PowerScale: NFS identity query failed for user@domain error STATUS_INVALID_PRIMARY_GROUP
Summary: "NFS identity query failed for user@domain, error=STATUS_INVALID_PRIMARY_GROUP" alerts are seen in the cluster.
Symptoms
Event: Resolved: NFS identity query failed for group=user@domain, error=STATUS_INVALID_PRIMARY_GROUP (Event ID 400140001 is generated for the alert)
Cause
Resolution
There are a few different ways to address the alert.
1. Make sure the Domain value in the client's /etc/idmapd.conf matches the NFSv4 domain that is set in the cluster's NFS settings for the applicable access zone. See the example below:
From PowerScale side:
# isi nfs settings zone view --zone=NFS
NFSv4 Domain: localdomain <<<<<<<<<<<<<<<
NFSv4 Replace Domain: Yes
NFSv4 No Domain: No
NFSv4 No Domain UIDs: Yes
NFSv4 No Names: No
NFSv4 Allow Numeric IDs: Yes
Client side:
[root@centos ~]# cat /etc/idmapd.conf | grep -i domain
# The following should be set to the local NFSv4 domain name
# The default is the host's DNS domain name.
Domain = PowerScale.local
Notice that the NFSv4 domain on the PowerScale cluster (localdomain) does not match the domain on the client (PowerScale.local). The two must be consistent, or identity queries for user@domain names will fail.
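The following POSIX shell check is an added example and is not part of the Dell KB article or OneFS. It reads the text of the client's /etc/idmapd.conf and the output of "isi nfs settings zone view" (in the layout shown above), extracts the NFSv4 domain from each side and reports whether they agree. It assumes the "NFSv4 Domain:" label used in the output above, and it compares the two values case-insensitively on the assumption that DNS domain names are case-insensitive; the sample inputs are constructed to mirror the mismatch shown in this step.

```shell
#!/bin/sh
# Added example (not from the Dell KB): compare the NFSv4 domain on a Linux
# NFS client with the NFSv4 domain configured for a PowerScale access zone.
# Both inputs are passed as strings (file contents / command output) so the
# check runs offline; in practice feed it "$(cat /etc/idmapd.conf)" and the
# saved output of "isi nfs settings zone view --zone=<zone>".

# Effective "Domain = ..." value from idmapd.conf text: skips comment lines,
# tolerates whitespace around '=', and takes the last uncommented setting.
idmapd_domain() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*[Dd]omain[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' |
        tail -n 1
}

# "NFSv4 Domain:" value from "isi nfs settings zone view" output. The label
# "NFSv4 No Domain:" does not match this pattern, so it is not picked up.
onefs_nfsv4_domain() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*NFSv4 Domain:[[:space:]]*\([^[:space:]<]*\).*/\1/p' |
        head -n 1
}

# Assumption: DNS domain names are case-insensitive, so compare lowercased.
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Returns 0 when both sides agree, 1 on a mismatch, 2 when a value is missing.
check_nfsv4_domain() {
    client=$(idmapd_domain "$1")
    cluster=$(onefs_nfsv4_domain "$2")
    if [ -z "$client" ] || [ -z "$cluster" ]; then
        echo "UNKNOWN: client='$client' cluster='$cluster' (value not found)"
        return 2
    fi
    if [ "$(lower "$client")" = "$(lower "$cluster")" ]; then
        echo "OK: NFSv4 domain '$client' matches on client and cluster"
        return 0
    fi
    echo "MISMATCH: client idmapd.conf Domain='$client', cluster NFSv4 Domain='$cluster'"
    return 1
}

# Constructed samples modelled on the KB output above (not captured from a live system).
SAMPLE_IDMAPD='[General]
# The following should be set to the local NFSv4 domain name
# The default is the DNS domain name of the host.
Domain = PowerScale.local
'

SAMPLE_ISI='NFSv4 Domain: localdomain
NFSv4 Replace Domain: Yes
NFSv4 No Domain: No
NFSv4 No Domain UIDs: Yes
NFSv4 No Names: No
NFSv4 Allow Numeric IDs: Yes'

# Same zone after the cluster domain has been aligned with the client.
SAMPLE_ISI_FIXED='NFSv4 Domain: powerscale.local
NFSv4 Replace Domain: Yes'

# Stand-alone run: first pair reproduces the mismatch, second pair the fix.
check_nfsv4_domain "$SAMPLE_IDMAPD" "$SAMPLE_ISI" || :
check_nfsv4_domain "$SAMPLE_IDMAPD" "$SAMPLE_ISI_FIXED" || :
```

The exit code makes the function usable from a runbook or a scheduled job: a non-zero result means the client and the zone disagree, which is the condition behind the STATUS_INVALID_PRIMARY_GROUP identity-query failures described in this step.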
2. Suppress the alert from the OneFS web administration interface: Cluster management > Events and Alerts > Alert Management, then scroll down and type NFS in the filter; the alert should appear so that it can be suppressed.
3. For OneFS versions earlier than 9.2, update the following gconfigs to suppress these alerts. This requires restarting NFS, so this change should be scheduled during a maintenance window.
isi_gconfig registry.Services.lwio.Parameters.Drivers.nfs.AlertFailedIDQueryThrottleDurationSec
^ the default value is 3600.
isi_gconfig registry.Services.lwio.Parameters.Drivers.nfs.AlertFailedIDQueryThrottleThreshold
^ the default value is 20.
These would be changed to 0.
NOTE: A restart of NFS across the cluster is needed for the changes to take effect, so this should be carried out in a maintenance window.
Change the gconfigs:
# isi_gconfig registry.Services.lwio.Parameters.Drivers.nfs.AlertFailedIDQueryThrottleDurationSec=0
# isi_gconfig registry.Services.lwio.Parameters.Drivers.nfs.AlertFailedIDQueryThrottleThreshold=0
4. Disable the "NFSv4 Replace Domain" parameter in the corresponding access zone. With it disabled, the domain is taken from the lsass identity and lsass does not try to look up domain-less users.
NOTE: There is no way for us to know whether or how this will affect particular workflows or environments. The setting is on by default in order to force all users and groups to the domain configured for that zone.
See current settings:
# isi nfs settings zone view --zone=NFS
NFSv4 Domain: localdomain
NFSv4 Replace Domain: Yes <<<<<<<<< default is yes
NFSv4 No Domain: No
NFSv4 No Domain UIDs: Yes
NFSv4 No Names: No
NFSv4 Allow Numeric IDs: Yes
Command to change:
isi nfs settings zone modify --zone=<zone name> --nfsv4-replace-domain=no