如何对 Windows Active Directory 中的 LDAP 问题进行故障排除
执行
执行
适用场景
- ONTAP 9
问题描述
有关 Active Directory LDAP 和集群模式 Data ONTAP 的更多详细信息和最新信息,请参见TR-4073 :安全统一身份验证。
在集群模式secd下使用 LDAP 时,会利用 mhost 进程 "" 。此过程负责用户身份验证(名称映射)。名称映射中发生的问题会记录到/mroot/etc/mlog文件中的 secd 日志中。
默认情况::*> diag secd trace set -node node-01 -module-names name-mapping -trace-all YES
Trace spec set successfully.
::*> diag secd trace show -node node-01
Trace Spec
---------------------------------------
TraceAll: Tracing all RPCs
Modules: NameMappingoptions cifs.trace_login下,除非指定,否则名称映射失败不会记录在 secd 日志中:此行为在 Data ONTAP 7- 模式中相同,必须启用此模式才能在日志中查看跟踪匹配失败。
如果名称映射失败,则会显示以下内容:Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] |------------------------------------------------------------------------------
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | TRACE MATCH |
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | RPC secd_rpc_map_name succeeded and is being dumped because of a tracing |
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | match on: |
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | All |
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | RPC recevied at Thu Sep 15 16:55:38 2011 |
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] |------------------------------------------------------------------------------'
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.032] debug: SecD RPC Server received RPC from MGMT. RPC 351: secd_rpc_map_name { in secd_prog_1() at server/secd_rpc_server.cpp:806 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.103] debug: Setting thread context. VServerId = 6, Protocol = NONE, lifId = 0 { in setThreadContext() at utils/secd_thread_data_manager.cpp:172 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.121] debug: secd_rpc_map_name_1_svc called with vserverid = 6 { in secd_rpc_map_name_1_svc() at name_mapping/secd_rpc_map_name.cpp:50 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.168] debug: Attempting to map name ldap using the cluster mapping store { in getAppropriateWindowsToUnixMapping() at name_mapping/secd_name_mapping.cpp:385 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.207] debug: IDS_FROM_USER_NAME ldapInfoType requested.
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] { in getLdapInfoFromName() at authorization/secd_ldap_unix_authorization.cpp:552 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.239] debug: Looking for LDAP (NIS & Name Mapping) cache (key: "") in vserver 6 { in getConnectionCache() at connection_manager/secd_connection_cache.cpp:450 } 000000ad.0000150a 001db95a Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.255] debug: Looking for a connection to LDAP (NIS & Name Mapping) { in getConnection() at connection_manager/secd_connection_manager.cpp:547 } 000000ad.0000150b 001db95a Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.268] debug: Acquiring a new LDAP (NIS & Name Mapping) connection; favoring cache { in getBestConnection() at connection_manager/secd_connection_manager.cpp:716 } Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.282] debug: Did not find an available connection in the cache { in getBestCachedConnection() at connection_manager/secd_connection_cache.cpp:224 } 000000ad.0000150d 001db95a Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.304] debug: Reserving a new LDAP (NIS & Name Mapping) server from discovery { in getBestConnection() at connection_manager/secd_connection_manager.cpp:728 } 000000ad.0000150e 001db95a Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.324] debug: Created service key: 00000006..LDAP_NIS_AND_NAME_MAPPING { in makeServiceKey() at server_discovery/secd_service_list.cpp:150 } Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.356] debug: Discovery returned 10.61.70.5 (10.61.70.5) { in getBestConnection() at connection_manager/secd_connection_manager.cpp:743 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.377] debug: Connecting to LDAP (NIS & Name Mapping) server 10.61.70.5 { in addStartConnectionJournal() at connection_manager/secd_connection_manager.cpp:462 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.002.652] debug: Successfully authenticated over LDAP with 10.61.70.5 { in connect<LdapConnectionState>() at connection_manager/secd_connection.cpp:971 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.002.688] debug: Connected to new LDAP (NIS & Name Mapping) service on 10.61.70.5 { in makeConnectionAttempt() at connection_manager/secd_connection_manager.cpp:846 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.002.929] debug: Searching LDAP for the "uidNumber, gidNumber" attribute(s) within base "CN=users,DC=domain,DC=com" (scope: -1) using filter: (&(objectClass=User)(sAMAccountName=ldap)) { in searchLdap() at utils/secd_ldap_utils.cpp:200 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.352] ERR : 1057 in searchLdap() at utils/secd_ldap_utils.cpp:215
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.386] ERR : searchLdap: LDAP Error: (80): 'Internal (implementation specific) error':
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.399] ERR : 1057 in getLdapInfoFromName() at authorization/secd_ldap_unix_authorization.cpp:652
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.465] debug: Closing service handle; reporting status 1 { in ~SecdConnection() at ../bedrock/obj/x86_64/secd/../../../export/common/headers/include/secd/secd_connection.h:106 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.488] ERR : 1057 in getIdsFromUserName() at authorization/secd_ldap_unix_authorization.cpp:139
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.505] warn : Failed to get an ID for name ldap using UNIX authorization source LDAP, Error: 1057; ignoring; will try next source { in handleNameAuthResult() at authorization/secd_unix_authorization.cpp:68 } 000000ad.0000151a 001db95a Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.575] debug: SecD RPC Server sending reply to RPC 351: secd_rpc_map_name { in secdSendRpcResponse() at server/secd_rpc_server.cpp:1093 }
名称映射跟踪表示以下内容:
- LDAP 名称映射失败以及正在尝试的用户
- 用于映射用户的 LDAP
- 用于搜索的基础 DN
- 故障期间请求的属性
- 已使用筛选器
- 已联系 LDAP 服务器,如果已正确连接 LDAP 服务器
- LDAP 连接是否已缓存
- 请求的 SVM ID