
NFS access to an NTFS security-style volume fails with access denied because the mapped AD account is locked, disabled, or expired

Category:
ontap-9
Specialty:
nas

Environment

  • ONTAP 9.3 or later
  • NFS
  • Volume with NTFS security style

Issue

  • An NFS user is denied access when accessing an NFS mount whose effective security style is NTFS
  • The NFS path cannot be accessed and a "permission denied" error is returned
  • Credential lookup for the NFS user user1 fails (the UNIX user is mapped to a Windows user, and ONTAP then asks the domain controller for that user's credentials via Kerberos S4U2Self; the KDC rejects the request with "Clients credentials have been revoked")

Cluster::*> diag secd authentication show-creds -vserver svm1 -node node1 -unix-user-name user1
Vserver: svm1 (internal ID: 3)
Error: Get user credentials procedure failed
  [  0 ms] Determined UNIX id 8309 is UNIX user 'user1'
  [    0] UNIX user 'user1' mapped to Windows user
      'domain\winuser'
  [    0] Using cached 'domain\winuser' SID mapping.
  [    5] Successfully connected to ip 1x.xx.xx.xx, port 88
      using TCP
**[   10] FAILURE: Could not get credentials via S4U2Self based on
**      full Windows user name
**      'winuser@domain.local'. Access
**      denied.
  [   10] Could not get credentials for Windows user 'winuser'
      or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx'

Error: command failed: Failed to get user credentials. Reason: "Kerberos Error: Clients credentials have been revoked".

  • SecD log showing the credential lookup via S4U2Self failing (RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519):

            .------------------------------------------------------------------------------.
[kern_secd:info:10210] |                  RPC FAILURE:                  |
[kern_secd:info:10210] |            secd_rpc_auth_get_creds has failed            |
[kern_secd:info:10210] |             Result = 0, RPC Result = 7519             |
[kern_secd:info:10210] |           RPC received at Mon xxxxxxxxxxxxxxxx         |
[kern_secd:info:10210] |------------------------------------------------------------------------------'
[kern_secd:info:10210] Failure Summary:
[kern_secd:info:10210] Error: Get user credentials procedure failed
[kern_secd:info:10210]   [  1 ms] Determined UNIX id 8309 is UNIX user 'user1'
[kern_secd:info:10210]   [   218] UNIX user 'user1' mapped to Windows user 'domain\winuser'
[kern_secd:info:10210]   [   218] Using cached 'domain\winuser' SID mapping.
[kern_secd:info:10210]   [   221] Successfully connected to ip 1x.xx.xx.xx, port 88 using TCP
[kern_secd:info:10210] **[   225] FAILURE: Could not get credentials via S4U2Self based on full Windows user name 'winuser@domain.local'. Access denied.
[kern_secd:info:10210]   [   225] Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx'
...
[kern_secd:info:10210] | [000.009.096]  ERR  :  RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getUserCredViaS4U2Self() at src/utils/secd_krb_utils.cpp:762
[kern_secd:info:10210] | [000.009.105]  ERR  :  getUserCredViaS4U2Self: GSSAPI Error: (d0000), Kerberos Error: (Clients credentials have been revoked)
[kern_secd:info:10210] | [000.011.467]  ERR  :  Could not get credentials via S4U2Self based on full Windows user name 'winuser@domain.domain.COM'. Access denied. { in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1211 }
[kern_secd:info:10210] | [000.011.475]  ERR  :  RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1212
[kern_secd:info:10210] | [000.011.481]  ERR  :  Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx' { in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1240 }
[kern_secd:info:10210] | [000.011.486]  ERR  :  RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in secd_rpc_auth_get_creds_1_svc() at src/authorization/secd_rpc_authorization.cpp:1540
[kern_secd:info:10210] | [000.011.512]  debug:  SecD RPC Server sending reply to RPC 153: secd_rpc_auth_get_creds  { in secdSendRpcResponse() at src/server/secd_rpc_server.cpp:2127 }
[kern_secd:info:10210] | [000.011.569]  ERR  :  RESULT_ERROR_SECD_CIFS_CRED_LOOKUP_FAILED:6988 in getFailureCode() at src/utils/secd_thread_task_journal.cpp:348

  • EMS log:

[node1: secd: secd.nfsAuth.noCifsCred:error]: vserver (svm1) NFS authorization cannot retrieve CIFS credentials. Error: Get user credentials procedure failed   [  1 ms] Determined UNIX id 8309 is UNIX user 'user1'   [   218] UNIX user 'ftps' mapped to Windows user 'domain\winuser'   [   218] Using cached 'domain\winuser' SID mapping.   [   221] Successfully connected to ip 1x.xx.xx.xx, port 88 using TCP **[   225] FAILURE: Could not get credentials via S4U2Self based on full Windows user name 'winuser@domain.local'. Access denied.  [   225] Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx' 

  • Name mapping (the unix-win rule that maps user1 to the Windows account being looked up; the replacement is shown with an escaped backslash):

::> set adv
::*> vserver name-mapping show -vserver svm1
Vserver:   svm1
Direction: unix-win
Position Hostname         IP Address/Mask
-------- ---------------- ----------------
1        -                -                Pattern:     user1
                                           Replacement: domain\\winuser
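The secd and EMS output above carries the whole identity chain (UNIX uid, mapped Windows user, UPN, SID) plus the Kerberos reason, and the KDC error "Clients credentials have been revoked" is KDC_ERR_CLIENT_REVOKED (error 18 in RFC 4120), which a Windows DC returns when the account is disabled, locked out, or expired. The script below is an added example, not part of the NetApp article: it parses both the `show-creds` form and the single-line EMS form of the failure, classifies the Kerberos reason, and checks that the name-mapping rule's replacement actually matches the Windows user secd resolved. The sample inputs are constructed from the anonymised output on this page; the second Kerberos error text (KDC_ERR_C_PRINCIPAL_UNKNOWN, a stale mapping pointing at an account that no longer exists) is added for contrast and does not appear in the article.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Kerberos error text as secd prints it -> (RFC 4120 KDC error, what to check in AD).
# The first entry is the error from this article; the second is added for contrast.
KRB_ERRORS = {
    "Clients credentials have been revoked": (
        "KDC_ERR_CLIENT_REVOKED (18)",
        "mapped AD account is disabled, locked out, or expired",
    ),
    "Client not found in Kerberos database": (
        "KDC_ERR_C_PRINCIPAL_UNKNOWN (6)",
        "mapped AD account does not exist; check the unix-win name-mapping rule",
    ),
}

# secd wraps long lines and prefixes failure lines with '**', so the gap between
# a label and its quoted value may contain spaces, newlines and asterisks.
_GAP = r"[\s*]+"
_PATTERNS = {
    "vserver": re.compile(r"(?:vserver \(|Vserver:\s+)(?P<v>[^\s)]+)"),
    "unix": re.compile(r"Determined UNIX id (?P<uid>\d+) is UNIX user '(?P<name>[^']+)'"),
    "win": re.compile(r"mapped to Windows user" + _GAP + r"'(?P<name>[^']+)'"),
    "upn": re.compile(r"full Windows user name" + _GAP + r"'(?P<name>[^']+)'"),
    "sid": re.compile(r"or SID" + _GAP + r"'(?P<sid>S-1-5-[^']+)'"),
    # 'Kerberos Error: (text)' in kern_secd lines, 'Kerberos Error: text"' in show-creds.
    "krb": re.compile(r"Kerberos Error: \(?(?P<text>[A-Za-z' ]+?)\)?(?:[\"\n]|$)", re.M),
}


@dataclass
class S4U2SelfFailure:
    vserver: Optional[str]
    uid: Optional[int]
    unix_user: Optional[str]
    windows_user: Optional[str]
    upn: Optional[str]
    sid: Optional[str]
    kerberos_error: Optional[str]
    kdc_error: str
    probable_cause: str


def parse_secd_failure(text: str) -> Optional[S4U2SelfFailure]:
    """Extract the identity chain and Kerberos reason from secd/EMS output.

    Returns None when the text does not contain an S4U2Self credential failure.
    """
    if "Could not get credentials via S4U2Self" not in text:
        return None
    m = {key: pat.search(text) for key, pat in _PATTERNS.items()}
    krb_text = m["krb"].group("text").strip() if m["krb"] else None
    kdc, cause = KRB_ERRORS.get(krb_text, ("unknown", "inspect the full secd log"))
    return S4U2SelfFailure(
        vserver=m["vserver"].group("v") if m["vserver"] else None,
        uid=int(m["unix"].group("uid")) if m["unix"] else None,
        unix_user=m["unix"].group("name") if m["unix"] else None,
        windows_user=m["win"].group("name") if m["win"] else None,
        upn=m["upn"].group("name") if m["upn"] else None,
        sid=m["sid"].group("sid") if m["sid"] else None,
        kerberos_error=krb_text,
        kdc_error=kdc,
        probable_cause=cause,
    )


def mapping_matches_log(rule_replacement: str, logged_windows_user: str) -> bool:
    """'vserver name-mapping show' prints the replacement with the backslash
    escaped (domain\\\\winuser); secd logs the resolved name unescaped."""
    return rule_replacement.replace("\\\\", "\\").lower() == logged_windows_user.lower()


# Constructed samples modelled on the anonymised output in this article.
SAMPLE_EMS = (
    "[node1: secd: secd.nfsAuth.noCifsCred:error]: vserver (svm1) NFS authorization "
    "cannot retrieve CIFS credentials. Error: Get user credentials procedure failed   "
    "[  1 ms] Determined UNIX id 8309 is UNIX user 'user1'   [   218] UNIX user 'user1' "
    "mapped to Windows user 'domain\\winuser'   [   221] Successfully connected to ip "
    "1x.xx.xx.xx, port 88 using TCP **[   225] FAILURE: Could not get credentials via "
    "S4U2Self based on full Windows user name 'winuser@domain.local'. Access denied.  "
    "[   225] Could not get credentials for Windows user 'winuser' or SID "
    "'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx'\n"
    "[kern_secd:info:10210] | [000.009.105]  ERR  :  getUserCredViaS4U2Self: GSSAPI "
    "Error: (d0000), Kerberos Error: (Clients credentials have been revoked)\n"
)

SAMPLE_SHOW_CREDS = """\
Vserver: svm1 (internal ID: 3)
Error: Get user credentials procedure failed
  [  0 ms] Determined UNIX id 8309 is UNIX user 'user1'
  [    0] UNIX user 'user1' mapped to Windows user
      'domain\\winuser'
**[   10] FAILURE: Could not get credentials via S4U2Self based on
**      full Windows user name
**      'winuser@domain.local'. Access
**      denied.
  [   10] Could not get credentials for Windows user 'winuser'
      or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx'

Error: command failed: Failed to get user credentials. Reason: "Kerberos Error: Clients credentials have been revoked".
"""

if __name__ == "__main__":
    for sample in (SAMPLE_EMS, SAMPLE_SHOW_CREDS):
        f = parse_secd_failure(sample)
        print(f"{f.vserver}: uid {f.uid} ({f.unix_user}) -> {f.windows_user} / {f.upn} / {f.sid}")
        print(f"  {f.kerberos_error} = {f.kdc_error}: {f.probable_cause}")
        print("  name-mapping rule matches log:", mapping_matches_log("domain\\\\winuser", f.windows_user))
```

Once the script points at KDC_ERR_CLIENT_REVOKED, the next check is on the domain controller side, against the account secd named (winuser), not the UNIX user: `Get-ADUser winuser -Properties Enabled,LockedOut,AccountExpirationDate` shows the three states that produce this error. If the mapping check fails instead, the unix-win rule is sending the lookup to a different account than the one you are inspecting.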


NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.