
Changing the CIFS server AES encryption setting fails with "SecD Error: no server available" because the domain controller's PTR record is missing

Category: ontap-9
Specialty: nas
Environment

  • ONTAP 9.7
  • CIFS

Problem

  • Attempting to modify or add permissions from the Security tab produces the following error on a Windows SMB client:

“The program cannot open the required dialog box because it cannot determine whether the computer named “cifs -server” is joined to a domain. Close this message, and try again.”

  • Creating a new CIFS server also fails.
  • Setting is-aes-encryption-enabled to false fails:

::> cifs security modify -vserver svm1 -is-aes-encryption-enabled false
Info: In order to disable CIFS AES encryption, the password for the CIFS server machine account must be reset. Enter the username and password for the CIFS domain
   "NASLAB.LOCAL".
Enter your user ID: administrator
Enter your password:
Error: command failed: Password update failed. Reason: SecD Error: no server available.

  • SecD:

.------------------------------------------------------------------------------.
|                                 RPC FAILURE:                                 |
|                      secd_rpc_ad_get_dc_info has failed                      |
|                        Result = 0, RPC Result = 6940                         |
|                   RPC received at Thu Sep 24 13:42:26 2020                   |
'------------------------------------------------------------------------------'
Failure Summary:
Error: Get DC Info procedure failed
  [  0 ms] No servers available for MS_LDAP_AD, vserver: 2, domain: naslab.local.
  [    2] Successfully connected to ip 10.xx.yy.191, port 389 using TCP
  [    4] Successfully connected to ip 10.xx.yy.191, port 88 using TCP
  [   20] Successfully connected to ip 10.xx.yy.191, port 389 using TCP
  [   21] Entry for host-address: 10.xx.yy.191 not found in the current source: FILES. Ignoring and trying next available source
  [   22] Source: DNS unavailable. Entry for host-address:10.xx.yy.191 not found in any of the available sources
**[   22] FAILURE: Unable to SASL bind to LDAP server using GSSAPI: Local error
  [   22]   Additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Cannot determine realm for numeric host address)
  [   23] Successfully connected to ip 10.xx.yy.191, port 88 using TCP
  [   57] Could not authenticate as 'SVM1$@NASLAB.LOCAL': CIFS server account password does not match password stored in Active Directory (KRB5KDC_ERR_PREAUTH_FAILED)
  [   57] Unable to connect to LDAP (Active Directory) service on win-aesid9bf636.naslab.local (Error: Local error)
  [   57] No servers available for MS_LDAP_AD, vserver: 2, domain: naslab.local.
  [   57] Unable to make a connection (LDAP (Active Directory):NASLAB.LOCAL), result: 6940

  • EMS:

cluster-01   DEBUG      secd.unexpectedFailure: vserver (svm1) Unexpected failure. Error: CIFS server password change procedure failed
  [  2 ms] Successfully connected to ip 10.xx.yy.191, port 88 using TCP
  [    4] Successfully connected to ip 10.xx.yy.191, port 88 using TCP
**[    6] FAILURE: CIFS server could not authenticate as 'SVM1$@NASLAB.LOCAL': Generic preauthentication failure (KRB5_PREAUTH_FAILED)

8/7/2024 15:58:01   node01    ERROR     secd.unexpectedFailure: Unexpected SecD failure in Vserver "PINTAIL3_dest". Details: Error: Get DC Info procedure failed
CIFS Domain Query via LSAR_DS_ROLE_GET_DOMAIN_INFO - Client Ip = 10.2xx.xc.xc User = xcx\Sebxcvcc
  [ 2089] Successfully connected to ip 10.10.2xx.xx, port 88 using TCP
  [  2107] Successfully connected to ip 10.1x2xx.1xx, port 389 using TCP
  [  2108] Source: DNS unavailable. Ignoring and trying next available source for host-address: 10.10.2xx.1xx
  [  2108] Entry for host-address: 10.10.2xx.1xx not found in the current source: FILES. Entry for host-address: 10.10.2xx.1xx not found in any of the available sources

  • The AD-LDAP connection is configured to use sign (client session security):

::> cifs security show -vserver svm1 -fields session-security-for-ad-ldap
vserver   session-security-for-ad-ldap
--------- ----------------------------
svm1     sign

  • AD-LDAP (preferred DC) connection status: unavailable/undetermined

::> vserver cifs domain discovered-servers show
Node: cluster-01
Vserver: svm1
Domain Name    Type    Preference DC-Name      DC-Address    Status
--------------- -------- ---------- --------------- --------------- ---------
naslab.local   KERBEROS preferred  win-aesid9bf636 10.xx.yy.191  undetermined
naslab.local   MS-LDAP  preferred  win-aesid9bf636 10.xx.yy.191  unavailable
naslab.local   MS-DC   preferred  win-aesid9bf636 10.xx.yy.191   OK

  • Discovery mode is already set to none (use preferred DCs only):

::> set adv
::*> vserver cifs domain discovered-servers discovery-mode show -vserver svm1
              Vserver: svm1
Server Discovery Mode: none

  • get-dc-info fails:

::> set adv
::*> vserver services access-check authentication get-dc-info -vserver svm1
Error: command failed: RPC call to SecD failed. RPC: "SecD Error: no server available".  Reason: "".

  • Reverse lookup of the DC address fails:

::> set adv
::*> vserver services name-service getxxbyyy gethostbyaddr -vserver svm1 -ipaddress 10.xx.yy.191
Error: command failed: Failed to resolve 10.xx.yy.191. Reason: Unknown host.

  • A packet trace shows the DNS response "No such name" for the PTR query:

57   05:24:18.155 0.001194000 10.xx.yy.18  10.xx.yy.191 30946,53 DNS Standard query 0x86d9 PTR 191.yy.xx.10.in-addr.arpa
58   05:24:18.157 0.001903000 10.xx.yy.191 10.xx.yy.18  53,30946 DNS Standard query response 0x86d9 No such name PTR 191.yy.xx.10.in-addr.arpa SOA dc91.naslab.local

  • session-security-for-ad-ldap is set to seal or sign
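The checks above can be scripted. The following Python is an added example, not code from the NetApp KB article or from ONTAP: it builds the in-addr.arpa name the resolver queried in the trace, performs the same reverse lookup that `getxxbyyy gethostbyaddr` runs (with an injectable resolver so it can be exercised offline), scans SecD trace lines for the two-part signature of this problem (host address not found in any name-service source, followed by the GSSAPI "Cannot determine realm for numeric host address" error), and emits the PTR record that would resolve it. The IP address, host name and trace lines are constructed samples modelled on the article's output.

```python
"""Detect a missing PTR record for a domain controller from SecD symptoms.

Added example, not part of the NetApp KB article. Kerberos (GSSAPI) SASL
binds need the DC's IP to resolve back to a host name so the realm can be
determined; when the PTR record is absent the bind fails exactly as the
SecD trace in the article shows. Sample data below is constructed.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample of the SecD trace lines quoted in the article, with a
# documentation-style address substituted for the masked 10.xx.yy.191.
SAMPLE_SECD_TRACE = """\
  [   20] Successfully connected to ip 10.0.0.191, port 389 using TCP
  [   21] Entry for host-address: 10.0.0.191 not found in the current source: FILES. Ignoring and trying next available source
  [   22] Source: DNS unavailable. Entry for host-address:10.0.0.191 not found in any of the available sources
**[   22] FAILURE: Unable to SASL bind to LDAP server using GSSAPI: Local error
  [   22]   Additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Cannot determine realm for numeric host address)
  [   57] No servers available for MS_LDAP_AD, vserver: 2, domain: naslab.local.
""".splitlines()

NOT_FOUND_RE = re.compile(
    r"host-address:\s*(\d{1,3}(?:\.\d{1,3}){3}) not found in any of the available sources"
)
NUMERIC_REALM = "Cannot determine realm for numeric host address"


def ptr_name(ip: str) -> str:
    """Reverse-zone name queried for this IP, e.g. 10.0.0.191 -> 191.0.0.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def make_static_resolver(table: Dict[str, str]) -> Callable[[str], str]:
    """Build an offline stand-in for socket.gethostbyaddr from an IP -> FQDN table.
    Unknown addresses raise socket.herror, mirroring a 'No such name' answer."""
    def resolve(ip: str) -> str:
        if ip not in table:
            raise socket.herror(1, "Unknown host")
        return table[ip]
    return resolve


def check_dc_reverse_lookup(ip: str, resolver: Optional[Callable[[str], str]] = None) -> dict:
    """Resolve a DC address to its FQDN the way SecD must before a GSSAPI bind.
    Defaults to the system resolver; pass make_static_resolver(...) to test offline."""
    if resolver is None:
        resolver = lambda addr: socket.gethostbyaddr(addr)[0]
    result = {"ip": ip, "ptr_query": ptr_name(ip), "fqdn": None, "ok": False}
    try:
        result["fqdn"] = resolver(ip)
        result["ok"] = True
    except (socket.herror, socket.gaierror):
        pass  # no PTR record: the symptom the article describes
    return result


def find_missing_ptr(trace: Iterable[str]) -> List[dict]:
    """Report DC addresses whose reverse lookup failed in every source AND that
    were followed by the GSSAPI numeric-realm error. An address showing only
    one of the two symptoms is not reported, to avoid false positives."""
    unresolved: List[str] = []
    findings: List[dict] = []
    for line in trace:
        m = NOT_FOUND_RE.search(line)
        if m:
            unresolved.append(m.group(1))
            continue
        if NUMERIC_REALM in line and unresolved:
            for ip in unresolved:
                findings.append({"ip": ip, "missing_record": ptr_name(ip) + " PTR"})
            unresolved = []
    return findings


def ptr_record_line(ip: str, fqdn: str) -> str:
    """Zone-file line for the PTR record that resolves the condition."""
    return f"{ptr_name(ip)}. IN PTR {fqdn.rstrip('.')}."


if __name__ == "__main__":
    for finding in find_missing_ptr(SAMPLE_SECD_TRACE):
        print("missing:", finding["missing_record"])
        # Hypothetical DC name for the constructed sample address.
        print("add   :", ptr_record_line(finding["ip"], "dc91.naslab.local"))
    print(check_dc_reverse_lookup("10.0.0.191", make_static_resolver({})))
```

Run against a live environment, `check_dc_reverse_lookup` with the default resolver reproduces the `gethostbyaddr` failure shown above, and `find_missing_ptr` can be pointed at a saved SecD trace to confirm that the LDAP bind failure is the reverse-lookup case rather than the separate `KRB5KDC_ERR_PREAUTH_FAILED` machine-account password mismatch that also appears in the log.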
