ONTAP Windows user credential procedure fails for both S4U2Self and LDAP
Environment
- ONTAP 9
- CIFS
Issue
- Gathering a Windows user's credentials from the ONTAP CLI fails with:
invalid ldap result
Example
cluster01::*> vserver security file-directory show-effective-permissions -vserver svm1 -win-user-name domain.local\administrator -path /vol1
Error: Get user credentials procedure failed
[ 0 ms] Using cached S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-500 to 'DOMAIN\Administrator' mapping
[ 5] Successfully connected to ip xxx.xx.xx.59, port 88 using TCP
[ 39] Could not get credentials via S4U2Self based on full Windows username 'Administrator@domain.local'. Continuing to LDAP.
[ 45] Successfully connected to ip 185.31.21.197, port 389 using TCP
[ 55] FAILURE: Cannot get credentials for SID 'S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-500'. No associated primary group.
[ 55] Could not get credentials via LDAP for Windows user 'Administrator' based on SID 'S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-500'
[ 55] Could not get credentials for Windows user 'Administrador' or SID 'S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-500'
Error: show failed: Failed to get user credentials. Reason: "SecD Error: invalid ldap result".
- In the SecD log, Kerberos (the S4U2Self attempt) fails with the following error:
[000.042.221] info : [krb5 context 08E11400] TGS reply is for Administrator@domain.local ->svm1$\@DOMAIN.LOCAL@DOMAIN.LOCAL with session key rc4-hmac/142A
[000.042.579] ERR : RESULT_ERROR_KERBEROS_UNKNOWN_ERROR:7556 in getUserCredViaS4U2Self() at src/utils/secd_krb_utils.cpp:771
[000.042.593] ERR : getUserCredViaS4U2Self: GSSAPI Error: (d0000), Kerberos Error: (Wrong principal in request)
- In the SecD log, the LDAP fallback then fails with the following error:
[000.055.330] debug: Searching LDAP for the "PrimaryGroupId" attribute(s) within base "<SID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>" (scope: 0) using filter: (objectClass=*) { in searchLdap() at src/utils/secd_ldap_utils.cpp:318 }
[000.057.214] ERR : RESULT_ERROR_SECD_INVALID_LDAP_RESULT:6947 in adGetPrimaryGroupRid() at src/utils/secd_ad_utils.cpp:3052
[000.057.229] ERR : Cannot get credentials for SID 'S-1-5-21-xxxxxxxxx-xxxxxxxxxxx-xxxxxxxxx-500'. No associated primary group. { in getCredentialsFromSid() at src/authorization/secd_cifs_authorization.cpp:1291 }
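The LDAP fallback in the trace above searches the object with base "<SID=...>" for its PrimaryGroupId and fails with "No associated primary group". The following added check, which is not part of the NetApp article, reproduces that lookup from a domain-joined Windows host with the ActiveDirectory module so the AD side can be verified: it binds the user by SID, reads primaryGroupID, rebuilds the primary group's SID from the domain SID plus that RID, and confirms the group object resolves. The SID value is a placeholder; substitute the one from your trace.

```powershell
# Added example (not NetApp's code): verify the primaryGroupID lookup that SecD
# performs during its LDAP fallback. Requires RSAT / the ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholder SID taken from the trace format above; replace with the real one.
$Sid = 'S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-500'

# Step 1: bind the object by SID, the same object SecD searched under "<SID=...>".
try {
    $user = Get-ADUser -Identity $Sid -Properties primaryGroupID, objectSid
} catch {
    Write-Warning "No AD object resolves for SID $Sid : $($_.Exception.Message)"
    return
}
Write-Host "Object : $($user.DistinguishedName)"

# Step 2: the attribute SecD asked for. If it is absent, the fallback cannot
# build a primary group for the token, which matches the "No associated
# primary group" failure in the trace.
if (-not $user.primaryGroupID) {
    Write-Warning "primaryGroupID is not set on $($user.DistinguishedName)"
    return
}
Write-Host "primaryGroupID (RID): $($user.primaryGroupID)"

# Step 3: the primary group SID is the domain SID with the RID appended.
$domainSid = $user.objectSid.AccountDomainSid.Value
$groupSid  = "$domainSid-$($user.primaryGroupID)"

# Step 4: confirm that group object actually exists and is readable via LDAP.
try {
    $group = Get-ADGroup -Identity $groupSid
    Write-Host "Primary group: $($group.DistinguishedName) ($groupSid)"
} catch {
    Write-Warning "Primary group SID $groupSid does not resolve: $($_.Exception.Message)"
}
```

Run it under an account that can read the user and group objects; a warning at any step points at the AD-side data that SecD's LDAP fallback depends on.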