メインコンテンツまでスキップ

PTRレコードが見つからないため、CIFSサーバのAES暗号化を変更すると「SecD Error:no server available」が表示される

Views:
128
Visibility:
Public
Votes:
0
Category:
ontap-9
Specialty:
nas<a>2008455847</a><a>Cloud Volume ONTAP(CVO)</a>
Last Updated:

環境

  • ONTAP 9.7
  • CIFS

問題

  • is-aes-encryption-enabled  false シツハイスルセツテイ

::> cifs security modify -vserver svm1 -is-aes-encryption-enabled false
Info: In order to disable CIFS AES encryption, the password for the CIFS server machine account must be reset. Enter the username and password for the CIFS domain
   "NASLAB.LOCAL".
Enter your user ID: administrator
Enter your password:
Error: command failed: Password update failed. Reason: SecD Error: no server available.

  • SecD:

.------------------------------------------------------------------------------.
|                  RPC FAILURE:                  |
|            secd_rpc_ad_get_dc_info has failed            |
|             Result = 0, RPC Result = 6940              |
|           RPC received at Thu Sep 24 13:42:26 2020           |
|------------------------------------------------------------------------------'
Failure Summary:
Error: Get DC Info procedure failed
  [  0 ms] No servers available for MS_LDAP_AD, vserver: 2, domain: naslab.local.
  [    2] Successfully connected to ip 10.xx.yy.191, port 389 using TCP
  [    4] Successfully connected to ip 10.xx.yy.191, port 88 using TCP
  [   20] Successfully connected to ip 10.xx.yy.191, port 389 using TCP
  [   21] Entry for host-address: 10.xx.yy.191 not found in the current source: FILES. Ignoring and trying next available source
  [   22] Source: DNS unavailable. Entry for host-address:10.xx.yy.191 not found in any of the available sources
**[   22] FAILURE: Unable to SASL bind to LDAP server using GSSAPI: Local error
  [   22]   Additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Cannot determine realm for numeric host address)
  [   23] Successfully connected to ip 10.xx.yy.191, port 88 using TCP
  [   57] Could not authenticate as 'SVM1$@NASLAB.LOCAL': CIFS server account password does not match password stored in Active Directory (KRB5KDC_ERR_PREAUTH_FAILED)
  [   57] Unable to connect to LDAP (Active Directory) service on win-aesid9bf636.naslab.local (Error: Local error)
  [   57] No servers available for MS_LDAP_AD, vserver: 2, domain: naslab.local.
  [   57] Unable to make a connection (LDAP (Active Directory):NASLAB.LOCAL), result: 6940

  • EMS:

cluster-01   DEBUG      secd.unexpectedFailure: vserver (svm1) Unexpected failure. Error: CIFS server password change procedure failed
  [  2 ms] Successfully connected to ip 10.xx.yy.191, port 88 using TCP
  [    4] Successfully connected to ip 10.xx.yy.191, port 88 using TCP
**[    6] FAILURE: CIFS server could not authenticate as 'SVM1$@NASLAB.LOCAL': Generic preauthentication failure (KRB5_PREAUTH_FAILED)

  • AD - LDAP 接続が使用するように設定されている sign (クライアントセッションセキュリティ)

::> cifs security show -vserver svm1 -fields session-security-for-ad-ldap
vserver   session-security-for-ad-ldap
--------- ----------------------------
svm1     sign

  • AD-LDAP(優先DC)接続: unavailable

::> vserver cifs domain discovered-servers show
Node: cluster-01
Vserver: svm1
Domain Name    Type    Preference DC-Name      DC-Address    Status
--------------- -------- ---------- --------------- --------------- ---------
naslab.local   KERBEROS preferred  win-aesid9bf636 10.xx.yy.191   undetermined
naslab.local   MS-LDAP  preferred  win-aesid9bf636 10.xx.yy.191  unavailable
naslab.local   MS-DC   preferred  win-aesid9bf636 10.xx.yy.191   OK

  • 検出モードはすでにnoneに設定されています(優先DCのみを使用)。

::> set adv
::*> vserver cifs domain discovered-servers discovery-mode show -vserver svm1
        Vserver: svm1
Server Discovery Mode: none 

  • Get-dc情報が失敗する 

::> set adv
::*> vserver services access-check authentication get-dc-info -vserver svm1
Error: command failed: RPC call to SecD failed. RPC: "SecD Error: no server available".  Reason: "".

  • DCのリバースルックアップが失敗する

::> set adv
::*> vserver services name-service getxxbyyy gethostbyaddr -vserver svm1 -ipaddress 10.xx.yy.191
Error: command failed: Failed to resolve 10.xx.yy.191. Reason: Unknown host.

  • トレースはDNS応答を示します。 No such name

57   05:24:18.155 0.001194000 10.xx.yy.18  10.xx.yy.191 30946,53 DNS Standard query 0x86d9 PTR 191.yy.xx.10.in-addr.arpa
58   05:24:18.157 0.001903000 10.xx.yy.191 10.xx.yy.18  53,30946 DNS Standard query response 0x86d9 No such name PTR 191.yy.xx.10.in-addr.arpa SOA dc91.naslab.local

 

 

 

 

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.