跳转到主内容

由于配置问题描述、基于AD的LDAP服务器无法解析少数UNIX用户

Views:
1
Visibility:
Public
Votes:
0
Category:
ontap-9
Specialty:
nas<a>2010006807</a>
Last Updated:

适用场景

  • ONTAP 9
  • AD-LDAP
  • NFS

问题描述

  • 使用多协议访问(从NFS客户端访问NTFS卷)
  • LDAP在ns-switch中配置为passwd源:
::>vserver services name-service ns-switch show -vserver svm1
                Source
Vserver     Database    Order
--------------- ------------  ---------
svm1      hosts      files,
                dns
svm1      group      ldap,
                files
svm1      passwd     ldap,
                files
svm1      netgroup    files
svm1      namemap     files
5 entries were displayed.
  • 名称映射对某些用户不起作用、而对其他用户则正常工作:
::*> diag secd authentication show-creds -node node1 -vserver svm1 -unix-user-name user1
Vserver: svm1 (internal ID: 5)
Error: Acquire UNIX credentials procedure failed
  [ 17 ms] Entry for user-name: user1 not found in the current
      source: FILES. Ignoring and trying next available source
  [   67] Using a cached connection to AD-LDAP-server.domain.com
**[  1626] FAILURE: User 'user1' not found in UNIX authorization
**     source LDAP.
  [  1626] Failed to get user info for name 'user1'
  [  1626] Entry for user-name: user1 not found in the current
      source: LDAP. Entry for user-name: user1 not found in
      any of the available sources
  [  1649] Unable to retrieve UID for UNIX user user1
Error: command failed: Failed to resolve user name to a UNIX ID. Reason: "SecD Error: object not found".
  • 在LDAP中未找到UNIX用户:
::*>vserver services name-service getxxbyyy getpwbyname -vserver svm1 -username user1 -use-cache false -show-source true
Error: command failed: Failed to resolve user1. Reason: Entry not found for "username: user1".
  • 名称映射显示正确:

::*> diag secd name-mapping show -node node1 -vserver svm1 -direction unix-win -name user1
'user1' maps to 'domain\user1'

  • 在secd日志中、我们确认LDAP服务器在3秒后不响应查询和ONTAP超时:

0000001e.001f4944 00ae3758 Thu Apr 18 2024 10:20:12 +00:00 [kern_secd:info:10675] | [000.113.514]  debug:  Connected to new LDAP (NIS & Name Mapping) service on AD-LDAP-server.domain.com  { in makeConnectionAttempt() at src/connection_manager/secd_connection_manager.cpp:1035 }
0000001e.001f4945 00ae3758 Thu Apr 18 2024 10:20:12 +00:00 [kern_secd:info:10675] | [000.114.245]  debug:  Searching LDAP for the "uid, uidNumber, gidNumber, unixUserPassword, name, unixHomeDirectory, loginShell" attribute(s) within base "DC=domain,DC=com" (scope: 2) using filter: (&(objectClass=User)(uid=user1))  { in searchLdap() at src/utils/secd_ldap_utils.cpp:323 }
0000001e.001f4946 00ae3758 Thu Apr 18 2024 10:20:12 +00:00 [kern_secd:info:10675] | [003.138.486]  info :  LDAP search for the "uid, uidNumber, gidNumber, unixUserPassword, name, unixHomeDirectory, loginShell" attribute(s) within base "DC=domain,DC=com" (scope: 2) using filter "(&(objectClass=User)(uid=user1))" failed with error: Timed out { in searchLdap() at src/utils/secd_ldap_utils.cpp:405 }
0000001e.001f4947 00ae3758 Thu Apr 18 2024 10:20:12 +00:00 [kern_secd:info:10675] | [003.138.516]  ERR  :  RESULT_ERROR_LDAPSERVER_TIMEOUT:7646 in searchLdap() at src/utils/secd_ldap_utils.cpp:411
0000001e.001f4948 00ae3758 Thu Apr 18 2024 10:20:12 +00:00 [kern_secd:info:10675] | [003.138.537]  ERR  :  searchLdap: LDAP Error: (-5): 'Timed out':

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.