Rashid-GDIT
1 Copper

Problems joining Celerra to new local domain

I recently had to move our SAN equipment over to another network. This of course forced me to destroy the domain I had between my CLARiiON CX4-120 and my Celerra NS-G8 (Gateway). After I re-created the domain on the CLARiiON I went to add the Celerra to the new domain and it tells me of course that it is already apart another domain and that proceeding would pretty much orphan any global domain user accounts. When I saw this I canceled and tried to do it another way but I didn't see anything else where I could remove it from the domain in Unisphere within the Celerra. After looking for help through the documentation to no avail I figured I could just proceed with joining the new domain and accept the warning about it already being in another domain. After all, it said it would remove it and join the new one and this is what I wanted anyway. Well, I did that and it prompted me for credentials to connect. Of course put the local root account with the rights to modify domain attributes on Celerra and it proceeds. Only I noticed that it didn't join the domain but it just allowed me to log on as the root within the same Unisphere instance. It will not accept the new global domain username when I try to log into the Celerra. I have to log with the local accounts. Problem is, it's clear that I screwed it up because it will accept the old domain username and password (that no loger exist) but it just hangs because it's an orphaned account (i know, it warned me this would happen). I can't even go into the Celerra and delete the old domain user account becuase the delete button is grayed out. Does anyone know how I can fix what I did? I haven't been sucessful finding specific documentation on this. 

2 Replies
Rashid-GDIT
1 Copper

Re: Problems joining Celerra to new local domain

So apprently this is a known issue to where the domain databases do not sync. I have an active SR ticket opened with EMC and so far they haven't been able to figure it out yet. Although just in case someone else can benefit from where I've gotten so far see the primus reports listed below:

Service Workaround for Joining the Celerra to the Storage Domain from the CLI:

  1. Use a special curl command to ·prep· the CS.  Please be aware that you will need to execute Step 2 within five minutes of issuing the Curl command!

    # curl ·kv  ·https://<celera_ip>/cgi-bin/set_incomingmaster?master=<SPA_masterIP>,·

    Note:  The question mark, and the ending comma in the above command needs to be included.  Please input the appropriate IP addresses in the < > brackets, without the actual < > brackets.
     
  2. Issue the following navicli command to the domain master in order to add the Celerra Control Station to the storage domain:

    # /nas/sbin/naviseccli -h <spa_master_IP> -user <username> -password <password> -scope 0 domain -add <celerra_CS_IP>


  3. Verify from CLI:

    After a successful Join, this directory should be populated with domain_list, domain_master, and domain_users files.

    # ls -la /nas/http/domain 

    -rw-r--r--  1 apache apache   57 Oct 13 10:44 domain_list
    -rw-r--r--  1 apache apache   68 Jul 26 14:36 domain_master
    -rw-r--r--  1 apache apache  314 Dec  3 13:50 domain_users

    # /nas/sbin/navicli -h 10.250.78.5 domain -list 

    (You should see the Control Station IP listed.)

    Node:                 cs120
    IP Address:           10.250.78.4
    Name:                 cs120
    Port:                 80
    Secure Port:          443
    IP Address:           10.250.78.4
    Name:                 cs120
    Port:                 80
    Secure Port:          443

    Node:                 APM00083401071
    IP Address:           10.250.78.5
    Name:                 spb
    Port:                 80
    Secure Port:          443
    IP Address:           10.250.78.4 (Master)
    Name:                 spa
    Port:                 80
    Secure Port:          443


    4.  Verify management access of both systems from Unisphere by launching a browser, pointing to the IP address of the Control Station, and logging in using the array admin account (e.g., nasadmin), with Scope Global.



    The following shows the CLI output of a successful curl and join:

    [root@vg8 nasadmin]# curl -kv "https://10.240.167.82/cgi-bin/set_incomingmaster?master=10.240.167.140,"
    * About to connect() to 10.240.167.82 port 443
    *   Trying 10.240.167.82... connected
    * Connected to 10.240.167.82 (10.240.167.82) port 443
    * error setting certificate verify locations, continuing anyway:
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSLv2, Client hello (1):
    SSLv3, TLS handshake, Server hello (2):
    SSLv3, TLS handshake, CERT (11):
    SSLv3, TLS handshake, Server key exchange (12):
    SSLv3, TLS handshake, Server finished (14):
    SSLv3, TLS handshake, Client key exchange (16):
    SSLv3, TLS change cipher, Client hello (1):
    SSLv3, TLS handshake, Finished (20):
    SSLv3, TLS change cipher, Client hello (1):
    SSLv3, TLS handshake, Finished (20):
    SSL connection using DHE-RSA-AES256-SHA
    * Server certificate:
    *        subject: /O=Celerra Control Station Administrator/CN=10.240.167.82/CN=vg8/CN=vg8.hosts.pvt.dns
    *        start date: 2010-10-12 19:18:12 GMT
    *        expire date: 2015-10-18 19:18:12 GMT
    *        common name: vg8.hosts.pvt.dns (does not match '10.240.167.82')
    *        issuer: /O=Celerra Certificate Authority/CN=vg8
    * SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
    > GET /cgi-bin/set_incomingmaster?master=10.240.167.140, HTTP/1.1
    > User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8n zlib/1.2.3 libidn/0.6.5
    > Host: 10.240.167.82
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Date: Fri, 03 Dec 2010 01:48:59 GMT
    < Server: Apache
    < Transfer-Encoding: chunked
    < Content-Type: text/plain; charset=UTF-8
    OK
    * Connection #0 to host 10.240.167.82 left intact
    * Closing connection #0
    * SSLv3, TLS alert, Client hello (1):


