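NFS access denied due to invalid name mapping after upgrading to ONTAP 9.12.1+
Applies to
- ONTAP 9.12.1 and later
- NFS access (NTFS security style volumes), CIFS access (NTFS or Unix security style)
- CIFS local users and groups
Issue
- After upgrading to ONTAP 9.12.1 or later, users are denied access when mounting or accessing directories that were previously accessible
- The security trace shows: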
Access is denied because the UNIX user could not be mapped to a valid NT user while reading the user's access rights on an object.
- One of the volumes in the path to the target volume uses the NTFS security style; this may include the root volume
::> vol show -vserver svm1 -volume svm1_root -fields security-style
vserver volume security-style
------------- ------------------ --------------
svm1 svm1_root ntfs
- The Unix account that is denied access is explicitly mapped to a local Windows account
::> vserver name-mapping show -vserver svm1 -direction unix-win
Vserver: svm1
Direction: unix-win
Position Hostname IP Address/Mask
-------- ---------------- ----------------
1 - - Pattern: root
Replacement: SVM1\\Administrator
- The local account is disabled, which is the default for the preconfigured CIFS local user "Administrator"
::> local-user show -fields is-account-disabled
(vserver cifs users-and-groups local-user show)
vserver user-name is-account-disabled
------------- ------------------- -------------------
svm1 SVM1\Administrator true
- EMS log:
secd.nfsAuth.noCifsCred:error]: vserver (SVM) NFS authorization cannot retrieve CIFS credentials.
Error: Get user credentials procedure failed
[ 0 ms] Determined UNIX id 0 is UNIX user 'root'
[ 0] UNIX user 'root' mapped to Windows user 'SVM\administrator'
[ 0] Using cached 'SVM\administrator' SID mapping. **
[ 0] FAILURE: Account is disabled for local user 'Administrator'
[ 0] Could not get credentials for Windows user 'administrator' or SID 'S-1-5-21-xxxxx'