メインコンテンツまでスキップ
NetApp Response to Russia-Ukraine Cyber Threat
In response to the recent rise in cyber threat due to the Russian-Ukraine crisis, NetApp is actively monitoring the global security intelligence and updating our cybersecurity measures. We follow U.S. Federal Government guidance and remain on high alert. Customers are encouraged to monitor the Cybersecurity and Infrastructure Security (CISA) website for new information as it develops and remain on high alert.

Windows Active Directory における LDAP の問題のトラブルシューティング方法

Views:
118
Visibility:
Public
Votes:
0
Category:
ontap-9
Specialty:
core
Last Updated:

のとう

のとう

環境

  • ONTAP 9

説明

Active Directory LDAP および clustered Data ONTAP に関する詳細かつ最新の情報について[1]は、 TR-4073 :『 Secure Unified Authentication 』を参照してください。

clustered Data ONTAPsecdで LDAP を使用する場合は、「 mhost process 」が利用されます。このプロセスはユーザ認証(ネームマッピング)を行います。/mroot/etc/mlogファイル内の SecD ログにネームマッピングで発生している問題が記録されます。

デフォルト

::*> diag secd trace set -node node-01 -module-names name-mapping -trace-all YES
Trace spec set successfully.

::*> diag secd trace show -node node-01
Trace Spec
---------------------------------------
TraceAll:                     Tracing all RPCs
Modules:                      NameMapping


options cifs.trace_loginでは、トレース一致エラーをログに表示するために Data ONTAP 7-Mode で同じ動作を有効にする必要がある場合を除き、ネームマッピングエラーは SecD ログに記録されません。

ネームマッピングに失敗した場合は、

Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] |------------------------------------------------------------------------------
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] |                                 TRACE MATCH                                  |
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] |   RPC secd_rpc_map_name succeeded and is being dumped because of a tracing   |
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] |                                  match on:                                   |
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] |                                     All                                      |
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] |                   RPC recevied at Thu Sep 15 16:55:38 2011                   |
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] |------------------------------------------------------------------------------'
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.032]  debug:  SecD RPC Server received RPC from MGMT.  RPC 351: secd_rpc_map_name  { in secd_prog_1() at server/secd_rpc_server.cpp:806 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.103]  debug:  Setting thread context. VServerId = 6, Protocol = NONE, lifId = 0  { in setThreadContext() at utils/secd_thread_data_manager.cpp:172 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.121]  debug:  secd_rpc_map_name_1_svc called with vserverid = 6  { in secd_rpc_map_name_1_svc() at name_mapping/secd_rpc_map_name.cpp:50 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.168]  debug:  Attempting to map name ldap using the cluster mapping store  { in getAppropriateWindowsToUnixMapping() at name_mapping/secd_name_mapping.cpp:385 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.207]  debug:  IDS_FROM_USER_NAME ldapInfoType requested.
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402]   { in getLdapInfoFromName() at authorization/secd_ldap_unix_authorization.cpp:552 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.239]  debug:  Looking for LDAP (NIS & Name Mapping) cache (key: "") in vserver 6  { in getConnectionCache() at connection_manager/secd_connection_cache.cpp:450 } 000000ad.0000150a 001db95a Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.255]  debug:  Looking for a connection to LDAP (NIS & Name Mapping)  { in getConnection() at connection_manager/secd_connection_manager.cpp:547 } 000000ad.0000150b 001db95a Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.268]  debug:  Acquiring a new LDAP (NIS & Name Mapping) connection; favoring cache  { in getBestConnection() at connection_manager/secd_connection_manager.cpp:716 } Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.282]  debug:  Did not find an available connection in the cache  { in getBestCachedConnection() at connection_manager/secd_connection_cache.cpp:224 } 000000ad.0000150d 001db95a Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.304]  debug:  Reserving a new LDAP (NIS & Name Mapping) server from discovery  { in getBestConnection() at connection_manager/secd_connection_manager.cpp:728 } 000000ad.0000150e 001db95a Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.324]  debug:  Created service key: 00000006..LDAP_NIS_AND_NAME_MAPPING  { in makeServiceKey() at server_discovery/secd_service_list.cpp:150 } Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.356]  debug:  Discovery returned 10.61.70.5 (10.61.70.5)  { in getBestConnection() at connection_manager/secd_connection_manager.cpp:743 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.377]  debug:  Connecting to LDAP (NIS & Name Mapping) server 10.61.70.5  { in addStartConnectionJournal() at connection_manager/secd_connection_manager.cpp:462 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.002.652]  debug:  Successfully authenticated over LDAP with 10.61.70.5  { in connect<LdapConnectionState>() at connection_manager/secd_connection.cpp:971 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.002.688]  debug:  Connected to new LDAP (NIS & Name Mapping) service on 10.61.70.5  { in makeConnectionAttempt() at connection_manager/secd_connection_manager.cpp:846 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.002.929]  debug:  Searching LDAP for the "uidNumber, gidNumber" attribute(s) within base "CN=users,DC=domain,DC=com" (scope: -1) using filter: (&(objectClass=User)(sAMAccountName=ldap))  { in searchLdap() at utils/secd_ldap_utils.cpp:200 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.352]  ERR  :  1057 in searchLdap() at utils/secd_ldap_utils.cpp:215
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.386]  ERR  :  searchLdap: LDAP Error: (80): 'Internal (implementation specific) error':
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.399]  ERR  :  1057 in getLdapInfoFromName() at authorization/secd_ldap_unix_authorization.cpp:652
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.465]  debug:  Closing service handle; reporting status 1  { in ~SecdConnection() at ../bedrock/obj/x86_64/secd/../../../export/common/headers/include/secd/secd_connection.h:106 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.488]  ERR  :  1057 in getIdsFromUserName() at authorization/secd_ldap_unix_authorization.cpp:139
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.505]  warn :  Failed to get an ID for name ldap using UNIX authorization source LDAP, Error: 1057; ignoring; will try next source  { in handleNameAuthResult() at authorization/secd_unix_authorization.cpp:68 } 000000ad.0000151a 001db95a Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.575]  debug:  SecD RPC Server sending reply to RPC 351: secd_rpc_map_name  { in secdSendRpcResponse() at server/secd_rpc_server.cpp:1093 }


次のように表示されます。ネームマップトレースは次の内容を示します。

  • LDAP ネームマッピングに失敗し、ユーザが試行されました
  • ユーザのマッピングに使用する LDAP
  • 検索に使用するベース DN
  • 失敗中に要求された属性
  • 使用するフィルタ
  • LDAP サーバに接続し、適切に接続したかどうか
  • LDAP 接続がキャッシュされているかどうか
  • SVM ID が要求されました

 

Scan to view the article on your device
CUSTOMER EXCLUSIVE CONTENT

Registered NetApp customers get unlimited access to our dynamic Knowledge Base.

New authoritative content is published and updated each day by our team of experts.

Current Customer or Partner?

Sign In for unlimited access

New to NetApp?

Learn more about our award-winning Support