
NFS access to an NTFS volume fails with "access denied"


Applies to

  • ONTAP 9
  • NFS
  • NTFS security style volumes

Issue

  • NFS users receive an "access denied" message when attempting to access an NFS mount (NTFS security style)
  • Fetching credentials for the NFS user user1 fails:

Cluster::*> diag secd authentication show-creds -vserver svm1 -node node1 -unix-user-name user1
Vserver: svm1 (internal ID: 3)
Error: Get user credentials procedure failed
  [  0 ms] Determined UNIX id 8309 is UNIX user 'user1'
  [    0] UNIX user 'user1' mapped to Windows user
      'naslab\winuser'
  [    0] Using cached 'naslab\winuser' SID mapping.
  [    5] Successfully connected to ip 1x.xx.xx.xx, port 88
      using TCP
**[   10] FAILURE: Could not get credentials via S4U2Self based on
**      full Windows user name
**      'winuser@naslab.local'. Access
**      denied.
  [   10] Could not get credentials for Windows user 'winuser'
      or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx'

  
Error: command failed: Failed to get user credentials. Reason: "Kerberos Error: Clients credentials have been revoked".

Secd log:

  • Fetching credentials via S4U2Self fails with the error "Clients credentials have been revoked"

            .------------------------------------------------------------------------------.
[kern_secd:info:10210] |                  RPC FAILURE:                  |
[kern_secd:info:10210] |            secd_rpc_auth_get_creds has failed            |
[kern_secd:info:10210] |             Result = 0, RPC Result = 7519             |
[kern_secd:info:10210] |           RPC received at Mon xxxxxxxxxxxxxxxx         |
[kern_secd:info:10210] |------------------------------------------------------------------------------'
[kern_secd:info:10210] Failure Summary:
[kern_secd:info:10210] Error: Get user credentials procedure failed
[kern_secd:info:10210]   [  1 ms] Determined UNIX id 8309 is UNIX user 'user1'
[kern_secd:info:10210]   [   218] UNIX user 'user1' mapped to Windows user 'naslab\winuser'
[kern_secd:info:10210]   [   218] Using cached 'naslab\winuser' SID mapping.
[kern_secd:info:10210]   [   221] Successfully connected to ip 1x.xx.xx.xx, port 88 using TCP
[kern_secd:info:10210] **[   225] FAILURE: Could not get credentials via S4U2Self based on full Windows user name 'winuser@naslab.local'. Access denied.
[kern_secd:info:10210]   [   225] Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx'
...
[kern_secd:info:10210] | [000.009.096]  ERR  :  RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getUserCredViaS4U2Self() at src/utils/secd_krb_utils.cpp:762
[kern_secd:info:10210] | [000.009.105]  ERR  :  getUserCredViaS4U2Self: GSSAPI Error: (d0000), Kerberos Error: (Clients credentials have been revoked)
[kern_secd:info:10210] | [000.011.467]  ERR  :  Could not get credentials via S4U2Self based on full Windows user name 'winuser@naslab.MARRCORP.MARRIOTT.COM'. Access denied. { in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1211 }
[kern_secd:info:10210] | [000.011.475]  ERR  :  RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1212
[kern_secd:info:10210] | [000.011.481]  ERR  :  Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx' { in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1240 }
[kern_secd:info:10210] | [000.011.486]  ERR  :  RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in secd_rpc_auth_get_creds_1_svc() at src/authorization/secd_rpc_authorization.cpp:1540
[kern_secd:info:10210] | [000.011.512]  debug:  SecD RPC Server sending reply to RPC 153: secd_rpc_auth_get_creds  { in secdSendRpcResponse() at src/server/secd_rpc_server.cpp:2127 }
[kern_secd:info:10210] | [000.011.569]  ERR  :  RESULT_ERROR_SECD_CIFS_CRED_LOOKUP_FAILED:6988 in getFailureCode() at src/utils/secd_thread_task_journal.cpp:348

EMS log:
[node1: secd: secd.nfsAuth.noCifsCred:error]: vserver (svm1) NFS authorization cannot retrieve CIFS credentials. Error: Get user credentials procedure failed   [  1 ms] Determined UNIX id 8309 is UNIX user 'user1'   [   218] UNIX user 'ftps' mapped to Windows user 'naslab\winuser'   [   218] Using cached 'naslab\winuser' SID mapping.   [   221] Successfully connected to ip 1x.xx.xx.xx, port 88 using TCP **[   225] FAILURE: Could not get credentials via S4U2Self based on full Windows user name 'winuser@naslab.local'. Access denied.  [   225] Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx' 
 

Name mapping:

Cluster::*> vserver  name-mapping show -vserver  svm1
Vserver:   svm1
Direction: unix-win
Position Hostname      IP Address/Mask
-------- ---------------- ----------------
1     -          -           Pattern: user1
                      Replacement: naslab\\winuser
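
The triage script below is an added example, not NetApp code or part of the original article: it walks secd log text like the excerpt above and returns one record per credential lookup whose S4U2Self step failed, tying the UNIX user and its name-mapping result to the Kerberos error. The sample log is constructed (user2 and winuser2 are invented), and the script assumes that the lines of one lookup are contiguous and begin with "Determined UNIX id".

```python
import re

# Constructed sample modelled on the secd lines above; user2/winuser2 are invented.
SAMPLE_LOG = r"""
[kern_secd:info:10210]   [  1 ms] Determined UNIX id 8309 is UNIX user 'user1'
[kern_secd:info:10210]   [   218] UNIX user 'user1' mapped to Windows user 'naslab\winuser'
[kern_secd:info:10210] **[   225] FAILURE: Could not get credentials via S4U2Self based on full Windows user name 'winuser@naslab.local'. Access denied.
[kern_secd:info:10210] | [000.009.096]  ERR  :  RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getUserCredViaS4U2Self() at src/utils/secd_krb_utils.cpp:762
[kern_secd:info:10210] | [000.009.105]  ERR  :  getUserCredViaS4U2Self: GSSAPI Error: (d0000), Kerberos Error: (Clients credentials have been revoked)
[kern_secd:info:10210] | [000.011.569]  ERR  :  RESULT_ERROR_SECD_CIFS_CRED_LOOKUP_FAILED:6988 in getFailureCode() at src/utils/secd_thread_task_journal.cpp:348
[kern_secd:info:10210]   [  1 ms] Determined UNIX id 8310 is UNIX user 'user2'
[kern_secd:info:10210]   [   200] UNIX user 'user2' mapped to Windows user 'naslab\winuser2'
"""

START = re.compile(r"Determined UNIX id (\d+) is UNIX user '([^']+)'")
MAPPED = re.compile(r"UNIX user '[^']+' mapped to Windows user\s+'([^']+)'")
S4U = re.compile(r"via S4U2Self based on full Windows user name '([^']+)'")
RESULT = re.compile(r"(RESULT_ERROR_\w+):(\d+)")
# RFC 4120 names the KDC error with this text KDC_ERR_CLIENT_REVOKED (code 18).
KRB = re.compile(r"Kerberos Error: \(([^)]+)\)")

def summarize_s4u_failures(log_text):
    """Return one dict per credential lookup whose S4U2Self step failed."""
    lookups, cur = [], None
    for line in log_text.splitlines():
        if m := START.search(line):      # first line of a lookup journal
            cur = {"unix_id": int(m[1]), "unix_user": m[2], "win_user": None,
                   "principal": None, "kerberos_error": None, "results": {}}
            lookups.append(cur)
            continue
        if cur is None:
            continue                     # text before the first journal
        if m := MAPPED.search(line):
            cur["win_user"] = m[1]
        if m := S4U.search(line):        # keep the first principal reported
            cur["principal"] = cur["principal"] or m[1]
        if m := RESULT.search(line):
            cur["results"][m[1]] = int(m[2])
        if m := KRB.search(line):
            cur["kerberos_error"] = m[1]
    # Lookups that never reached an S4U2Self failure are dropped.
    return [r for r in lookups if r["principal"]]

if __name__ == "__main__":
    for rec in summarize_s4u_failures(SAMPLE_LOG):
        print(rec)
```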

 
