Oracle ZFS Storage Appliance: Using Netgroups to restrict share access to hosts does not work after upgrade

Asset ID:	1-72-1913044.1
Update Date:	2018-05-25
Keywords:

Solution Type Problem Resolution Sure

Solution 1913044.1 : Oracle ZFS Storage Appliance: Using Netgroups to restrict share access to hosts does not work after upgrade

Applies to:

Sun Storage 7110 Unified Storage System - Version All Versions and later
Oracle ZFS Storage ZS3-4 - Version All Versions and later
Oracle ZFS Storage ZS3-2 - Version All Versions and later
Sun ZFS Storage 7420 - Version All Versions and later
Sun ZFS Storage 7320 - Version All Versions and later
7000 Appliance OS (Fishworks)

Symptoms

A customer had previously tested restricting access to shares using netgroups, but since upgrading to the latest software release (2011.1.6.0) he can no longer gain access to the servers in the netgroup by adding an NFS exception.

The error is shown as "invalid credentials".

You have upgraded you appliance from 2011.04.24.4.0,1-1.21 --to --> 2011.04.24.6.0,1-1.36

Updating from ... ak/nas@2011.04.24.4.0,1-1.21
Loading media metadata ... done.
Selecting alternate product ... SUNW,otoro

Installing Sun ZFS Storage 7420 2011.04.24.6.0,1-1.36
pkg://sun.com/ak/SUNW,otoro@2011.04.24.6.0,1-1.36:20130422T221556Z

[ Jul 5 15:51:18 Executing start method ("/lib/svc/bin/svcio -p -L ro -R /etc/svc/volatile -S /usr/lib/ak/svc/stencil -a && exec /usr/lib/ak/svc/method/ldap-client"). ]
/usr/lib/ldap/ldap_cachemgr: failed. Please see syslog for details.

LDAP configuration

<status> = online
default_servers = 11.155.248.11:389
proxy_dn = cn=ramaaab,ou=Service Accounts,ou=Management,dc=m01rbsdmz01,dc=mde
proxy_password = *********
base_dn = OU=Accounts,OU=Management,DC=M01RBSDMZ01,DC=MDE
search_scope = sub
cred_level = proxy
auth_method = simple <<<<<<<<<<
use_tls = false <<<< TO BE SET TO TRUE {******If the Simple authentication method is used, SSL/TLS should be enabled so that the user's DN and password are not sent in plaintext.****}
user_mapattr =
user_mapobjclass =
user_search =
group_mapattr =
group_mapobjclass =
group_search =

[ Jul 5 15:49:55 Executing start method ("/lib/svc/bin/svcio -p -L ro -R /etc/svc/volatile -S /usr/lib/ak/svc/stencil -a && exec /usr/lib/ak/svc/method/ldap-client"). ]
/usr/lib/ldap/ldap_cachemgr: failed. Please see syslog for details.
[ Jul 5 15:49:55 Method "start" exited with status 1. ]

Jul 5 15:51:18 st1f742003b svc.startd[1286]: [ID 748625 daemon.error] network/ldap/client:default failed: transitioned to maintenance (see 'svcs -xv' for details)
Jul 5 15:54:39 st1f742003b ldap_cachemgr[9956]: [ID 293258 daemon.error] libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials
Jul 5 15:54:39 st1f742003b ldap_cachemgr[9956]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to 11.155.248.11:389
Jul 5 15:54:39 st1f742003b nscd[5799]: [ID 293258 user.error] libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials
Jul 5 15:59:49 st1f742003b last message repeated 2309 times
Jul 5 15:59:51 st1f742003b nscd[5799]: [ID 293258 user.error] libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials
Jul 5 16:04:38 st1f742003b last message repeated 2165 times
Jul 5 16:04:39 st1f742003b ldap_cachemgr[9956]: [ID 293258 daemon.error] libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials
Jul 5 16:04:39 st1f742003b ldap_cachemgr[9956]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to 11.155.248.11:389
Jul 5 16:04:40 st1f742003b nscd[5799]: [ID 293258 user.error] libsldap: Status: 49 Mesg: openConnection: simple bind f
Jul 5 15:49:55 st1f742003b ldap_cachemgr[6982]: [ID 293258 daemon.error] libsldap: Status: 0 Mesg: Configuration Error: Neither 'NS_LDAP_SERVERS' nor 'NS_LDAP_SERVER_PREF' is defined
Jul 5 15:49:55 st1f742003b ldap_cachemgr[6981]: [ID 703877 daemon.error] ldap_cachemgr: failed (rc = 255).
Jul 5 15:49:55 st1f742003b ldap_cachemgr[6991]: [ID 293258 daemon.error] libsldap: Status: 0 Mesg: Configuration Error: Neither 'NS_LDAP_SERVERS' nor 'NS_LDAP_SERVER_PREF' is defined
Jul 5 15:49:55 st1f742003b ldap_cachemgr[6990]: [ID 703877 daemon.error] ldap_cachemgr: failed (rc = 255).
Jul 5 15:49:55 st1f742003b ldap_cachemgr[7000]: [ID 293258 daemon.error] libsldap: Status: 0 Mesg: Configuration Error: Neither 'NS_LDAP_SERVERS' nor 'NS_LDAP_SERVER_PREF' is defined
Jul 5 15:49:55 st1f742003b ldap_cachemgr[6999]: [ID 703877 daemon.error] ldap_cachemgr: failed (rc = 255).
Jul 5 15:49:55 st1f742003b svc.startd[1286]: [ID 748625 daemon.error] network/ldap/client:default failed: transitioned to maintenance (see 'svcs -xv' for details)
Jul 5 15:51:18 st1f742003b ldap_cachemgr[7581]: [ID 293258 daemon.error] libsldap: Status: 0 Mesg: Configuration Error: Neither 'NS_LDAP_SERVERS' nor 'NS_LDAP_SERVER_PREF' is defined
Jul 5 15:51:18 st1f742003b ldap_cachemgr[7578]: [ID 703877 daemon.error] ldap_cachemgr: failed (rc = 255).
Jul 5 15:51:18 st1f742003b svc.startd[1286]: [ID 748625 daemon.error] network/ldap/client:default failed: transitioned to maintenance (see 'svcs -xv' for details)

Logs show 'expired' or 'not valid' user name/password.

Cause

Known issue.

This is an instance of Bug 15794061 (LDAP netgroup configuration)

Solution

Upgrade to Appliance Firmware Release 2013.1.2.0 or later.

***Checked for relevance on 25-MAY-2018***

References

<BUG:1579401> - CRM DOM1151: ORACLE APPS" APPLICATION DEVELOPER RESPONSIBILITY IS CORRUPTED
<BUG:18088707> - LDAP NETGROUP SUPPORT USING STANDARD ACTIVE DIRECTORY GROUPS

Attachments

This solution has no attachment