NetApp, updates, and NDMP: what is this I don't even

So after upgrading from ONTAP 7.3.1 to 7.3.2P3, I get an alert from our NOC saying NDMP backups are failing. Passwords had not been changed on any accounts since the last good backup. I checked the changelogs between 7.3.1 and 7.3.2P3 and did not find anything related to NDMP.


Symptom:
NDMP backups fail, citing authentication errors.

An attempt to re-generate an NDMP password yields this error:


filer01> ndmpd password ndmpfiler01
Cannot generate NDMP password.

filer01> version
NetApp Release 7.3.2P3: Fri Dec 11 17:58:49 PST 2009


Cause:
Sometime between then and now, a new capability was added: login-ndmp. If an account does not have that capability, ndmp logins and password generations will fail.


Notes:
We have a least-privilege account used for backing up the filers. A role was created called ndmp_role with the following capabilities: cli-ndmpcopy*, cli-ndmpd* which worked in 7.3.1. In 7.3.2P3 (don't know which actual version introduced this), the capability was added. A role called backup was created with the login-ndmp capability. A group called "Backup Operators" was added that includes that role.



Solution:
Add your least-privilege ndmp account to the "Backup Operators" group. Once added, you can again perform an ndmp password command against that account.