跳转到主内容

如何对 Windows Active Directory 中的 LDAP 问题进行故障排除

Views:
73
Visibility:
Public
Votes:
0
Category:
ontap-9
Specialty:
nas
Last Updated:

执行

执行

适用场景

  • ONTAP 9

问题描述

有关Active Directory LDAP 和集群模式Data ONTAP的更多详细和最新信息,请参见 TR-4073:《 安全统一身份验证》。

在集群模式下使用LDAP时、secd会利用mhost进程""。此过程负责用户身份验证(名称映射)。名称映射中出现的问题会记录到 /mroot/etc/mlog 文件中的secd日志中。

默认情况下、除非指定、否则名称映射失败不会记录在secd日志

::*> diag secd trace set -node node-01 -module-names name-mapping -trace-all YES
Trace spec set successfully.

::*> diag secd trace show -node node-01
Trace Spec
---------------------------------------
TraceAll:                     Tracing all RPCs
Modules:                      NameMapping


中:此行为在Data ONTAP 7-模式中相同、其中 options cifs.trace_login 必须启用才能查看日志中的跟踪匹配失败。

如果名称映射失败、则会显示以下内容:

Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] |------------------------------------------------------------------------------
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] |                                 TRACE MATCH                                  |
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] |   RPC secd_rpc_map_name succeeded and is being dumped because of a tracing   |
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] |                                  match on:                                   |
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] |                                     All                                      |
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] |                   RPC recevied at Thu Sep 15 16:55:38 2011                   |
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] |------------------------------------------------------------------------------'
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.032]  debug:  SecD RPC Server received RPC from MGMT.  RPC 351: secd_rpc_map_name  { in secd_prog_1() at server/secd_rpc_server.cpp:806 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.103]  debug:  Setting thread context. VServerId = 6, Protocol = NONE, lifId = 0  { in setThreadContext() at utils/secd_thread_data_manager.cpp:172 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.121]  debug:  secd_rpc_map_name_1_svc called with vserverid = 6  { in secd_rpc_map_name_1_svc() at name_mapping/secd_rpc_map_name.cpp:50 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.168]  debug:  Attempting to map name ldap using the cluster mapping store  { in getAppropriateWindowsToUnixMapping() at name_mapping/secd_name_mapping.cpp:385 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.207]  debug:  IDS_FROM_USER_NAME ldapInfoType requested.
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402]   { in getLdapInfoFromName() at authorization/secd_ldap_unix_authorization.cpp:552 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.239]  debug:  Looking for LDAP (NIS & Name Mapping) cache (key: "") in vserver 6  { in getConnectionCache() at connection_manager/secd_connection_cache.cpp:450 } 000000ad.0000150a 001db95a Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.255]  debug:  Looking for a connection to LDAP (NIS & Name Mapping)  { in getConnection() at connection_manager/secd_connection_manager.cpp:547 } 000000ad.0000150b 001db95a Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.268]  debug:  Acquiring a new LDAP (NIS & Name Mapping) connection; favoring cache  { in getBestConnection() at connection_manager/secd_connection_manager.cpp:716 } Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.282]  debug:  Did not find an available connection in the cache  { in getBestCachedConnection() at connection_manager/secd_connection_cache.cpp:224 } 000000ad.0000150d 001db95a Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.304]  debug:  Reserving a new LDAP (NIS & Name Mapping) server from discovery  { in getBestConnection() at connection_manager/secd_connection_manager.cpp:728 } 000000ad.0000150e 001db95a Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.324]  debug:  Created service key: 00000006..LDAP_NIS_AND_NAME_MAPPING  { in makeServiceKey() at server_discovery/secd_service_list.cpp:150 } Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.356]  debug:  Discovery returned 10.61.70.5 (10.61.70.5)  { in getBestConnection() at connection_manager/secd_connection_manager.cpp:743 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.377]  debug:  Connecting to LDAP (NIS & Name Mapping) server 10.61.70.5  { in addStartConnectionJournal() at connection_manager/secd_connection_manager.cpp:462 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.002.652]  debug:  Successfully authenticated over LDAP with 10.61.70.5  { in connect<LdapConnectionState>() at connection_manager/secd_connection.cpp:971 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.002.688]  debug:  Connected to new LDAP (NIS & Name Mapping) service on 10.61.70.5  { in makeConnectionAttempt() at connection_manager/secd_connection_manager.cpp:846 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.002.929]  debug:  Searching LDAP for the "uidNumber, gidNumber" attribute(s) within base "CN=users,DC=domain,DC=com" (scope: -1) using filter: (&(objectClass=User)(sAMAccountName=ldap))  { in searchLdap() at utils/secd_ldap_utils.cpp:200 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.352]  ERR  :  1057 in searchLdap() at utils/secd_ldap_utils.cpp:215
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.386]  ERR  :  searchLdap: LDAP Error: (80): 'Internal (implementation specific) error':
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.399]  ERR  :  1057 in getLdapInfoFromName() at authorization/secd_ldap_unix_authorization.cpp:652
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.465]  debug:  Closing service handle; reporting status 1  { in ~SecdConnection() at ../bedrock/obj/x86_64/secd/../../../export/common/headers/include/secd/secd_connection.h:106 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.488]  ERR  :  1057 in getIdsFromUserName() at authorization/secd_ldap_unix_authorization.cpp:139
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.505]  warn :  Failed to get an ID for name ldap using UNIX authorization source LDAP, Error: 1057; ignoring; will try next source  { in handleNameAuthResult() at authorization/secd_unix_authorization.cpp:68 } 000000ad.0000151a 001db95a Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.575]  debug:  SecD RPC Server sending reply to RPC 351: secd_rpc_map_name  { in secdSendRpcResponse() at server/secd_rpc_server.cpp:1093 }


名称映射跟踪传达以下信息:

  • LDAP名称映射失败以及正在尝试的用户
  • 用于映射用户的LDAP
  • 用于搜索的基础DN
  • 失败期间请求的属性
  • 使用的筛选器
  • 已联系LDAP服务器、并且连接是否正确
  • LDAP连接是否已缓存
  • 请求的Vserver ID

 

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.