CIFSの作成が失敗して「LDAPエラー:ユーザに十分なアクセス権がありません」
環境
- ONTAP 9
- CIFS
問題
- 以下のエラーでCIFSの作成が失敗する
::*> cifs server create -vserver svm1 -cifs-server cifs1 -domain domain.com -ou CN=ComputersIn order to create an Active Directory machine account for the CIFS server, you must supply the name and password of a Windows account with sufficient privileges to add computers to the "CN=Computers" container within the "domain.com" domain.Enter the user name: userEnter the password:Error: Machine account creation procedure failed[ 16507] Loaded the preliminary configuration.[ 16849] Created a machine account in the domain[ 16850] SID to name translations of Domain Users and Admins completed successfully[ 16872] Successfully connected to ip 10.x.x.x, port 88 using TCP[ 16917] Successfully connected to ip 10.x.x.x, port 464 using TCP[ 16961] Kerberos password set for 'cifs$@domain' succeeded[ 16961] Set initial account password**[ 17017] FAILURE: Unable to set machine account attribute**'msDS-SupportedEncryptionTypes': Insufficient access[ 17059] Deleted existing account 'CN=cifs,CN=Computers,DC=domain,DC=com'Error: command failed: Failed to create the Active Directory machine account "cifs". Reason: LDAP Error: The user has insufficient access rights.- CIFSの作成後に「msDS-SupportedEncryptionTypes」を変更すると、show dcが不十分なAccessRightsでパケットトレースを収集しました。
No Source Destination Proto Info1 10.x.x.x 10.y.y.y LDAP modifyRequest(9) "CN=cifs,CN=Computers,DC=domain,DC=com" protocolOp: modifyRequest (6)
modifyRequest
object: CN=cifs,CN=Computers,DC=domain,DC=com
modification: 1 item
modification item
operation: replace (2)
modification msDS-SupportedEncryptionTypes
type: msDS-SupportedEncryptionTypes
vals: 1 item
AttributeValue: 302 10.y.y.y 10.x.x.x LDAP modifyResponse(9) insufficientAccessRights (00002098: SecErr: DSID-031514B3, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0\n)