AD-based LDAP server cannot resolve a few UNIX users due to a configuration issue
Applies to
- ONTAP 9
- AD-LDAP
- NFS
Issue
- Multiprotocol access is in use (an NTFS security-style volume accessed from an NFS client)
- LDAP is configured as the passwd source in ns-switch:
::>vserver services name-service ns-switch show -vserver svm1
                             Source
Vserver         Database     Order
--------------- ------------ ---------
svm1            hosts        files,
                             dns
svm1            group        ldap,
                             files
svm1            passwd       ldap,
                             files
svm1            netgroup     files
svm1            namemap      files
5 entries were displayed.
- Name mapping fails for some users but works for others:
::*> diag secd authentication show-creds -node node1 -vserver svm1 -unix-user-name user1
Vserver: svm1 (internal ID: 5)
Error: Acquire UNIX credentials procedure failed
[ 17 ms] Entry for user-name: user1 not found in the current
source: FILES. Ignoring and trying next available source
[ 67] Using a cached connection to AD-LDAP-server.domain.com
**[ 1626] FAILURE: User 'user1' not found in UNIX authorization
** source LDAP.
[ 1626] Failed to get user info for name 'user1'
[ 1626] Entry for user-name: user1 not found in the current
source: LDAP. Entry for user-name: user1 not found in
any of the available sources
[ 1649] Unable to retrieve UID for UNIX user user1
Error: command failed: Failed to resolve user name to a UNIX ID. Reason: "SecD Error: object not found".
- The UNIX user is not found in LDAP:
::*>vserver services name-service getxxbyyy getpwbyname -vserver svm1 -username user1 -use-cache false -show-source true
Error: command failed: Failed to resolve user1. Reason: Entry not found for "username: user1".
- The name mapping itself is shown correctly:
::*> diag secd name-mapping show -node node1 -vserver svm1 -direction unix-win -name user1
'user1' maps to 'domain\user1'
- In the secd log we confirm that the LDAP server does not answer the query and ONTAP times out after 3 seconds:
0000001e.001f4944 00ae3758 Thu Apr 18 2024 10:20:12 +00:00 [kern_secd:info:10675] | [000.113.514] debug: Connected to new LDAP (NIS & Name Mapping) service on AD-LDAP-server.domain.com { in makeConnectionAttempt() at src/connection_manager/secd_connection_manager.cpp:1035 }
0000001e.001f4945 00ae3758 Thu Apr 18 2024 10:20:12 +00:00 [kern_secd:info:10675] | [000.114.245] debug: Searching LDAP for the "uid, uidNumber, gidNumber, unixUserPassword, name, unixHomeDirectory, loginShell" attribute(s) within base "DC=domain,DC=com" (scope: 2) using filter: (&(objectClass=User)(uid=user1)) { in searchLdap() at src/utils/secd_ldap_utils.cpp:323 }
0000001e.001f4946 00ae3758 Thu Apr 18 2024 10:20:12 +00:00 [kern_secd:info:10675] | [003.138.486] info : LDAP search for the "uid, uidNumber, gidNumber, unixUserPassword, name, unixHomeDirectory, loginShell" attribute(s) within base "DC=domain,DC=com" (scope: 2) using filter "(&(objectClass=User)(uid=user1))" failed with error: Timed out { in searchLdap() at src/utils/secd_ldap_utils.cpp:405 }
0000001e.001f4947 00ae3758 Thu Apr 18 2024 10:20:12 +00:00 [kern_secd:info:10675] | [003.138.516] ERR : RESULT_ERROR_LDAPSERVER_TIMEOUT:7646 in searchLdap() at src/utils/secd_ldap_utils.cpp:411
0000001e.001f4948 00ae3758 Thu Apr 18 2024 10:20:12 +00:00 [kern_secd:info:10675] | [003.138.537] ERR : searchLdap: LDAP Error: (-5): 'Timed out':
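The secd lines above can be checked mechanically rather than by eye. The following Python script is an added example, not part of the article or of ONTAP: it parses that secd log format, reads the per-request elapsed time in the second bracket, remembers the LDAP server named in the last "Connected to" line, and reports every LDAP search that failed with "Timed out", flagging it as slow when the elapsed time reaches an assumed 3-second threshold. The four sample lines are the ones quoted above.

```python
import re

# Constructed sample: the four secd lines quoted in the article, same format.
SAMPLE_LOG = [
    '0000001e.001f4944 00ae3758 Thu Apr 18 2024 10:20:12 +00:00 [kern_secd:info:10675] | [000.113.514] debug: Connected to new LDAP (NIS & Name Mapping) service on AD-LDAP-server.domain.com { in makeConnectionAttempt() at src/connection_manager/secd_connection_manager.cpp:1035 }',
    '0000001e.001f4945 00ae3758 Thu Apr 18 2024 10:20:12 +00:00 [kern_secd:info:10675] | [000.114.245] debug: Searching LDAP for the "uid, uidNumber, gidNumber, unixUserPassword, name, unixHomeDirectory, loginShell" attribute(s) within base "DC=domain,DC=com" (scope: 2) using filter: (&(objectClass=User)(uid=user1)) { in searchLdap() at src/utils/secd_ldap_utils.cpp:323 }',
    '0000001e.001f4946 00ae3758 Thu Apr 18 2024 10:20:12 +00:00 [kern_secd:info:10675] | [003.138.486] info : LDAP search for the "uid, uidNumber, gidNumber, unixUserPassword, name, unixHomeDirectory, loginShell" attribute(s) within base "DC=domain,DC=com" (scope: 2) using filter "(&(objectClass=User)(uid=user1))" failed with error: Timed out { in searchLdap() at src/utils/secd_ldap_utils.cpp:405 }',
    '0000001e.001f4947 00ae3758 Thu Apr 18 2024 10:20:12 +00:00 [kern_secd:info:10675] | [003.138.516] ERR : RESULT_ERROR_LDAPSERVER_TIMEOUT:7646 in searchLdap() at src/utils/secd_ldap_utils.cpp:411',
]

# seq thread timestamp [kern_secd:level:pid] | [sss.mmm.uuu] severity: message
LINE_RE = re.compile(
    r'^\S+ \S+ (?P<ts>.+?) \[kern_secd:\w+:\d+\] \| '
    r'\[(?P<s>\d{3})\.(?P<ms>\d{3})\.(?P<us>\d{3})\] (?P<sev>\w+)\s*: (?P<msg>.*)$')
SERVER_RE = re.compile(r'service on (?P<host>\S+)')
FAILED_SEARCH_RE = re.compile(
    r'using filter "?(?P<filter>\([^"]*\))"? failed with error: (?P<err>[^{]+?)\s*\{')
UID_RE = re.compile(r'\(uid=(?P<uid>[^)]+)\)')

def parse_secd_line(line):
    """Return the fields of one secd line, or None if the line is not in secd format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # The second bracket is the time spent inside the request: seconds.millis.micros.
    elapsed = int(m['s']) + int(m['ms']) / 1000 + int(m['us']) / 1_000_000
    return {'ts': m['ts'], 'elapsed': elapsed, 'sev': m['sev'], 'msg': m['msg']}

def find_ldap_timeouts(lines, threshold_s=3.0):
    """List every LDAP search that failed with 'Timed out', with server, uid and elapsed time."""
    server = None
    findings = []
    for line in lines:
        rec = parse_secd_line(line)
        if rec is None:
            continue
        sm = SERVER_RE.search(rec['msg'])
        if sm:
            server = sm['host']           # most recent LDAP server secd connected to
        fm = FAILED_SEARCH_RE.search(rec['msg'])
        if fm and 'Timed out' in fm['err']:
            um = UID_RE.search(fm['filter'])
            findings.append({'ts': rec['ts'], 'server': server,
                             'uid': um['uid'] if um else None,
                             'elapsed_s': round(rec['elapsed'], 3),
                             'slow': rec['elapsed'] >= threshold_s})
    return findings

if __name__ == '__main__':
    for f in find_ldap_timeouts(SAMPLE_LOG):
        print(f)
```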