NFS access to an NTFS volume fails with access denied because the AD account is locked, disabled, or expired
Environment
- ONTAP 9.3 or later
- NFS
- NTFS security style volume
Issue
- Access is denied for an NFS user when accessing an NFS mount on a volume with NTFS security style in effect
- The NFS path cannot be accessed and a permission denied error is returned.
- Retrieving credentials for NFS user user1 fails
Cluster::*> diag secd authentication show-creds -vserver svm1 -node node1 -unix-user-name user1
Vserver: svm1 (internal ID: 3)
Error: Get user credentials procedure failed
[ 0 ms] Determined UNIX id 8309 is UNIX user 'user1'
[ 0] UNIX user 'user1' mapped to Windows user 'domain\winuser'
[ 0] Using cached 'domain\winuser' SID mapping.
[ 5] Successfully connected to ip 1x.xx.xx.xx, port 88 using TCP
**[ 10] FAILURE: Could not get credentials via S4U2Self based on full Windows user name 'winuser@domain.local'. Access denied.
[ 10] Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx'
Error: command failed: Failed to get user credentials. Reason: "Kerberos Error: Clients credentials have been revoked".
- SecD log showing that credential retrieval via S4U2Self fails
.------------------------------------------------------------------------------.
[kern_secd:info:10210] | RPC FAILURE: |
[kern_secd:info:10210] | secd_rpc_auth_get_creds has failed |
[kern_secd:info:10210] | Result = 0, RPC Result = 7519 |
[kern_secd:info:10210] | RPC received at Mon xxxxxxxxxxxxxxxx |
[kern_secd:info:10210] |------------------------------------------------------------------------------'
[kern_secd:info:10210] Failure Summary:
[kern_secd:info:10210] Error: Get user credentials procedure failed
[kern_secd:info:10210] [ 1 ms] Determined UNIX id 8309 is UNIX user 'user1'
[kern_secd:info:10210] [ 218] UNIX user 'user1' mapped to Windows user 'domain\winuser'
[kern_secd:info:10210] [ 218] Using cached 'domain\winuser' SID mapping.
[kern_secd:info:10210] [ 221] Successfully connected to ip 1x.xx.xx.xx, port 88 using TCP
[kern_secd:info:10210] **[ 225] FAILURE: Could not get credentials via S4U2Self based on full Windows user name 'winuser@domain.local'. Access denied.
[kern_secd:info:10210] [ 225] Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx'
...
[kern_secd:info:10210] | [000.009.096] ERR : RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getUserCredViaS4U2Self() at src/utils/secd_krb_utils.cpp:762
[kern_secd:info:10210] | [000.009.105] ERR : getUserCredViaS4U2Self: GSSAPI Error: (d0000), Kerberos Error: (Clients credentials have been revoked)
[kern_secd:info:10210] | [000.011.467] ERR : Could not get credentials via S4U2Self based on full Windows user name 'winuser@domain.domain.COM'. Access denied. { in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1211 }
[kern_secd:info:10210] | [000.011.475] ERR : RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1212
[kern_secd:info:10210] | [000.011.481] ERR : Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx' { in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1240 }
[kern_secd:info:10210] | [000.011.486] ERR : RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in secd_rpc_auth_get_creds_1_svc() at src/authorization/secd_rpc_authorization.cpp:1540
[kern_secd:info:10210] | [000.011.512] debug: SecD RPC Server sending reply to RPC 153: secd_rpc_auth_get_creds { in secdSendRpcResponse() at src/server/secd_rpc_server.cpp:2127 }
[kern_secd:info:10210] | [000.011.569] ERR : RESULT_ERROR_SECD_CIFS_CRED_LOOKUP_FAILED:6988 in getFailureCode() at src/utils/secd_thread_task_journal.cpp:348
- EMS log:
[node1: secd: secd.nfsAuth.noCifsCred:error]: vserver (svm1) NFS authorization cannot retrieve CIFS credentials. Error: Get user credentials procedure failed [ 1 ms] Determined UNIX id 8309 is UNIX user 'user1' [ 218] UNIX user 'ftps' mapped to Windows user 'domain\winuser' [ 218] Using cached 'domain\winuser' SID mapping. [ 221] Successfully connected to ip 1x.xx.xx.xx, port 88 using TCP **[ 225] FAILURE: Could not get credentials via S4U2Self based on full Windows user name 'winuser@domain.local'. Access denied. [ 225] Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx'
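The SecD trace and the EMS secd.nfsAuth.noCifsCred message above carry the same failure chain: the UNIX user is mapped to a Windows user, SecD reaches the KDC on port 88, the S4U2Self request for the mapped UPN is refused, and the underlying Kerberos error is "Clients credentials have been revoked" (KDC_ERR_CLIENT_REVOKED, which a Windows KDC returns when the account is locked out, disabled, or expired). The following triage helper is an added example, not NetApp code: it parses either log format, extracts the mapping chain and the final error, and maps the Kerberos error text to the AD account attributes an administrator would check. The sample inputs are constructed from the trimmed excerpts on this page; the cause table is this example's own, and the field names it returns are assumptions of the example.

```python
"""Triage helper for ONTAP SecD 'Get user credentials procedure failed' traces.

Added example (not NetApp code). It reads either a SecD trace or the one-line
EMS secd.nfsAuth.noCifsCred message, extracts the identity-mapping chain
(UNIX user -> Windows user -> S4U2Self UPN) and the final error, and maps the
Kerberos error text to the AD account condition to check.
"""
import re
from typing import Optional

# Constructed samples, trimmed from the log excerpts on the page.
SAMPLE_SECD_TRACE = """\
[kern_secd:info:10210] Error: Get user credentials procedure failed
[kern_secd:info:10210] [ 1 ms] Determined UNIX id 8309 is UNIX user 'user1'
[kern_secd:info:10210] [ 218] UNIX user 'user1' mapped to Windows user 'domain\\winuser'
[kern_secd:info:10210] [ 221] Successfully connected to ip 1x.xx.xx.xx, port 88 using TCP
[kern_secd:info:10210] **[ 225] FAILURE: Could not get credentials via S4U2Self based on full Windows user name 'winuser@domain.local'. Access denied.
[kern_secd:info:10210] [ 225] Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx'
[kern_secd:info:10210] | [000.009.096] ERR : RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getUserCredViaS4U2Self() at src/utils/secd_krb_utils.cpp:762
[kern_secd:info:10210] | [000.009.105] ERR : getUserCredViaS4U2Self: GSSAPI Error: (d0000), Kerberos Error: (Clients credentials have been revoked)
"""

SAMPLE_EMS_LINE = (
    "[node1: secd: secd.nfsAuth.noCifsCred:error]: vserver (svm1) NFS authorization "
    "cannot retrieve CIFS credentials. Error: Get user credentials procedure failed "
    "[ 1 ms] Determined UNIX id 8309 is UNIX user 'user1' [ 218] UNIX user 'user1' "
    "mapped to Windows user 'domain\\winuser' [ 221] Successfully connected to ip "
    "1x.xx.xx.xx, port 88 using TCP **[ 225] FAILURE: Could not get credentials via "
    "S4U2Self based on full Windows user name 'winuser@domain.local'. Access denied."
)

# Kerberos error text -> what to check on the AD side (this example's own table).
KERBEROS_CAUSES = {
    "Clients credentials have been revoked": (
        "KDC_ERR_CLIENT_REVOKED: the mapped AD account is locked out, disabled, or "
        "expired; check lockoutTime, userAccountControl (ACCOUNTDISABLE) and accountExpires."
    ),
}


def _first(pattern: str, text: str) -> Optional[str]:
    """Return the first capture group of `pattern` in `text`, or None."""
    m = re.search(pattern, text)
    return m.group(1) if m else None


def triage(text: str) -> dict:
    """Extract the mapping chain and final error from a SecD trace or EMS line."""
    info = {
        "unix_uid": _first(r"Determined UNIX id (\d+) is UNIX user", text),
        "unix_user": _first(r"is UNIX user '([^']+)'", text),
        "windows_user": _first(r"mapped to Windows user '([^']+)'", text),
        "kdc": _first(r"Successfully connected to ip ([^,\s]+), port \d+", text),
        "upn": _first(r"full Windows user name '([^']+)'", text),
        "sid": _first(r"or SID '([^']+)'", text),
        "secd_error": _first(r"(RESULT_ERROR_[A-Z_]+):\d+", text),
        # Matches both "Kerberos Error: (text)" in the trace and the quoted
        # form "Kerberos Error: text" printed by diag secd authentication show-creds.
        "kerberos_error": _first(r"Kerberos Error: \(?([^()\"\n]+)", text),
    }
    code = _first(r"RESULT_ERROR_[A-Z_]+:(\d+)", text)
    info["secd_code"] = int(code) if code else None
    if info["kerberos_error"]:
        info["kerberos_error"] = info["kerberos_error"].strip()
    info["s4u2self_failed"] = "Could not get credentials via S4U2Self" in text
    return info


def likely_cause(info: dict) -> str:
    """Map the extracted error to the condition an administrator should verify."""
    kerb = info.get("kerberos_error")
    if kerb in KERBEROS_CAUSES:
        return KERBEROS_CAUSES[kerb]
    if info.get("s4u2self_failed"):
        # EMS lines carry the S4U2Self failure but not the Kerberos error text.
        return ("S4U2Self lookup for the mapped Windows user failed; check the account's "
                "state in AD and the full SecD trace for the Kerberos error code.")
    if info.get("windows_user") is None:
        return "No UNIX-to-Windows name mapping was applied; review 'vserver name-mapping show'."
    return "Unclassified SecD credential failure; inspect the full trace."


def summarize(text: str) -> str:
    """One-line summary: mapping chain followed by the likely cause."""
    info = triage(text)
    chain = " -> ".join(str(info[k]) for k in ("unix_user", "windows_user", "upn") if info[k])
    return f"{chain}: {likely_cause(info)}"


if __name__ == "__main__":
    print(summarize(SAMPLE_SECD_TRACE))
    print(summarize(SAMPLE_EMS_LINE))
```

Because the extraction uses whole-text searches, the same function handles the multi-line SecD trace and the EMS message that has been flattened onto one line; when only the EMS line is available the Kerberos error text is absent, so the helper falls back to pointing at the S4U2Self failure rather than guessing a cause.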
- Name mapping:
::> set adv
::*> vserver name-mapping show -vserver svm1
Vserver: svm1
Direction: unix-win
Position Hostname         IP Address/Mask
-------- ---------------- ----------------
1        -                -                Pattern:     user1
                                           Replacement: domain\\winuser