NFS access to an NTFS volume fails with "access denied" because the AD account is locked, disabled or expired
Environment
- ONTAP 9.3 or later.
- NFS
- NTFS security-style volume
Issue
- Accessing an NFS mount of an NTFS security-style volume is denied for the NFS user
- Credential lookup for the NFS user user1 fails
Cluster::*> diag secd authentication show-creds -vserver svm1 -node node1 -unix-user-name user1
Vserver: svm1 (internal ID: 3)
Error: Get user credentials procedure failed
[ 0 ms] Determined UNIX id 8309 is UNIX user 'user1'
[ 0] UNIX user 'user1' mapped to Windows user 'naslab\winuser'
[ 0] Using cached 'naslab\winuser' SID mapping.
[ 5] Successfully connected to ip 1x.xx.xx.xx, port 88 using TCP
**[ 10] FAILURE: Could not get credentials via S4U2Self based on full Windows user name 'winuser@naslab.local'. Access denied.
[ 10] Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx'
Error: command failed: Failed to get user credentials. Reason: "Kerberos Error: Clients credentials have been revoked".
- SecD fails to retrieve the credentials via S4U2SELF
.------------------------------------------------------------------------------.
[kern_secd:info:10210] | RPC FAILURE: |
[kern_secd:info:10210] | secd_rpc_auth_get_creds has failed |
[kern_secd:info:10210] | Result = 0, RPC Result = 7519 |
[kern_secd:info:10210] | RPC received at Mon xxxxxxxxxxxxxxxx |
[kern_secd:info:10210] |------------------------------------------------------------------------------'
[kern_secd:info:10210] Failure Summary:
[kern_secd:info:10210] Error: Get user credentials procedure failed
[kern_secd:info:10210] [ 1 ms] Determined UNIX id 8309 is UNIX user 'user1'
[kern_secd:info:10210] [ 218] UNIX user 'user1' mapped to Windows user 'naslab\winuser'
[kern_secd:info:10210] [ 218] Using cached 'naslab\winuser' SID mapping.
[kern_secd:info:10210] [ 221] Successfully connected to ip 1x.xx.xx.xx, port 88 using TCP
[kern_secd:info:10210] **[ 225] FAILURE: Could not get credentials via S4U2Self based on full Windows user name 'winuser@naslab.local'. Access denied.
[kern_secd:info:10210] [ 225] Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx'
...
[kern_secd:info:10210] | [000.009.096] ERR : RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getUserCredViaS4U2Self() at src/utils/secd_krb_utils.cpp:762
[kern_secd:info:10210] | [000.009.105] ERR : getUserCredViaS4U2Self: GSSAPI Error: (d0000), Kerberos Error: (Clients credentials have been revoked)
[kern_secd:info:10210] | [000.011.467] ERR : Could not get credentials via S4U2Self based on full Windows user name 'winuser@naslab.MARRCORP.MARRIOTT.COM'. Access denied. { in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1211 }
[kern_secd:info:10210] | [000.011.475] ERR : RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1212
[kern_secd:info:10210] | [000.011.481] ERR : Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx' { in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1240 }
[kern_secd:info:10210] | [000.011.486] ERR : RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in secd_rpc_auth_get_creds_1_svc() at src/authorization/secd_rpc_authorization.cpp:1540
[kern_secd:info:10210] | [000.011.512] debug: SecD RPC Server sending reply to RPC 153: secd_rpc_auth_get_creds { in secdSendRpcResponse() at src/server/secd_rpc_server.cpp:2127 }
[kern_secd:info:10210] | [000.011.569] ERR : RESULT_ERROR_SECD_CIFS_CRED_LOOKUP_FAILED:6988 in getFailureCode() at src/utils/secd_thread_task_journal.cpp:348
- EMS log:
[node1: secd: secd.nfsAuth.noCifsCred:error]: vserver (svm1) NFS authorization cannot retrieve CIFS credentials. Error: Get user credentials procedure failed [ 1 ms] Determined UNIX id 8309 is UNIX user 'user1' [ 218] UNIX user 'ftps' mapped to Windows user 'naslab\winuser' [ 218] Using cached 'naslab\winuser' SID mapping. [ 221] Successfully connected to ip 1x.xx.xx.xx, port 88 using TCP **[ 225] FAILURE: Could not get credentials via S4U2Self based on full Windows user name 'winuser@naslab.local'. Access denied. [ 225] Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx'
- Name mapping:
::> set adv
::*> vserver name-mapping show -vserver svm1
Vserver: svm1
Direction: unix-win
Position Hostname         IP Address/Mask
-------- ---------------- ----------------
       1 -                -
                          Pattern: user1
                          Replacement: naslab\\winuser
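As an added example, not from the original article or from ONTAP itself, a small Python triage helper that reads secd trace or EMS lines like the ones above, pulls out the UNIX user, the mapped Windows user and the Kerberos result, and turns the RESULT_ERROR_KERBEROS_CLIENT_REVOKED (7519) code into the AD-side check the title describes. It assumes each record is on one line, as in the secd trace and EMS output; the sample lines are constructed from the output shown above.

```python
import re

# Constructed sample lines, modelled on the secd trace shown in this article.
SAMPLE_LINES = [
    "[kern_secd:info:10210] [ 1 ms] Determined UNIX id 8309 is UNIX user 'user1'",
    "[kern_secd:info:10210] [ 218] UNIX user 'user1' mapped to Windows user 'naslab\\winuser'",
    "[kern_secd:info:10210] **[ 225] FAILURE: Could not get credentials via S4U2Self based on "
    "full Windows user name 'winuser@naslab.local'. Access denied.",
    "[kern_secd:info:10210] | [000.009.105] ERR : getUserCredViaS4U2Self: GSSAPI Error: (d0000), "
    "Kerberos Error: (Clients credentials have been revoked)",
    "[kern_secd:info:10210] | [000.011.475] ERR : RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getCredentials()",
    "[kern_secd:info:10210] | [000.011.569] ERR : RESULT_ERROR_SECD_CIFS_CRED_LOOKUP_FAILED:6988 in getFailureCode()",
]

# SecD result codes seen in the trace, mapped to what an admin should check.
RESULT_CODES = {
    7519: ("RESULT_ERROR_KERBEROS_CLIENT_REVOKED",
           "KDC rejected S4U2Self: the mapped AD account is locked out, disabled or expired"),
    6988: ("RESULT_ERROR_SECD_CIFS_CRED_LOOKUP_FAILED",
           "CIFS credential lookup failed as a consequence of an earlier Kerberos error"),
}

UNIX_USER_RE = re.compile(r"Determined UNIX id (\d+) is UNIX user '([^']+)'")
MAPPED_RE = re.compile(r"UNIX user '([^']+)' mapped to Windows user '([^']+)'")
S4U_RE = re.compile(r"via S4U2Self based on full Windows user name '([^']+)'")
KRB_RE = re.compile(r'Kerberos Error: \(?([^)"]+)')
RESULT_RE = re.compile(r"(RESULT_ERROR_[A-Z_]+):(\d+)")


def triage_secd_trace(lines):
    """Summarise a failed NFS-to-CIFS credential lookup from secd/EMS lines."""
    summary = {"unix_uid": None, "unix_user": None, "windows_user": None,
               "upn": None, "kerberos_error": None, "result_codes": [], "diagnosis": None}
    for line in lines:
        if m := UNIX_USER_RE.search(line):
            summary["unix_uid"], summary["unix_user"] = int(m.group(1)), m.group(2)
        if m := MAPPED_RE.search(line):
            summary["windows_user"] = m.group(2)
        if m := S4U_RE.search(line):
            summary["upn"] = m.group(1)
        if m := KRB_RE.search(line):
            summary["kerberos_error"] = m.group(1).strip()
        for _name, code in RESULT_RE.findall(line):
            if int(code) not in summary["result_codes"]:
                summary["result_codes"].append(int(code))
    # The first known result code is the root cause; later ones are cascaded wrappers.
    code = next((c for c in summary["result_codes"] if c in RESULT_CODES), None)
    if code is not None:
        summary["diagnosis"] = RESULT_CODES[code][1]
    elif summary["kerberos_error"] and "revoked" in summary["kerberos_error"]:
        summary["diagnosis"] = RESULT_CODES[7519][1]  # show-creds output carries only the text
    return summary
```

For the single-line EMS event, pass it as a one-element list; the same regexes extract the UNIX user, mapped Windows user and S4U2Self UPN from it.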