I think this is more related to Ldap client on the Data Mover timing out trying to get a mapping
The error you see about Usermapper bcast is because you don't have the service running (how many Data Movers in your configuration?)
Unfortunately I do not think that the Ldap client will log a message in server_log if it cannot get a mapping. You have to open a SR so that someone from Tech Support increases Ldap logging in order to have a chance to see something in server_log
@Jeffey, how in particular are you suggesting I check secmap by using the server_cifssupport? As mentioned in my description of the issue, the users who are having issues mapping to shares on the CIFS servers are those who do not have an mapping entry in the secmap table. But the question is, why? Eventually their uid/sid will be created in secmap and future share mappings then work, but it seems to take several attempts mapping to a share for the entry to be created in secmap.
@bergec, you mentioned that Tech support could increase ldap logging, that is not something that they have suggested or done yet. I will try pushing for them to do that since the tcp dump has not yet revealed anything, other than ldap queries are possibly not occuring.
I am currently still working with EMC support to resolve this issue without much sucess so far unfortunately. I have provided EMC with a tcpdump of the IPs of the DCs, and then provided them with some usernames and times of logins, but they said that at those times when I reported a user logged in but did not receive a mapping, there was no ldap query reported in the dump file, but the times I indicated that they (the users) logged in and did then manage to get the share mappings, there were ldap queries logged. One of the problems with the trace is that we have had to do one IP at a time, so it is possible that for the times we ran a trace for failed users, they ldap client possibly used on one of the other DCs for the ldap query. Trying to find out now if we can run multiple tcp dumps at the same time, cannot run an unfiltered dump as the files get too large too quickly.
please verify the status of the usermapper service, use this command syntax: server_usermapper server_X. Is it a primary, secondary or client? please take notes.
Use the command "server_cifs server_x" and "more /etc/nsswitch.conf" to check NAS and let us know the result.
Using the command "server_cifssupport -secmap -list" or "server_cifssupport -secmap -verify {name -domain | -sid }" to check the secmap status after a new client login in and take note.
Just for the records: we face the same problems with NIS instead of LDAP. As a workaround we use cifssupport -secmap -create when we add new accounts to our NIS/LDAP.
@Jeffey, we are not using the usermapper service. We have AD extended with the idMU schema extensions.
I am guessing that you actually meant for me to check the nsswitch.conf file of the data movers as opposed to the control station nsswitch.conf file. The nsswitch.conf for the data mover contains only the following:
passwd: ldap files
group: ldap files
hosts: ldap dns files
We removed all other references (such as nis) from the nsswitch.conf file a long time ago.
The problem, and the point is, that new users are not always having an entry created in secmap, it seems intermittent as to whether it does create it on the first attempt at mapping a network drive on the Celerra, or whether it creates only after several attempts.
@urle, we can manually create the entries (tested it once I noticed that users did not have secmap entries being created), but we have a lot of users who do not necessarily ever log in, so I do not want to create secmap entries for every single user.
Not sure if that applies to your configuration but it could be that when a nrw user is created (along with Ldap info) this will go to one DC (eg DC1) but when that user logs in the the Data Mover talks to another DC (eg DC2) for Ldap mapping, but at that time AD replication between DC1 and DC2 is not finished
bergec
275 Posts
0
October 10th, 2011 10:00
I think this is more related to Ldap client on the Data Mover timing out trying to get a mapping
The error you see about Usermapper bcast is because you don't have the service running (how many Data Movers in your configuration?)
Unfortunately I do not think that the Ldap client will log a message in server_log if it cannot get a mapping. You have to open a SR so that someone from Tech Support increases Ldap logging in order to have a chance to see something in server_log
Claude
PebbleMatt
39 Posts
1
October 11th, 2011 01:00
I should have considered the possibility of it being an LDAP client issue, I will open a SR and see what tech support say. Thanks.
