跳转到主内容

在 DC 上启用 SMB 3 加密时、 SVM 无法连接到 DC

Views:
33
Visibility:
Public
Votes:
0
Category:
ontap-9
Specialty:
cifs
Last Updated:

适用于

  ONTAP 9

问题

  • 在 DC 上启用 SMB 3 加密时、 SVM 无法连接到 DC 。 
  • DC 的状态显示“不可用”  
::*> vserver cifs domain discovered-servers show
Node: CDOT-01
Vserver: test
 
Domain Name   Type   Preference DC-Name     DC-Address    Status
--------------- -------- ---------- --------------- --------------- ---------
naslab.local   KERBEROS favored   rodc       10.216.41.192  undetermined
naslab.local   KERBEROS preferred  win-aesid9bf636 10.216.41.191  undetermined
naslab.local   KERBEROS preferred  win-m2fcklun4l2 10.216.41.190  undetermined
naslab.local   MS-LDAP  favored   RODC       10.216.41.192  undetermined
naslab.local   MS-LDAP  preferred  win-aesid9bf636 10.216.41.191  undetermined
naslab.local   MS-LDAP  preferred  win-m2fcklun4l2 10.216.41.190  undetermined
naslab.local   MS-DC   favored   rodc       10.216.41.192  undetermined
naslab.local   MS-DC   preferred  win-aesid9bf636 10.216.41.191  OK
naslab.local   MS-DC   preferred win-m2fcklun4l2 10.216.41.190  unavailable  <<<<<<<<<< SVM fails to connect.
 
  • 如果启用了 Secd 跟踪功能、 Secd 日志显示 DC 未能通过 SVM 的会话设置请求、并且“访问被拒绝”( NT 错误 0xC0000022 )
[kern_secd:info:8039] | [001.556.907]  info :  Successfully connected to ip 10.216.41.190, port 445 using TCP { in _connect() at src/connection_manager/secd_connection_shim.cpp:317 }
[kern_secd:info:8039] | [001.558.049]  debug:  NEGOTIATE RESPONSE: DC selected SMB2/3 dialect 0x210  { in Smb2ParseNegotiateResponse() at src/Smb2/Smb2Negotiate.cpp:211 }
[kern_secd:info:8039] | [001.558.055]  debug:  SIGNING: DC REQUIRES signing  { in Smb2ParseNegotiateResponse() at src/Smb2/Smb2Negotiate.cpp:216 }
[kern_secd:info:8039] | [001.560.847]  info :  [krb5 context 10EEC600] Creating authenticator for TEST123$@NASLAB.LOCAL -> cifs/win-m2fcklun4l2.naslab.local@, seqnum 62567361, subkey aes256-cts/3FC8, session key aes256-cts/32F1
[kern_secd:info:8039] | [001.565.821]  ERR  :  Encountered NT error (NT_STATUS_ACCESS_DENIED) for SMB command SessionSetup  { in LogNtStatusCode() at src/Commands/Commands.cpp:448 }
[kern_secd:info:8039] | [001.565.834]  ERR  :  SMB2 response has NT error 0xc0000022  { in ParseSmb2HeaderResponse() at src/Smb2/Smb2Utils.cpp:313 }
[kern_secd:info:8039] | [001.565.847]  ERR  :  RESULT_ERROR_GENERAL_FAILURE:3 in Smb2ParseSessionSetupResponse() at src/Smb2/Smb2SessionSetup.cpp:184
[kern_secd:info:8039] | [001.565.854]  ERR  :  RESULT_ERROR_GENERAL_FAILURE:3 in Smb2SessionSetup() at src/Smb2/Smb2SessionSetup.cpp:275
[kern_secd:info:8039] | [001.565.861]  ERR  :  RESULT_ERROR_GENERAL_FAILURE:3 in LogOnUserExtBody() at src/Actions/ActionsONTAP.cpp:2468
[kern_secd:info:8039] | [001.567.323]  ERR  :  RESULT_ERROR_SECD_NO_CONNECTIONS_AVAILABLE:6942 in connectToDomainController() at src/connection_manager/secd_connection.cpp:246
[kern_secd:info:8039] | [001.567.333]  debug:  Connected but failed to authenticate with DC win-m2fcklun4l2.naslab.local  { in connectToDomainController() at src/connection_manager/secd_connection.cpp:262 }
 
  • DC 已启用 SMB 3 加密
PS C:\Users\Administrator.NASLAB> Get-SmbServerConfiguration |findstr "EncryptData"
EncryptData            : True

 

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.