Root user cannot log in to WebUI/CLI in 8.x when the default domain is set
Summary: Duplicate root user in the domain causes issues logging into the cluster over WebUI and CLI.
Symptoms
Logging into the cluster, through either the WebUI or the CLI, fails with a password error.
This applies to OneFS 8.x when a duplicate user (such as root) exists on the domain.
You can still log in using the unix_users domain:
UNIX_USERS\root
Verify whether the domain in question is set as the default domain:
# isi auth ads view --provider-name=<domain> --verbose | grep "Assume Default Domain"
Assume Default Domain: Yes
Cause
If the default domain is set, OneFS first reaches out to the domain to authenticate the local user in question. In this case, we are using root. If a user with that name exists on the domain, OneFS attempts to authenticate the user through the domain instead of the local provider.
If the domain account is disabled, you see an error when attempting to log in.
Resolution
In 8.x you can add unfindable users to any domain controller using the following command:
# isi auth ads modify --provider-name=<domain> --add-unfindable-users=<list of users we don't want found (include both the domain name and the FQDN)> --restrict-findable=yes
To confirm that the settings have been applied, run the view command again:
# isi auth ads view --provider-name=<domain> --verbose
You are looking for this output:
Unfindable Users: <FQDN>\root, <Domain>\root, 0, root
Findable Groups: -
Findable Users: -
Restrict Findable: Yes
In order for the cluster to actually filter out the unfindable users, the Restrict Findable setting must be turned on; adding the users alone is not enough.
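As an added check that is not part of the original article, the script below parses captured output of the verify command above and reports whether both conditions the article requires are met: the user is listed under "Unfindable Users" and "Restrict Findable" is "Yes". The sample outputs are constructed for this example (EXAMPLE.LOCAL and EXAMPLE are placeholder domain names), and the function names are assumptions; in practice you would feed it the real output of `isi auth ads view --provider-name=<domain> --verbose`.

```shell
#!/bin/sh
# Added example, not OneFS code: validates the two settings the KB article
# says are both required. Sample outputs below are constructed; the field
# names match the article's "isi auth ads view --verbose" output.

SAMPLE_FIXED='           Assume Default Domain: Yes
                Unfindable Users: EXAMPLE.LOCAL\root, EXAMPLE\root, 0, root
                 Findable Groups: -
                  Findable Users: -
               Restrict Findable: Yes'

# Users were added, but the filter switch was never turned on.
SAMPLE_NO_RESTRICT='       Assume Default Domain: Yes
                Unfindable Users: EXAMPLE.LOCAL\root, EXAMPLE\root, 0, root
               Restrict Findable: No'

# Filter is on, but root was never added to the unfindable list.
SAMPLE_NO_USER='           Assume Default Domain: Yes
                Unfindable Users: -
               Restrict Findable: Yes'

# field_value OUTPUT FIELD: print the value after "FIELD:" (first match, trimmed)
field_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# local_login_protected OUTPUT [USER]
# Exit 0 when the local USER (default: root) will not be diverted to AD:
#   - default domain is not assumed (the issue in the article cannot occur), or
#   - USER is in "Unfindable Users" AND "Restrict Findable" is Yes.
# Exit 1 otherwise.
local_login_protected() {
    llp_out=$1
    llp_user=${2:-root}
    llp_assume=$(field_value "$llp_out" "Assume Default Domain")
    [ "$llp_assume" = "Yes" ] || return 0
    llp_unfind=$(field_value "$llp_out" "Unfindable Users")
    llp_restrict=$(field_value "$llp_out" "Restrict Findable")
    # Match the exact entry, delimited by ", " so "EXAMPLE\root" does not
    # satisfy a check for the bare local name "root".
    case ", $llp_unfind," in
        *", $llp_user,"*) ;;
        *) return 1 ;;
    esac
    [ "$llp_restrict" = "Yes" ]
}

# report LABEL OUTPUT: human-readable summary for one captured output
report() {
    if local_login_protected "$2" root; then
        printf '%s: OK, local root login is protected\n' "$1"
    else
        printf '%s: NOT protected, check Unfindable Users and Restrict Findable\n' "$1"
    fi
}

report "fixed"       "$SAMPLE_FIXED"
report "no-restrict" "$SAMPLE_NO_RESTRICT"
report "no-user"     "$SAMPLE_NO_USER"
```

Both negative samples are the two half-configured states the article warns about: users added without `--restrict-findable=yes`, or the filter enabled without the users. Either one leaves the default domain intercepting the local root login.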