Symptoms

When multiprotocol is enabled for the NAS server, it is not recommended to modify the SMB Active Directory domain. If the SMB Active Directory domain is changed, there could be a permission issue due to duplicated Secmap entries for the same username. For example: There is a multiprotocol NAS server "cxnas1224" with SMB Active Directory domain being "VITA." With svc_cifssupport 'secmap' command, we can see that there is a user "cifsuser" who has been mapped to UID 1012: After changed the SMB Active Directory domain from "VITA" to "PITHOS," there could be duplicated Secmap entries for the same username, like we can see there are two "cifsuser" entries from two domains that both being mapped to UID 1012: This could cause some permission problem. For example, if the FS access policy is set to "Windows." After the domain change, the "PITHOS\cifsuser" creates a file from SMB, and then tries to access it from NFS. The access from NFS may fail because the UID 1012 may be mapped to "VITA\cifsuser."

Cause

The Secmap DB will not be automatically updated after the Active Directory domain change.Environment: The Unity arrays having NAS server with multiprotocol enabled

Resolution

After the Active Directory domain change, the customer must manually delete the stale entries from the old domain with svc_cifssupport command. Use SID to identify an entry, as the -delete -name <name> -domain <domain_name> may fail because of the domain change. For example:

Support Cases