当 DC 启用 SMB3 加密时，SVM 无法连接到 DC

最后更新
另存为PDF

Views:: 86

Visibility:: Public

Votes:: 0

Category:: ontap-9

Specialty:: nas

Last Updated:

适用于

ONTAP 9

问题描述

当 DC 启用 SMB3 加密时，SVM 无法连接到 DC。
CIFS 共享创建也可能失败：

The Active Directory machine account wasn't created for the following reason: SecD error: no server is available or the specified organizational unit wasn't found

DC 状态显示为"不可用"

::*> vserver cifs domain discovered-servers show

Node: CDOT-01

Vserver: test

Domain Name Type Preference DC-Name DC-Address Status

--------------- -------- ---------- --------------- --------------- ---------

naslab.local KERBEROS favored rodc 10.216.41.192 undetermined

naslab.local KERBEROS preferred win-aesid9bf636 10.216.41.191 undetermined

naslab.local KERBEROS preferred win-m2fcklun4l2 10.216.41.190 undetermined

naslab.local MS-LDAP favored RODC 10.216.41.192 undetermined

naslab.local MS-LDAP preferred win-aesid9bf636 10.216.41.191 undetermined

naslab.local MS-LDAP preferred win-m2fcklun4l2 10.216.41.190 undetermined

naslab.local MS-DC favored rodc 10.216.41.192 undetermined

naslab.local MS-DC preferred win-aesid9bf636 10.216.41.191 OK

naslab.local MS-DC preferred win-m2fcklun4l2 10.216.41.190 unavailable <<<<<<<<<< SVM fails to connect.

启用 SECD 跟踪后，SECD 日志显示 DC 无法处理来自 SVM 的会话建立请求，错误信息为"Access denied"（NT 错误 0xc0000022）

[kern_secd:info:8039] | [001.556.907]  info :  Successfully connected to ip 10.216.41.190, port 445 using TCP { in _connect() at src/connection_manager/secd_connection_shim.cpp:317 }
 [kern_secd:info:8039] | [001.558.049]  debug:  NEGOTIATE RESPONSE: DC selected SMB2/3 dialect 0x210  { in Smb2ParseNegotiateResponse() at src/Smb2/Smb2Negotiate.cpp:211 }
 [kern_secd:info:8039] | [001.558.055]  debug:  SIGNING: DC REQUIRES signing  { in Smb2ParseNegotiateResponse() at src/Smb2/Smb2Negotiate.cpp:216 }
 [kern_secd:info:8039] | [001.560.847]  info :  [krb5 context 10EEC600] Creating authenticator for TEST123$@NASLAB.LOCAL -> cifs/win-m2fcklun4l2.naslab.local@, seqnum 62567361, subkey aes256-cts/3FC8, session key aes256-cts/32F1
 [kern_secd:info:8039] | [001.565.821]  ERR  :  Encountered NT error (NT_STATUS_ACCESS_DENIED) for SMB command SessionSetup  { in LogNtStatusCode() at src/Commands/Commands.cpp:448 }
 [kern_secd:info:8039] | [001.565.834]  ERR  :  SMB2 response has NT error 0xc0000022  { in ParseSmb2HeaderResponse() at src/Smb2/Smb2Utils.cpp:313 }
 [kern_secd:info:8039] | [001.565.847]  ERR  :  RESULT_ERROR_GENERAL_FAILURE:3 in Smb2ParseSessionSetupResponse() at src/Smb2/Smb2SessionSetup.cpp:184
 [kern_secd:info:8039] | [001.565.854]  ERR  :  RESULT_ERROR_GENERAL_FAILURE:3 in Smb2SessionSetup() at src/Smb2/Smb2SessionSetup.cpp:275
 [kern_secd:info:8039] | [001.565.861]  ERR  :  RESULT_ERROR_GENERAL_FAILURE:3 in LogOnUserExtBody() at src/Actions/ActionsONTAP.cpp:2468
 [kern_secd:info:8039] | [001.567.323]  ERR  :  RESULT_ERROR_SECD_NO_CONNECTIONS_AVAILABLE:6942 in connectToDomainController() at src/connection_manager/secd_connection.cpp:246
 [kern_secd:info:8039] | [001.567.333]  debug:  Connected but failed to authenticate with DC win-m2fcklun4l2.naslab.local  { in connectToDomainController() at src/connection_manager/secd_connection.cpp:262 }

DC 已启用 SMB3 加密

PS C:\Users\Administrator.NASLAB> Get-SmbServerConfiguration |findstr "EncryptData"
 EncryptData            : True