CIFSサーバのAES暗号化の変更が「Kerberos Error：KDC has no support for encryption type」というメッセージで失敗します

最後の更新
PDFとして保存

Views:: 153

Visibility:: Public

Votes:: 0

Category:: ontap-9

Specialty:: nas<a>2008455847</a>

Last Updated:

環境

ONTAP 9
Cloud Volume ONTAP（CVO）
CIFS

問題

AESを無効にする場合：

::> vserver cifs security modify -vserver vs1 -is-aes-encryption-enabled false

Info: In order to disable CIFS AES encryption, the password for the CIFS server machine account must be reset. Enter the

username and password for the CIFS domain "NASLAB.LOCAL".

Enter your user ID: administrator

Enter your password:

Error: command failed: Password update failed. Reason: Kerberos Error: KDC has no support for encryption type.

SecDログ：
- AESセキュリティオプションを変更すると、SVMのAD内のマシンアカウントパスワードが変更されます。
- SecDログにAD-LDAPへのTCP接続の失敗が表示されるため、LDAPバインドが失敗しました。
- LDAPのバインドに失敗したため、SVMはCIFSサーバのmsDS-SupportedEncryptionTypesを更新できません。
- RPC呼び出しが失敗するため、CIFSセキュリティの「is-aes-encryption-enabled」の変更が失敗します。

.-----------------------------------------------------------------------------.
 |                  RPC FAILURE:                  |
 |           secd_rpc_ad_reset_password has failed  |
 |             Result = 0, RPC Result = 6942          |
 |           RPC received at Mon Sep 21 06:33:28 2020|
 |-----------------------------------------------------------------------------'
 Failure Summary:
 Error: CIFS server password reset procedure failed
   ...
   [  2286] Successfully connected to ip 10.xx.yy.2, port 88 using TCP
   [  4344] TCP connection to ip 10.aa.bb.10, port 389 via interface 10.aa.cc.dd failed: Operation timed out.
   [  4344] Unable to SASL bind to LDAP server using GSSAPI: Can't contact LDAP server
   [  4344] Unable to connect to LDAP (Active Directory) service on dc1.naslab.local (Error: Can't contact LDAP server)
   [  4348] Successfully connected to ip 10.xx.yy.2, port 88 using TCP
   [  4491] Could not authenticate as 'VS1$@NASLAB.LOCAL': CIFS server account password does not match password stored in Active Directory (KRB5KDC_ERR_PREAUTH_FAILED)
   [  4494] Successfully connected to ip 10.xx.yy.2, port 88 using TCP
   [  6544] TCP connection to ip 10.aa.bb.11, port 389 via interface 10.aa.cc.dd failed: Operation timed out.
   [  6544] Unable to SASL bind to LDAP server using GSSAPI: Can't contact LDAP server
   [  6544] Unable to connect to LDAP (Active Directory) service on dc2.naslab.local (Error: Can't contact LDAP server)
   [  6547] Successfully connected to ip 10.xx.yy.2, port 88 using TCP
   [  6732] Could not authenticate as 'VS1$@NASLAB.LOCAL': CIFS server account password does not match password stored in Active Directory (KRB5KDC_ERR_PREAUTH_FAILED)
   [  6735] Successfully connected to ip 10.xx.yy.2, port 88 using TCP
   [  8803] TCP connection to ip 10.aa.bb.3, port 389 via interface 10.aa.cc.dd failed: Operation timed out.
   [  8803] Unable to SASL bind to LDAP server using GSSAPI: Can't contact LDAP server
   [  8803] Unable to connect to LDAP (Active Directory) service on dc3.naslab.local (Error: Can't contact LDAP server)
   [  8803] Unable to make a connection (LDAP (Active Directory):SF.PRIV), result: 6942
   [  8803] Retry requested, but the retry window (7000 ms) has expired; giving up.

コマンド vserver cifs domain discovered-servers show -vserver vs1 で MS-LDAPが Unavailable またはと表示される Unreachable