Rainer_EMC
4 Operator
•
8.6K Posts
0
October 11th, 2011 06:00
As Claude said its much more likely to be an LDAP issue
Since DART 5.6.36.4 secmap actually uses a database instead of rootfs entries so its quite fast and scalable
Rainer
Jeffey1
4 Operator
•
2.8K Posts
0
October 25th, 2011 01:00
Please using the command server_cifssupport to check secmap.
PebbleMatt
39 Posts
0
October 26th, 2011 04:00
@Jeffey, how in particular are you suggesting I check secmap by using the server_cifssupport? As mentioned in my description of the issue, the users who are having issues mapping to shares on the CIFS servers are those who do not have an mapping entry in the secmap table. But the question is, why? Eventually their uid/sid will be created in secmap and future share mappings then work, but it seems to take several attempts mapping to a share for the entry to be created in secmap.
@bergec, you mentioned that Tech support could increase ldap logging, that is not something that they have suggested or done yet. I will try pushing for them to do that since the tcp dump has not yet revealed anything, other than ldap queries are possibly not occuring.
I am currently still working with EMC support to resolve this issue without much sucess so far unfortunately. I have provided EMC with a tcpdump of the IPs of the DCs, and then provided them with some usernames and times of logins, but they said that at those times when I reported a user logged in but did not receive a mapping, there was no ldap query reported in the dump file, but the times I indicated that they (the users) logged in and did then manage to get the share mappings, there were ldap queries logged. One of the problems with the trace is that we have had to do one IP at a time, so it is possible that for the times we ran a trace for failed users, they ldap client possibly used on one of the other DCs for the ldap query. Trying to find out now if we can run multiple tcp dumps at the same time, cannot run an unfiltered dump as the files get too large too quickly.
Jeffey1
4 Operator
•
2.8K Posts
0
October 26th, 2011 19:00
Pebble, could you please do the following check?
How many Celerras do you use?
please verify the status of the usermapper service, use this command syntax: server_usermapper server_X. Is it a primary, secondary or client? please take notes.
Use the command "server_cifs server_x" and "more /etc/nsswitch.conf" to check NAS and let us know the result.
Using the command "server_cifssupport -secmap -list" or "server_cifssupport -secmap -verify {name -domain | -sid }" to check the secmap status after a new client login in and take note.
Jeffey1
4 Operator
•
2.8K Posts
0
October 26th, 2011 23:00
Yeah, By default NIS have more higher priority than LDAP in the secmap, we could adjust it in the nsswitch.conf file.
urle
48 Posts
0
October 26th, 2011 23:00
Just for the records: we face the same problems with NIS instead of LDAP. As a workaround we use cifssupport -secmap -create when we add new accounts to our NIS/LDAP.
PebbleMatt
39 Posts
0
October 27th, 2011 04:00
@Jeffey, we are not using the usermapper service. We have AD extended with the idMU schema extensions.
I am guessing that you actually meant for me to check the nsswitch.conf file of the data movers as opposed to the control station nsswitch.conf file. The nsswitch.conf for the data mover contains only the following:
passwd: ldap files
group: ldap files
hosts: ldap dns files
We removed all other references (such as nis) from the nsswitch.conf file a long time ago.
The problem, and the point is, that new users are not always having an entry created in secmap, it seems intermittent as to whether it does create it on the first attempt at mapping a network drive on the Celerra, or whether it creates only after several attempts.
@urle, we can manually create the entries (tested it once I noticed that users did not have secmap entries being created), but we have a lot of users who do not necessarily ever log in, so I do not want to create secmap entries for every single user.
bergec
275 Posts
0
October 27th, 2011 09:00
Not sure if that applies to your configuration but it could be that when a nrw user is created (along with Ldap info) this will go to one DC (eg DC1) but when that user logs in the the Data Mover talks to another DC (eg DC2) for Ldap mapping, but at that time AD replication between DC1 and DC2 is not finished
Claude