CIFS shares are inaccessible when the Vserver uses an incorrect LIF to connect to name servers (DNS/DC/LDAP)
Applies to
ONTAP 9.2-9.10
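Issue
- After an ONTAP upgrade or a LIF migration, CIFS shares cannot be accessed by IP address from Windows clients, and the DNS check on the Vserver also fails.
- The SVM has multiple LIFs (each on a different network), and the default routes configured for both LIFs have the same metric.
- Of the multiple LIFs in the SVM, only one is allowed to communicate with the DNS/LDAP/DC servers on the network.
- The event log shows failed connections to DNS and LDAP with the error "Operation timed out".
- CIFS authentication fails because the storage system cannot contact DNS to discover a domain controller to authenticate the user.
- Logs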
7/11/2022 10:20:26 node-02 ERROR secd.cifsAuth.problem: vserver (vserver1) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB1 Share mapping - