NAS Authentication Tips and FAQs
Why does the auth config ads command display an 'Invalid workstation' error?
If you are attempting to run the auth config ads command, you might see a message like the following if the nasadmin user does not have login access to the Appliance Controller.
Example:
net ads join failed :Failed to join domain: failed to lookup DC info for domain 'SomeLab.SOMEWHERE.COM' over rpc: Invalid workstation (E-5046)
This error indicates that the account used in the "auth config ads" command does not have logon access to the NAS server node. By default, NAS authentication allows logon access to the NAS server, so this error means the account's permissions were changed from the default in a way that denies the account access.
To fix the problem, log in to the ADS server, change the permissions for the user account so that it has logon access to the NAS server, and run the auth config ads command again (see Apply AD Authentication To NAS).
If you are enabling SID mapping in StorNext NAS and configuring ACLs for macOS environments, we recommend using the chmod +a | -a | =a command. Otherwise, the SIDs will incorrectly display as AAAABBBB-CCCC-DDDD-EEEE-FFFF82000004 when the ls -le command is used. See (Optional) Step 4: Enable SID Mapping for Full ACL Support.
The ONLY StorNext NAS-supported authentication method for Apple OD services is Kerberos. If a client is not bound to the Apple OD server or does not have the proper krb5.conf authentication, then it cannot access a share from the Apple OD server.
If your client's authentication methods are not correctly configured, you will see the following:
Example: Incorrect Authentication Method
$ kinit jsmith
jsmith@LOCAL's password:
kinit: krb5_get_init_creds: unable to reach any KDC in realm LOCAL, tried 0 KDCs
$ smbutil view smb://vsop-aod-nas.example.com
Password for vsop-aod-nas.example.com:
smbutil: server rejected the authentication: Authentication error
If your client's authentication is correctly configured, you will be able to access the share.
Example: Correct Authentication Method
$ kinit jsmith
jsmith@LAB-AOD.EXAMPLE.COM's password:
$ smbutil view smb://vsop-aod-nas.example.com
Share      Type  Comments
-------------------------------
support    Disk  Quantum Support
aod-smb1   Disk
upgrade    Disk  Quantum Upgrade
IPC$       Pipe  IPC Service ("Quantum SN-NAS")
In some cases, the user name that is used to configure Active Directory authentication for NAS may not have sufficient privileges. To resolve this issue, grant this user name SeDiskOperatorPrivilege.
- Log in to rootsh.
- At the prompt, run the following command to obtain the user's SID:
  wbinfo -n '<user>'
- At the prompt, enter the following command with the returned SID information to grant the user SeDiskOperatorPrivilege:
  net rpc rights grant -Usysadmin [SID-of-user] SeDiskOperatorPrivilege
- At the prompt, enter the password for the sysadmin account to approve the rights.
Example: Grant the SeDiskOperatorPrivilege to the sysadmin User
root@k2 ~# wbinfo -n 'sysadmin'
S-1-5-21-2500398869-2327988562-2535538314-500 SID_USER (1)
root@k2 ~# net rpc rights grant -Usysadmin S-1-5-21-2500398869-2327988562-2535538314-500 SeDiskOperatorPrivilege
10006
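The two-step procedure above (look up the SID with wbinfo -n, then pass it to net rpc rights grant) is easy to get wrong when the lookup returns something other than a user, for example a group or a "Could not lookup name" failure, because the second command will happily accept whatever string is pasted in. The script below is an added example, not Quantum's code: it parses the wbinfo -n output line, checks that it is a well-formed domain SID of type SID_USER, and only then builds the grant command. The sample output lines and the DRY_RUN variable are constructed for this example; with DRY_RUN left at its default of 1 the grant is printed rather than executed.

```shell
#!/bin/sh
# Added example (not Quantum's code): extract a user SID from `wbinfo -n`
# output and grant SeDiskOperatorPrivilege only to a confirmed user SID.

# Constructed sample lines in the shape `wbinfo -n` prints on this page:
#   <SID> <SID type> (<type number>)
SAMPLE_USER_LINE='S-1-5-21-2500398869-2327988562-2535538314-500 SID_USER (1)'
SAMPLE_GROUP_LINE='S-1-5-21-2500398869-2327988562-2535538314-512 SID_DOM_GROUP (2)'
SAMPLE_FAIL_LINE='Could not lookup name nobody'

# extract_user_sid LINE
# Prints the SID and returns 0 only when LINE carries a domain SID
# (S-1-5-21-<a>-<b>-<c>-<rid>) whose type is SID_USER. Anything else
# (group, alias, unresolved name) returns 1 so the caller never grants
# a server privilege to the wrong principal.
extract_user_sid() {
    line=$1
    sid=${line%% *}                 # first whitespace-separated field
    rest=${line#"$sid"}             # everything after the SID
    if ! printf '%s\n' "$sid" | grep -Eq '^S-1-5-21-([0-9]+-){3}[0-9]+$'; then
        return 1
    fi
    case "$rest" in
        *SID_USER*) printf '%s\n' "$sid"; return 0 ;;
        *)          return 1 ;;
    esac
}

# grant_disk_operator USER [ADMIN]
# Runs the page's two commands in order. ADMIN defaults to sysadmin, the
# account the page uses for -U. DRY_RUN=1 (default) prints the grant
# command instead of running it, so the script is safe to try first.
grant_disk_operator() {
    user=$1
    admin=${2:-sysadmin}
    lookup=$(wbinfo -n "$user") || {
        echo "wbinfo lookup failed for '$user'" >&2
        return 1
    }
    sid=$(extract_user_sid "$lookup") || {
        echo "refusing to grant: '$lookup' is not a user SID" >&2
        return 1
    }
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "would run: net rpc rights grant -U$admin $sid SeDiskOperatorPrivilege"
    else
        net rpc rights grant -U"$admin" "$sid" SeDiskOperatorPrivilege
    fi
}

# Stand-alone demonstration on the constructed lines (no domain needed).
for sample in "$SAMPLE_USER_LINE" "$SAMPLE_GROUP_LINE" "$SAMPLE_FAIL_LINE"; do
    if sid=$(extract_user_sid "$sample"); then
        echo "user SID accepted:  $sid"
    else
        echo "rejected:           $sample"
    fi
done
```

To use it on a node, run it from rootsh as `DRY_RUN=0 sh grant-disk-operator.sh` after calling `grant_disk_operator sysadmin` at the bottom, or source the file and call the function directly; the SID type check is the part worth keeping even if the rest is typed by hand.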
If you are using Microsoft Active Directory (AD) with the RFC2307 idmap to authenticate users, each Domain User must have a valid UID number and GID number to map to the user name and group name of the AD account.
If you do not define these attributes, the winbind daemon cannot identify the user name or group name, and in turn, cannot authenticate the user to NAS management services.
For more information, see Apply AD Authentication To NAS.
If you are using Microsoft AD to perform authentication and you specify a user without administrative privileges, you may receive an error message similar to the following:
"net ads join" failed :Failed to join domain: Failed to set account flags for machine account (NT_STATUS_ACCESS_DENIED) (E-5046)
- Verify that you have entered the user name correctly.
- Verify the user is an administrator or has administrative privileges. See Apply AD Authentication To NAS and View User and Group Information.
If you are using AD to perform authentication and you receive an error like the following, then the computer object that you are using may be incorrect.
Error Verifying Kerberos Config: password verify for administrator@ENG.EXAMPLE.COM failed: kinit: Preauthentication failed while getting initial credentials (E-7002)
Keep in mind that when you join an AD domain, both a computer object and a corresponding Kerberos key are generated for the computer in the AD database.
Resolution
- Verify that there is not a propagation issue with the computer object.
- Restrict AD authentication to a limited number of AD domain servers. See Apply AD Authentication To NAS.
If you are using LDAP to perform authentication and you enter an incorrect or invalid password, you may receive an error message similar to the following:
Error Verifying Kerberos Config: password verify for administrator@ENG.EXAMPLE.COM failed: kinit: Preauthentication failed while getting initial credentials (E-7002)
Resolution
- Verify that you have entered a valid password for the administrator user.
- Retry the command. See Apply OpenLDAP Authentication to NAS.
While attempting to authenticate the Appliance Controller, you may receive the following error message:
The password for username (sysadmin) was not correct - you may need to change this user password (E-5046)
If you receive this message, you will need to change the password for the sysadmin user. See Log in to the Appliance Controller CLI.
If you experience problems accessing your Microsoft AD server from the Appliance Controller, do the following.
Verify that the Appliance Controller is connected to your Microsoft AD server
- Log in to rootsh.
- At the prompt, enter the following:
  net ads testjoin
- Do one of the following, depending on the command's return:
  - Appliance Controller is connected to your Microsoft AD server: proceed to the next task, Verify that your Microsoft AD server is connected to winbind.
  - Appliance Controller is not connected to your Microsoft AD server: re-authenticate your connection to the Microsoft AD server by issuing the auth config ads command from the Appliance Controller. See Apply AD Authentication To NAS.
Verify that your Microsoft AD server is connected to winbind
- Log in to rootsh.
- At the prompt, enter the following:
  wbinfo -P
- Log in to the Appliance Controller CLI.
- Do one of the following, depending on the command's return:
  - Microsoft AD server is connected to winbind: re-authenticate your connection to the Microsoft AD server by issuing the auth config ads command. See Apply AD Authentication To NAS.
  - Microsoft AD server is not connected to winbind: verify that winbind is running, and if it is not, restart winbind services by issuing the following command:
    system restart services winbind
If you receive authentication configuration errors when you issue the auth show config command, verify that you have correctly configured user authentication for your NAS environment.
- Log in to the Appliance Controller CLI.
- Verify that you can display authenticated users. See View User and Group Information.
- Log in to rootsh.
- At the prompt, enter the following command:
  wbinfo -P
Result
- If this command succeeds and you can display authenticated users, then you can disregard the authentication configuration errors.
- If this command does not succeed or you cannot display authenticated users, then you need to reconfigure NAS user authentication. See NAS User Authentication.
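The AD connectivity checks above and the auth show config check both come down to the same two probes, net ads testjoin and wbinfo -P, followed by a decision. The script below is an added example, not Quantum's code, that runs the probes in that order and prints the remediation this page associates with each outcome: a failed testjoin means re-running auth config ads, a joined node whose wbinfo -P fails means restarting winbind, and both succeeding means the remaining step is to confirm users display in the Appliance Controller CLI. The TESTJOIN_CMD and WINBIND_PING_CMD variables are an assumption added for this example so the decision logic can be exercised on a machine with no domain; they default to the real commands. Run it from rootsh with --run.

```shell
#!/bin/sh
# Added example (not Quantum's code): run the two probes this page uses
# (`net ads testjoin`, then `wbinfo -P`) and report the next action.
# The *_CMD overrides exist only so the logic can be tested without AD.
TESTJOIN_CMD=${TESTJOIN_CMD:-"net ads testjoin"}
WINBIND_PING_CMD=${WINBIND_PING_CMD:-"wbinfo -P"}

# nas_ad_state
# Prints exactly one of: not-joined, winbind-down, ok.
# Order matters: a failed join makes the winbind ping meaningless, so it
# is only attempted once testjoin succeeds, mirroring the page's sequence.
nas_ad_state() {
    if ! $TESTJOIN_CMD >/dev/null 2>&1; then
        echo not-joined
        return 0
    fi
    if ! $WINBIND_PING_CMD >/dev/null 2>&1; then
        echo winbind-down
        return 0
    fi
    echo ok
}

# nas_ad_advice STATE
# Prints the page's remediation for STATE. Returns 0 when no action is
# required, 1 when an operator step is needed, 2 for an unknown state.
nas_ad_advice() {
    case "$1" in
        ok)
            echo "Joined to AD and winbind answers. If 'auth show config' still reports errors, confirm that users display in the Appliance Controller CLI; if they do, the errors can be disregarded."
            return 0 ;;
        not-joined)
            echo "Appliance Controller is not connected to the AD server: re-run 'auth config ads' from the Appliance Controller CLI."
            return 1 ;;
        winbind-down)
            echo "Joined, but winbind is not answering: run 'system restart services winbind' from the Appliance Controller CLI, then re-check."
            return 1 ;;
        *)
            echo "unknown state: $1" >&2
            return 2 ;;
    esac
}

# Stand-alone use: `sh nas-ad-check.sh --run` on the node, from rootsh.
if [ "${1:-}" = "--run" ]; then
    state=$(nas_ad_state)
    echo "state: $state"
    nas_ad_advice "$state"
fi
```

The exit status of nas_ad_advice is deliberate: a cron or monitoring wrapper can treat non-zero as "someone needs to log in", while the printed line says which of the page's two commands to issue.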