
NFS access to an NTFS volume fails with "access denied"

Applies to

  • ONTAP 9
  • NFS
  • NTFS security style volumes

Issue

  • An NFS user gets "access denied" when trying to access an NFS mount (NTFS security style)
  • Retrieving the credentials of the NFS user user1 fails

Cluster::*> diag secd authentication show-creds -vserver svm1 -node node1 -unix-user-name user1
Vserver: svm1 (internal ID: 3)
Error: Get user credentials procedure failed
  [  0 ms] Determined UNIX id 8309 is UNIX user 'user1'
  [    0] UNIX user 'user1' mapped to Windows user
      'naslab\winuser'
  [    0] Using cached 'naslab\winuser' SID mapping.
  [    5] Successfully connected to ip 1x.xx.xx.xx, port 88
      using TCP
**[   10] FAILURE: Could not get credentials via S4U2Self based on
**      full Windows user name
**      'winuser@naslab.local'. Access
**      denied.
  [   10] Could not get credentials for Windows user 'winuser'
      or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx'

  
Error: command failed: Failed to get user credentials. Reason: "Kerberos Error: Clients credentials have been revoked".

Secd log:

  • Getting credentials via S4U2Self fails with the error "Clients credentials have been revoked"

            .------------------------------------------------------------------------------.
[kern_secd:info:10210] |                  RPC FAILURE:                  |
[kern_secd:info:10210] |            secd_rpc_auth_get_creds has failed            |
[kern_secd:info:10210] |             Result = 0, RPC Result = 7519             |
[kern_secd:info:10210] |           RPC received at Mon xxxxxxxxxxxxxxxx         |
[kern_secd:info:10210] |------------------------------------------------------------------------------'
[kern_secd:info:10210] Failure Summary:
[kern_secd:info:10210] Error: Get user credentials procedure failed
[kern_secd:info:10210]   [  1 ms] Determined UNIX id 8309 is UNIX user 'user1'
[kern_secd:info:10210]   [   218] UNIX user 'user1' mapped to Windows user 'naslab\winuser'
[kern_secd:info:10210]   [   218] Using cached 'naslab\winuser' SID mapping.
[kern_secd:info:10210]   [   221] Successfully connected to ip 1x.xx.xx.xx, port 88 using TCP
[kern_secd:info:10210] **[   225] FAILURE: Could not get credentials via S4U2Self based on full Windows user name 'winuser@naslab.local'. Access denied.
[kern_secd:info:10210]   [   225] Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx'
...
[kern_secd:info:10210] | [000.009.096]  ERR  :  RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getUserCredViaS4U2Self() at src/utils/secd_krb_utils.cpp:762
[kern_secd:info:10210] | [000.009.105]  ERR  :  getUserCredViaS4U2Self: GSSAPI Error: (d0000), Kerberos Error: (Clients credentials have been revoked)
[kern_secd:info:10210] | [000.011.467]  ERR  :  Could not get credentials via S4U2Self based on full Windows user name 'winuser@naslab.MARRCORP.MARRIOTT.COM'. Access denied. { in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1211 }
[kern_secd:info:10210] | [000.011.475]  ERR  :  RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1212
[kern_secd:info:10210] | [000.011.481]  ERR  :  Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx' { in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1240 }
[kern_secd:info:10210] | [000.011.486]  ERR  :  RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in secd_rpc_auth_get_creds_1_svc() at src/authorization/secd_rpc_authorization.cpp:1540
[kern_secd:info:10210] | [000.011.512]  debug:  SecD RPC Server sending reply to RPC 153: secd_rpc_auth_get_creds  { in secdSendRpcResponse() at src/server/secd_rpc_server.cpp:2127 }
[kern_secd:info:10210] | [000.011.569]  ERR  :  RESULT_ERROR_SECD_CIFS_CRED_LOOKUP_FAILED:6988 in getFailureCode() at src/utils/secd_thread_task_journal.cpp:348

EMS log:
[node1: secd: secd.nfsAuth.noCifsCred:error]: vserver (svm1) NFS authorization cannot retrieve CIFS credentials. Error: Get user credentials procedure failed   [  1 ms] Determined UNIX id 8309 is UNIX user 'user1'   [   218] UNIX user 'ftps' mapped to Windows user 'naslab\winuser'   [   218] Using cached 'naslab\winuser' SID mapping.   [   221] Successfully connected to ip 1x.xx.xx.xx, port 88 using TCP **[   225] FAILURE: Could not get credentials via S4U2Self based on full Windows user name 'winuser@naslab.local'. Access denied.  [   225] Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx' 
 

Name mapping

Cluster::*> vserver  name-mapping show -vserver  svm1
Vserver:   svm1
Direction: unix-win
Position Hostname      IP Address/Mask
-------- ---------------- ----------------
1     -          -           Pattern: user1
                      Replacement: naslab\\winuser
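
As an added triage example (not NetApp code and not part of the original article), the script below parses secd log lines in the format shown above and reports each credential lookup that failed at the S4U2Self step, together with the UNIX user, the mapped Windows user and the secd result codes. The sample lines are constructed from the excerpt above; user2 and UNIX id 8400 are invented, and treating each "Determined UNIX id" line as the start of a new lookup is an assumption.

```python
import re

# Constructed sample in the secd log format shown above; user2 / UNIX id 8400 are invented.
SAMPLE = r"""
[kern_secd:info:10210]   [  1 ms] Determined UNIX id 8309 is UNIX user 'user1'
[kern_secd:info:10210]   [   218] UNIX user 'user1' mapped to Windows user 'naslab\winuser'
[kern_secd:info:10210] **[   225] FAILURE: Could not get credentials via S4U2Self based on full Windows user name 'winuser@naslab.local'. Access denied.
[kern_secd:info:10210] | [000.009.096]  ERR  :  RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getUserCredViaS4U2Self() at src/utils/secd_krb_utils.cpp:762
[kern_secd:info:10210] | [000.011.475]  ERR  :  RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1212
[kern_secd:info:10210] | [000.011.569]  ERR  :  RESULT_ERROR_SECD_CIFS_CRED_LOOKUP_FAILED:6988 in getFailureCode() at src/utils/secd_thread_task_journal.cpp:348
[kern_secd:info:10210]   [  1 ms] Determined UNIX id 8400 is UNIX user 'user2'
[kern_secd:info:10210]   [    12] UNIX user 'user2' mapped to Windows user 'naslab\winuser2'
"""

PREFIX = re.compile(r"^\[kern_secd:\w+:\d+\]\s*(.*)$")
UNIX_ID = re.compile(r"Determined UNIX id (\d+) is UNIX user '([^']+)'")
MAPPED = re.compile(r"UNIX user '[^']+' mapped to Windows user\s+'([^']+)'")
S4U_FAIL = re.compile(r"FAILURE: Could not get credentials via S4U2Self .*?name '([^']+)'")
RESULT = re.compile(r"(RESULT_ERROR_\w+):(\d+) in \w+\(\)")


def s4u2self_failures(text):
    """Return one record per credential lookup that failed at the S4U2Self step."""
    events, cur = [], None
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # skip blank lines, "..." elisions and the box border
        body = m.group(1)
        if (u := UNIX_ID.search(body)):
            # Assumption: each lookup starts at its "Determined UNIX id" line.
            cur = {"uid": int(u.group(1)), "unix_user": u.group(2), "results": []}
            events.append(cur)
        if cur is None:
            continue
        if (w := MAPPED.search(body)):
            cur["windows_user"] = w.group(1)
        if (f := S4U_FAIL.search(body)):
            cur["principal"] = f.group(1)
        if (r := RESULT.search(body)):
            code = (r.group(1), int(r.group(2)))
            if code not in cur["results"]:  # the same code repeats across ERR lines
                cur["results"].append(code)
    return [e for e in events if "principal" in e]


if __name__ == "__main__":
    for event in s4u2self_failures(SAMPLE):
        print(event)
```

The Windows user in each record is the account to compare against the unix-win name-mapping rule shown above.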

 