    [root@vg8 nasadmin]# /nas/sbin/naviseccli -h 10.240.167.140 -user nasadmin -password nasadmin -scope 0 domain -add 10.240.167.82
    WARNING: You are about to add following node(s) to the domain.
    10.240.167.82
    Proceed? (y/n) y

    [root@vg8 nasadmin]#


The following is a Primus(R) eServer solution:

ID: emc256359
Domain: EMC1
Solution Class: 3.X Compatibility

Goal       ETA emc256359: Celerra: Adding a Celerra to the CLARiiON storage domain (or managing the Celerra) fails, and Celerra domain shows as 'newer version' with status 'unsupported'

Fact       EMC Technical Advisory (ETA)

Fact       EMC SW: Unisphere Service Manager (USM)

Fact       EMC SW: NAS Code 6.0.40-5

Symptom    Celerra system in Unisphere shows "Domain" field as "Newer Version."

Symptom    Celerra system in Unisphere shows "Status" "Unsupported."

Symptom    New installations of Celerra 6.0.40-5 may fail to join the CLARiiON storage domain

Symptom    Cannot manage the Celerra within the storage domain using a single user sign-on to the array.

Symptom    Logging in to the Control Station using the storage domain admin account may fail with pop-up message:

Authentication Failed

Cause     

A Celerra system can only be managed by a version of Unisphere that has a Celerra plug-in of the same version or later.  Once 6.0.40-5 is installed on a Celerra, only a corresponding 6.0.40-5 version of the Celerra plug-in can be used.  If Unisphere is downloaded from one of the Storage Processors in the array, an older version of the Celerra plug-in will be installed and the 6.0.40-5 Celerra will not be manageable.  Currently available versions of the Unisphere Client (including 1.0.50.1.0248 and earlier) also have this issue.  Therefore, when a version of Unisphere with an older version of the plug-in is used to try to manage a later version of the Celerra, a message of ·Unsupported· or ·Newer Version· is encountered.


The Unisphere plugin version mismatch issues manifest in the following behaviors:

  1. Systems that are newly installed at 6.0.40-5 cannot "join" the CLARiiON Storage domain because of the Unisphere plugin mismatched versions.
     
  2. Systems that were already joined, and are upgraded to 6.0.40-5, can no longer be "managed" by Unisphere in a "single user" scenario if logging into the array IP address.

Fix        Fix:

This issue is currently under investigation, but will most likely require a long-term solution.  An off-array fix is in Release 1.0.50.1.0326 of the Unisphere Client application, which is compatible with the 6.0.40-5 Celerra Unisphere plugin. The off-array fix resolves the single user sign-on issue when using the IP address of the array for system management and allows new Celerra 6.0.40-5 installations to join the CLARiiON storage domain.

The solution for off-array is in  ·EMC Unisphere Client (Windows) 1.0.50.1.0326· at this location on Powerlink:

Home > Support > Software Downloads and Licensing > Downloads T-Z > Unisphere Server Software

An  on-array software solution for the single user sign-on issue and domain-addition issue is now available as part of "CX4 Series FLARE OE Bundle 04.30.000.5.509", and is available at this location on Powerlink:

Home > Support > Software Downloads and Licensing > Downloads C > CLARiiON CX4

Workarounds:

Workaround #1 - For Celerra "join" issues to the storage domain:

If you have a 6.0.40-5 system that has been newly installed or upgraded, and cannot get the Celerra to properly join the Storage Domain, please contact your service provider and reference this solution (emc256359) for assistance.


Workaround #2 - For single user sign-on management issue:

If you have a 6.0.40-5 system that is a member of the storage domain, but can no longer be managed with the "single user sign-on" capability when logging into the array IP address, use the following steps to achieve single user sign-on management capability of both the array and the Celerra:

  1. Launch a web browser.
  2. Enter the IP address of the Celerra Control Station.
  3. At the logon screen, enter the array admin account [e.g., nasadmin], name,  and password, using Scope Global.  You should be able to log in and administer both systems if the admin account has been previously assigned the correct privileges for managing the Celerra.

Note 1:  The array admin account should have the appropriate privileges applied in order to be able to manage the Celerra system.  To verify and set the correct privileges, log into the Control Station using Unisphere, as the Root user, Scope Local.  Go to Settings > User Management > Users.  Right-click the array administrator account that has been migrated to the Celerra as part of the "Join" process (for example, nasadmin1), select Properties, and ensure that the following Group membership boxes have been checked:

  • fullnas(nasadmin)
  • nasadmin(operator)
  • imported_administrator(imported_administrator)

Note 2:  If you experience an "Authentication Failed" popup when trying to login as the array administrator to the Celerra Control Station IP Address, with Scope Global, perform the following workaround and then retry the login operation:

# /nas/sbin/cst_setup -reset

See emc257327 for more details regarding the 'Authentication Failed' popup error.

0 Kudos
whl
1 Copper

Re: Problems joining Celerra to new local domain

Thanks for the article.

I had the same problem with domain join, this commands are very good.

1. curl -kv "https://.....

2. /nas/sbin/naviseccli -h .....

3. Open master spa with the local installed client.

br

Friedrich

0 Kudos