Windows clients show "access denied" errors when ONTAP maps users to pcuser instead of the appropriate UNIX user
Applies to
- ONTAP 9
- CIFS/SMB
Issue
- "Access denied" error when accessing a Windows share from a UNIX security style volume.
- Windows users are mapped to the default UNIX user (pcuser) instead of the corresponding UNIX user
cluster1::> set -privilege advanced
Warning: These advanced commands are potentially dangerous; use them only when directed to do so by NetApp personnel.
Do you want to continue? {y|n}: y
cluster1::*> vserver services access-check name-mapping show -node node1 -vserver vs1 -direction win-unix -name DOMAIN\user1
'DOMAIN\user1' maps to 'pcuser'
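- The following troubleshooting steps can be used to isolate the issue:
- Verify that the SVM can resolve the required UNIX user credentials (for example, user1 for DOMAIN\user1)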
cluster1::*> vserver services access-check authentication translate -node node1 -vserver vs1 -unix-user-name user1
Vserver: vs1 (internal ID: 5)
Error: Acquire UNIX credentials procedure failed
[ 0 ms] Name 'user1' not found in UNIX authorization source LOCAL
[ 0] Could not get a user ID for name 'user1' using any NS-SWITCH authorization source
**[ 0] FAILURE: Unable to retrieve UID for UNIX user user1
Error: command failed: Failed to resolve user name to a UNIX ID. Reason: "SecD Error: user not found"
- If the error shows "user not found", check which name services are being used for user lookup
cluster1::*> vserver services name-service ns-switch show -vserver atmn -database passwd
Vserver: atmn
Name Service Switch Database: passwd
Name Service Source Order: files, nis
- If ns-switch lists only "files" and the UNIX user is not in the unix-user show output, the user must be created locally
- Create the user or group locally:
cluster1::*> unix-user create -vserver vs1 -user user1 -id 10 -primary-gid 20
cluster1::*> unix-group create -vserver vs1 -name user1 -id 20
- If ns-switch lists NIS or LDAP, check their configuration. Make sure UNIX user credentials can be retrieved from them
cluster1::*> nis-domain show -vserver vs1
cluster1::*> ldap client show -vserver vs1
cluster1::*> ldap client show -fields client-config
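
The troubleshooting steps above can be applied to captured command output as a small triage script. This is an added example, not NetApp code; the sample output is constructed from the output shown in this article, and the function names and finding labels are hypothetical.

```python
import re

# Constructed sample output, modeled on the command output shown in this article.
MAPPING_OUT = r"'DOMAIN\user1' maps to 'pcuser'"
TRANSLATE_OUT = (
    "Error: Acquire UNIX credentials procedure failed\n"
    "[ 0 ms] Name 'user1' not found in UNIX authorization source LOCAL\n"
    "**[ 0] FAILURE: Unable to retrieve UID for UNIX user user1\n"
    'Error: command failed: Failed to resolve user name to a UNIX ID. '
    'Reason: "SecD Error: user not found"\n'
)
NS_SWITCH_OUT = "Name Service Switch Database: passwd\nName Service Source Order: files, nis\n"

def parse_mapping(text):
    """Extract (windows_name, unix_name) from 'name-mapping show' output."""
    m = re.search(r"'([^']+)' maps to '([^']+)'", text)
    if m is None:
        raise ValueError("no \"'X' maps to 'Y'\" line in output")
    return m.group(1), m.group(2)

def parse_sources(text):
    """Extract the ns-switch source order as a list, e.g. ['files', 'nis']."""
    m = re.search(r"Name Service Source Order:\s*(.+)", text)
    if m is None:
        raise ValueError("no 'Name Service Source Order' line in output")
    return [s.strip().lower() for s in m.group(1).split(",") if s.strip()]

def triage(mapping_out, translate_out, ns_switch_out, default_user="pcuser"):
    """Return (finding, next_step) following the steps in this article."""
    win, unix = parse_mapping(mapping_out)
    wanted = win.rsplit("\\", 1)[-1]  # DOMAIN\user1 -> user1
    if unix != default_user:
        return ("mapped", f"{win} maps to {unix}; no default-user fallback")
    if "user not found" not in translate_out:
        return ("fallback", f"{wanted} resolves; cause is outside this procedure")
    external = [s for s in parse_sources(ns_switch_out) if s != "files"]
    if not external:
        return ("missing-local", f"create UNIX user {wanted} locally on the SVM")
    return ("missing-external",
            f"check {'/'.join(external)} configuration for UNIX user {wanted}")

if __name__ == "__main__":
    print(triage(MAPPING_OUT, TRANSLATE_OUT, NS_SWITCH_OUT))
```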