由于在EMS中显示secd.keros.cocksw时身份验证失败、因此无法访问CIFS或SMB
适用场景
ONTAP 9
问题描述
- 无法访问CIFS或SMB、因为在EMS中显示
secd.kerberos.clockskew时身份验证失败 - 某些CIFS或SMB客户端可能会出现延迟、而其他客户端则可能不会出现延迟
- 已成功通过IP访问共享、但尝试通过主机名(\\hostname)或FQDN (\\hostname.domain.com)执行此操作失败。
- SECD.log
ERR : RESULT_ERROR_SECD_NO_SERVER_AVAILABLE:6940 in secd_rpc_auth_extended_1_svc() at authentication/secd_rpc_auth.cpp:749
debug: SecD RPC Server sending reply to RPC 151: secd_rpc_auth_extended { in secdSendRpcResponse() at server/secd_rpc_server.cpp:1405 }
ERR : Error: User authentication procedure failed
ERR : [ 0 ms] Login attempt by domain user 'CIFSLABAdministrator' using NTLMv1 style security
ERR : [ 0] No servers available for MS_NETLOGON, vserver: 3, domain: cifs.lab.netapp.com.
ERR : [ 22] Unable to connect to any of the provided DNS servers
ERR : [ 22] Connecting to NetLogon server a7-6.cifs.lab.netapp.com (172.17.192.24)
ERR : **[ 22] FAILURE: Unexpected state: Error 6810 at file:Common/ProtocolClientLibrary/Dns/DnsOps.cpp func:DnsNameLookup line:715
''' ERR : **[ 33] FAILURE: Cluster and Domain Controller times differ by more than the configured clock skew'''
ERR : [ 104] Unable to connect to a7-6.cifs.lab.netapp.com through the 10.53.21.46 interface
ERR : [ 104] No servers available for MS_NETLOGON, vserver: 3, domain: cifs.lab.netapp.com.
|------------------------------------------------------------------------------.
| RPC completed at Fri Oct 19 08:34:13 2012 |
| End of log for failed RPC secd_rpc_auth_extended |
'------------------------------------------------------------------------------'
- EMS 消息
10/18/2012 13:34:59 krbClus-01 ERROR secd.kerberos.clockskew: Kerberos client or node clock skew error (-1765328351).
- 显示了数据包跟踪
KRB5KRB_AP_ERR_TKT_NYV
A packet trace is only needed from the client to confirm this - we'd see a KRB5 packet:
1778 41.215954 172.17.193.122 10.53.21.46 SMB Session Setup AndX Request
1779 41.227968 10.53.21.46 172.17.193.122 SMB KRB Error: KRB5KRB_AP_ERR_TKT_NYV, Error: STATUS_MORE_PROCESSING_REQUIRED