メインコンテンツまでスキップ

S4U2selfおよびLDAPのONTAP Windowsユーザクレデンシャル手順が失敗しました

Views:
57
Visibility:
Public
Votes:
0
Category:
ontap-9
Specialty:
nas
Last Updated:

環境

  • ONTAP 9
  • CIFS

問題

  • ONTAP CLIからのWindowsクレデンシャルの収集が失敗する invalid ldap result

cluster01::*> vserver security file-directory show-effective-permissions -vserver svm1 -win-user-name domain.local\administrator -path /vol1

Error: Get user credentials procedure failed
[  0 ms] Using cached S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-500 to 'DOMAIN\Administrator' mapping
[    5] Successfully connected to ip xxx.xx.xx.59, port 88 using TCP
[   39] Could not get credentials via S4U2Self based on full Windows username 'Administrator@domain.local'. Continuing to LDAP.
[   45] Successfully connected to ip 185.31.21.197, port 389 using TCP
[   55] FAILURE: Cannot get credentials for SID 'S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-500'. No associated primary group.
[   55] Could not get credentials via LDAP for Windows user 'Administrator' based on SID 'S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-500'
[   55] Could not get credentials for Windows user 'Administrador' or SID 'S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-500'
Error: show failed: Failed to get user credentials. Reason: "SecD Error: invalid ldap result".

 

  • SecD ログでKerberosが次のエラーで失敗します。

[000.042.221]  info :  [krb5 context 08E11400] TGS reply is for Administrator@domain.local ->svm1$\@DOMAIN.LOCAL@DOMAIN.LOCAL with session key rc4-hmac/142A
[000.042.579]  ERR  :  RESULT_ERROR_KERBEROS_UNKNOWN_ERROR:7556 in getUserCredViaS4U2Self() at src/utils/secd_krb_utils.cpp:771
[000.042.593]  ERR  :  getUserCredViaS4U2Self: GSSAPI Error: (d0000), Kerberos Error: (Wrong principal in request)

  • SecDログのLDAPが次のエラーで失敗します。                                                                                              

[000.055.330]  debug:  Searching LDAP for the "PrimaryGroupId" attribute(s) within base "<SID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>" (scope: 0) using filter: (objectClass=*)  { in searchLdap() at src/utils/secd_ldap_utils.cpp:318 }
[000.057.214]  ERR  :  RESULT_ERROR_SECD_INVALID_LDAP_RESULT:6947 in adGetPrimaryGroupRid() at src/utils/secd_ad_utils.cpp:3052
[000.057.229]  ERR  :  Cannot get credentials for SID 'S-1-5-21-xxxxxxxxx-xxxxxxxxxxx-xxxxxxxxx-500'. No associated primary group. { in getCredentialsFromSid() at src/authorization/secd_cifs_authorization.cpp:1291 }

 

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.

 

  • この記事は役に立ちましたか?