: Verify that your Microsoft AD server is connected to winbind.
  - Appliance Controller is not connected to your Microsoft AD server: Re-authenticate your connection to the Microsoft AD server by issuing the auth config ads command from the Appliance Controller. See Apply AD Authentication To NAS.
- Log in to rootsh.
- At the prompt, enter the following:
  wbinfo -P
- Log in to the Appliance Controller CLI.
- Do one of the following, depending on the command's return:
  - Microsoft AD server is connected to winbind: Re-authenticate your connection to the Microsoft AD server by issuing the auth config ads command. See Apply AD Authentication To NAS.
  - Microsoft AD server is not connected to winbind: Verify that winbind is running, and if it is not, restart winbind services by issuing the following command:
    system restart services winbind
If you receive authentication configuration errors when you issue the auth show config command, verify that you have correctly configured user authentication for your NAS environment.
- Log in to the Appliance Controller CLI.
- Verify that you can display authenticated users. See View User and Group Information.
- Log in to rootsh.
- At the prompt, enter the following command:
wbinfo -P
Result
- If this command succeeds and you can display authenticated users, then you can disregard the authentication configuration errors.
- If this command does not succeed or you cannot display authenticated users, then you need to reconfigure NAS user authentication. See NAS User Authentication.