Did name mapping (Kerberos to UNIX) change between ONTAP 8.3 and 9.x?

Hi,

We are testing an upgrade to ONTAP 9.0 and 9.1RC from ONTAP 8.3.

This name mapping works in ONTAP 8.3:

Kerberos to UNIX:

Pattern: (.+)\$@DOMAIN.COM Replacement: nfsuser

This name mapping doesn't work in ONTAP 9.x:

Kerberos to UNIX:

Pattern: (.+)\$@DOMAIN.COM Replacement: nfsuser

This is the error from my NetApp:

12/2/2016 15:19:23  MYNODE     ERROR         secd.nfsAuth.problem: vserver (nfsv4) General NFS authorization problem. Error: RPC accept GSS token procedure failed

 [ 24 ms] Acquired NFS service credential for logical interface 1027 (SPN='nfs/nfsv4.domain.com@DOMAIN.COM').

 [    31] GSS_S_COMPLETE: client = 'MYCOMPUTER$@DOMAIN.COM'

 [    32] Trying to map SPN 'MYCOMPUTER$@DOMAIN.COM' to UNIX user 'MYCOMPUTER$' using implicit mapping

 [    37] Entry for user-name: MYCOMPUTER$ not found in the current source: FILES. Ignoring and trying next available source

 [    48] Successfully connected to ip 1.1.1.1 port 389 using TCP

 [  3063] LDAP search for the "uid, uidNumber, gidNumber, unixUserPassword, name, unixHomeDirectory, loginShell" attribute(s) within base "dc=domain,dc=com" (scope: 2) using filter "(&(objectClass=User)(uid=MYCOMPUTER$))" failed with error: Timed out

 [  3063]   Additional info:

 [  3064] Source: LDAP unavailable. Entry for user-name:MYCOMPUTER$ not found in any of the available sources

 [  3064] Unable to map SPN 'MYCOMPUTER$@DOMAIN.COM'

 [  3064] FAILURE: Unable to map Kerberos NFS user 'MYCOMPUTER$@DOMAIN.COM' to appropriate UNIX user

 [  3065] Failed to accept the context: The routine completed successfully (minor: Unknown error). Result = 6916

Note: this one works on ONTAP 9:

Kerberos to UNIX:

Pattern: (.+)@DOMAIN.COM Replacement: nfsuser

However, I do not want all the domain Kerberos users mapped to nfsuser, only MACHINESHORTNAME$@DOMAIN.COM.

Additionally, my LDAP translations are working:

diag secd authentication translate -node MYNODE -vserver NFS4  -unix-user-name MYUSERNAME
12345

Also, is there an easier way to test Kerberos mappings, like the UNIX ID translation below?

diag secd authentication translate -node MYNODE -vserver NFS4  -unix-user-name MYUSERNAME

Thanks in advance.

Ben
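An added example, not from the original post and not ONTAP's own code: a small Python simulation of the two mapping stages the secd trace above shows (explicit pattern/replacement rules, then "implicit mapping" that strips the realm and looks the remainder up as a UNIX user). It lets you check offline which principals a given pattern actually matches before blaming the regex. Assumptions: the pattern is applied to the whole principal (`re.fullmatch`), Python's `re` dialect stands in for ONTAP's engine, `PASSWD` is a constructed stand-in for the FILES/LDAP lookup, and the "anchored" rule with an escaped dot is a variant I added, not one the post tested on ONTAP.

```python
import re

# Constructed sample rules, written the way the post lists them (pattern, replacement).
# Assumption: the pattern must match the whole principal (re.fullmatch); ONTAP's exact
# matching behaviour and regex dialect are not modelled, only plain regex semantics.
MACHINE_ONLY_RULE = (r"(.+)\$@DOMAIN.COM", "nfsuser")         # rule from the post
CATCH_ALL_RULE = (r"(.+)@DOMAIN.COM", "nfsuser")              # rule the post says works in 9.x, but too broad
ANCHORED_MACHINE_RULE = (r"^(.+)\$@DOMAIN\.COM$", "nfsuser")  # added variant: unescaped '.' matches any char

# Constructed stand-in for the FILES/LDAP source used by implicit mapping: UNIX user -> UID.
PASSWD = {"alice": 12345, "nfsuser": 65534}


def apply_rules(principal, rules):
    """Explicit mapping: (unix_user, index of first matching rule), or (None, None)."""
    for i, (pattern, replacement) in enumerate(rules):
        m = re.fullmatch(pattern, principal)
        if m:
            # expand() honours \1-style backreferences in the replacement string.
            return m.expand(replacement), i
    return None, None


def implicit_map(principal, passwd):
    """Implicit mapping as the trace shows it: drop the realm, look the rest up as a UNIX user."""
    user = principal.split("@", 1)[0]  # 'MYCOMPUTER$@DOMAIN.COM' -> 'MYCOMPUTER$'
    return user if user in passwd else None


def map_principal(principal, rules, passwd):
    """Return (unix_user, how) where how is 'explicit', 'implicit' or 'unmapped'."""
    user, _ = apply_rules(principal, rules)
    if user is not None:
        return user, "explicit"
    user = implicit_map(principal, passwd)
    if user is not None:
        return user, "implicit"
    return None, "unmapped"


if __name__ == "__main__":
    principals = ["MYCOMPUTER$@DOMAIN.COM", "alice@DOMAIN.COM", "MYCOMPUTER$@DOMAINXCOM"]
    named_rules = [("machine-only", MACHINE_ONLY_RULE), ("catch-all", CATCH_ALL_RULE),
                   ("anchored", ANCHORED_MACHINE_RULE)]
    for p in principals:
        for name, rule in named_rules:
            print(f"{p:26} {name:12} -> {apply_rules(p, [rule])}")
    # No explicit rule hit and no passwd entry for 'MYCOMPUTER$': unmapped, as in the trace.
    print(map_principal("MYCOMPUTER$@DOMAIN.COM", [], PASSWD))
```

Two things the simulation makes visible: the machine-only pattern does match `MYCOMPUTER$@DOMAIN.COM` under ordinary regex rules and does not match `alice@DOMAIN.COM`, so the pattern itself is not what maps every domain user; and because `.` is unescaped in `DOMAIN.COM`, the post's patterns also accept realms such as `DOMAINXCOM`, which the anchored variant rejects.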
