
Access to an NTFS volume is denied because the AD account is locked out, disabled, or expired

Category: ontap-9
Specialty: nas

Environment

  • ONTAP 9
  • CIFS / SMB
  • NFS
  • Volumes with NTFS security style

Issue

  • Clients cannot work with files or folders
    • The mount succeeds on both CIFS and NFS clients, but access to files and folders on the NTFS volume fails with permission denied
    • On a Linux client using a volume with NTFS security style, the mount itself fails with a Permission denied error.

linux:/axx/axn# mount -t cifs //10.xx.xc.xc/qtree$ -o file_mode=0774,dir_mode=0775,credentials=/home/txc/.sambapassword.cifs,uid=49x,gid=49x,vers=1 /axx/axn -vvv
mount: fstab path: "/etc/fstab"
mount: mtab path:  "/etc/mtab"
mount: lock path:  "/etc/mtab~"
mount: temp path:  "/etc/mtab.tmp"
[...]
mount.cifs kernel mount options: ip=10.xx.xc.xc,unc=\\10.xx.xc.xc\qtree$,file_mode=0774,dir_mode=0775,credentials=/home/txc/.sambapassword.cifs,vers=1,uid=49x,gid=49x,ver=1,user=sxxxcccd,pass=********
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

  • The packet trace shows "NFS4ERR_WRONGSEC" or "Error: STATUS_ACCOUNT_LOCKED_OUT"
  • The Active Directory user account is locked out

Example:

::> set advanced
::*> vserver services access-check authentication show-creds -node node-01 -vserver svm -unix-user-name <root>

Vserver: sbm1 (internal ID: 40)

Error: Get user credentials procedure failed
[ 0 ms] Determined UNIX id 0 is UNIX user 'root'
[ 0] UNIX user 'root' mapped to Windows user 'DOMAIN\root'
[ 0] Using cached 'DOMAIN\root' SID mapping.
[ 11] Successfully connected to ip 10.20.40.80, port 88 using TCP
**[ 16] FAILURE: Could not get credentials via S4U2Self based on
** full Windows user name 'root@DOMAIN.LOCAL'. A  'root' or SID
'S-2-8-21-338539323-9078145449-725348543-25819'

Error: command failed: Failed to get user credentials. Reason: "Kerberos Error: Clients credentials have been revoked".

  • EMS log

Example:

Mar 09 23:21:08 -0800 [node-01: secd: secd.cifsAuth.problem:error]: vserver (test) General CIFS authentication problem. Error: User authentication procedure failed (Retries: 2) CIFS SMB2 Share mapping - Client Ip = 10.100.XXX.XXX
[ 3001] Attempt 1 FAILURE: Unexpected state: Error 6776 at file:src/FrameWork/Socket.cpp func:ReceiveDataOnSocket line:1233
[ 6015] Attempt 2 FAILURE: Pass-through authentication request failed.
[6016 ms] Login attempt by domain user 'AD\user' it could be a client issue or a cache credential issue in the client.

  • The SecD log shows that ONTAP could not obtain the user's credentials

Example:

            .------------------------------------------------------------------------------.
[kern_secd:info:10210] |                  RPC FAILURE:                  |
[kern_secd:info:10210] |            secd_rpc_auth_get_creds has failed            |
[kern_secd:info:10210] |             Result = 0, RPC Result = 7519             |
[kern_secd:info:10210] |           RPC received at Mon xxxxxxxxxxxxxxxx         |
[kern_secd:info:10210] |------------------------------------------------------------------------------'
[kern_secd:info:10210] Failure Summary:
[kern_secd:info:10210] Error: Get user credentials procedure failed
[kern_secd:info:10210]   [  1 ms] Determined UNIX id 8309 is UNIX user 'user1'
[kern_secd:info:10210]   [   218] UNIX user 'user1' mapped to Windows user 'domain\winuser'
[kern_secd:info:10210]   [   218] Using cached 'domain\winuser' SID mapping.
[kern_secd:info:10210]   [   221] Successfully connected to ip 1x.xx.xx.xx, port 88 using TCP
[kern_secd:info:10210] **[   225] FAILURE: Could not get credentials via S4U2Self based on full Windows user name 'winuser@domain.local'. Access denied.
[kern_secd:info:10210]   [   225] Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx'
...
[kern_secd:info:10210] | [000.009.096]  ERR  :  RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getUserCredViaS4U2Self() at src/utils/secd_krb_utils.cpp:762
[kern_secd:info:10210] | [000.009.105]  ERR  :  getUserCredViaS4U2Self: GSSAPI Error: (d0000), Kerberos Error: (Clients credentials have been revoked)
[kern_secd:info:10210] | [000.011.467]  ERR  :  Could not get credentials via S4U2Self based on full Windows user name 'winuser@domain.domain.COM'. Access denied. { in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1211 }
[kern_secd:info:10210] | [000.011.475]  ERR  :  RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1212
[kern_secd:info:10210] | [000.011.481]  ERR  :  Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx' { in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1240 }
[kern_secd:info:10210] | [000.011.486]  ERR  :  RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in secd_rpc_auth_get_creds_1_svc() at src/authorization/secd_rpc_authorization.cpp:1540
[kern_secd:info:10210] | [000.011.512]  debug:  SecD RPC Server sending reply to RPC 153: secd_rpc_auth_get_creds  { in secdSendRpcResponse() at src/server/secd_rpc_server.cpp:2127 }
[kern_secd:info:10210] | [000.011.569]  ERR  :  RESULT_ERROR_SECD_CIFS_CRED_LOOKUP_FAILED:6988 in getFailureCode() at src/utils/secd_thread_task_journal.cpp:34

  • The following error was reported on the client side:

[LOGON] [15120] SamLogon: Network logon of (null)\user1 from (null) (via SVM) Returns 0xC0000234 User Name: user1 Vserver: SVM Cluster-Name: cluster01
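The indicators listed above can be matched mechanically, which is useful when the SecD and EMS output is long. The following Python script is an added example (not NetApp code) that scans SecD, EMS and client-side log lines for the account-state signatures shown in this article: the SecD result RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519, the Kerberos text "Clients credentials have been revoked", the S4U2Self failure line, the SamLogon NTSTATUS 0xC0000234 (STATUS_ACCOUNT_LOCKED_OUT), and NFS4ERR_WRONGSEC / STATUS_ACCOUNT_LOCKED_OUT as they appear in trace output. The sample lines embedded in the script are constructed from the excerpts above; the NTSTATUS values for disabled (0xC0000072) and expired (0xC0000193) accounts and the wrong-password value 0xC000006D come from the public NTSTATUS list and are not part of this article.

```python
"""Scan ONTAP SecD, EMS and client-side log excerpts for the indicators that point
to an AD account-state problem (locked out, disabled, expired) rather than an
NTFS ACL problem.  Added example; not NetApp code."""
import re
from collections import defaultdict

# NTSTATUS codes that describe account state.  0xC0000234 appears in the KB's
# SamLogon line; the other two are taken from the public NTSTATUS list (assumption:
# the same SamLogon line format carries them for disabled / expired accounts).
NTSTATUS_ACCOUNT_STATE = {
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
}

# (indicator name, regex) pairs built from the strings shown in the KB excerpts.
PATTERNS = [
    ("secd_kerberos_client_revoked",
     re.compile(r"RESULT_ERROR_KERBEROS_CLIENT_REVOKED:(?P<code>\d+)")),
    ("kerberos_credentials_revoked",
     re.compile(r"Kerberos Error:\s*\(?Clients credentials have been revoked")),
    ("s4u2self_access_denied",
     re.compile(r"Could not get credentials via S4U2Self based on\s+full Windows user name '(?P<user>[^']+)'")),
    ("samlogon_ntstatus",
     re.compile(r"SamLogon: .*Returns (?P<status>0x[0-9A-Fa-f]{8}).*?User Name:\s*(?P<user>\S+)")),
    ("nfs4err_wrongsec", re.compile(r"NFS4ERR_WRONGSEC")),
    ("smb_status_account_locked_out", re.compile(r"STATUS_ACCOUNT_LOCKED_OUT")),
]

# Constructed sample lines modelled on the excerpts in this article.  user3's
# 0xC000006D (STATUS_LOGON_FAILURE, e.g. wrong password) must NOT be flagged.
SAMPLE_LOG = """\
[kern_secd:info:10210] | [000.009.096]  ERR  :  RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getUserCredViaS4U2Self() at src/utils/secd_krb_utils.cpp:762
[kern_secd:info:10210] | [000.009.105]  ERR  :  getUserCredViaS4U2Self: GSSAPI Error: (d0000), Kerberos Error: (Clients credentials have been revoked)
[kern_secd:info:10210]   [   218] UNIX user 'user1' mapped to Windows user 'domain\\winuser'
[kern_secd:info:10210] **[   225] FAILURE: Could not get credentials via S4U2Self based on full Windows user name 'winuser@domain.local'. Access denied.
[LOGON] [15120] SamLogon: Network logon of (null)\\user1 from (null) (via SVM) Returns 0xC0000234 User Name: user1 Vserver: SVM Cluster-Name: cluster01
[LOGON] [15121] SamLogon: Network logon of (null)\\user2 from (null) (via SVM) Returns 0xC0000072 User Name: user2 Vserver: SVM Cluster-Name: cluster01
[LOGON] [15122] SamLogon: Network logon of (null)\\user3 from (null) (via SVM) Returns 0xC000006D User Name: user3 Vserver: SVM Cluster-Name: cluster01
[kern_secd:info:10210]   [   221] Successfully connected to ip 10.0.0.5, port 88 using TCP
"""


def classify_line(line):
    """Return a finding dict if the line carries an account-state indicator, else None."""
    for name, rx in PATTERNS:
        m = rx.search(line)
        if not m:
            continue
        groups = m.groupdict()
        finding = {"indicator": name, "user": None, "detail": None}
        if name == "samlogon_ntstatus":
            detail = NTSTATUS_ACCOUNT_STATE.get(int(groups["status"], 16))
            if detail is None:
                continue  # some other logon failure (e.g. bad password): not an account-state problem
            finding["detail"] = detail
        elif groups.get("code"):
            finding["detail"] = "SecD result " + groups["code"]
        if groups.get("user"):
            # normalise 'winuser@domain.local' / 'domain\winuser' to the bare account name
            finding["user"] = groups["user"].split("@")[0].split("\\")[-1].lower()
        return finding
    return None


def scan(log_text):
    """Run classify_line over every line and keep the hits, in log order."""
    return [f for f in (classify_line(ln) for ln in log_text.splitlines()) if f]


def summarize(findings):
    """Group indicator names per user; hits with no user go under '<unknown>'."""
    per_user = defaultdict(set)
    for f in findings:
        per_user[f["user"] or "<unknown>"].add(f["indicator"])
    return {user: sorted(names) for user, names in per_user.items()}


if __name__ == "__main__":
    for user, names in summarize(scan(SAMPLE_LOG)).items():
        print(f"{user}: {', '.join(names)}")
```

The per-user summary separates "the AD account is in a bad state" from a genuine NTFS ACL problem: when these indicators appear for a user, check the account's lockout, disabled and expiry state in Active Directory before changing anything on the volume.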

 
