Isilon: OneFS: External Authentication Provider Information Missing for Newly Added Node

A newly added node may not show the same authentication status as the original cluster nodes. In the following example nodes 4-6 are newly added nodes that do not see the domain the cluster is joined to:

# isi_for_array -s "isi auth status | grep -i corp.xxx.org " 
xxx-ISILON-1: lsa-activedirectory-provider:CORP.xxx.ORG xxx.xxx.xxx.org online 
xxx-ISILON-2: lsa-activedirectory-provider:CORP.xxx.ORG xxx.xxx.xxx.org online 
xxx-ISILON-3: lsa-activedirectory-provider:CORP.xxx.ORG xxx.xxx.xxx.org online 
xxx-ISILON-4 exited with status 1 
xxx-ISILON-5 exited with status 1 
xxx-ISILON-6 exited with status 1 

 

If a node is added to a cluster before the networking configuration is implemented, lsass may have exhausted the number of attempts permitted to query the external authentication provider to load the configuration. Once a route from the node to the authentication provider is made available (cabling, external network configuration and adding the new node interface(s) to a network pool that can reach the authentication provider), the lsass process is not automatically prompted to query again.

Run this command on the new node(s) to refresh the configuration and the node will attempt again to connect to any configured external authentication providers:

# isi auth refresh

or

# isi_for_array -n <Low LNN-High LNN> 'isi auth refresh'

In this example, the command would be

# isi_for_array -n 4-6 'isi auth refresh'

One method to mitigate the issue is to use node provisioning rules to automatically configure interfaces in specified network pools.

Please refer to the applicable OneFS Administration Guide for more information. For OneFS 8.0.0.x, please see information starting on page 960: https://support.emc.com/docu65065_OneFS-8.0.0-CLI-Administration-Guide.pdf?language=en_US


 

It may be required to restart lsass. Note: This is a per node command.

# /usr/likewise/bin/lwsm restart lsass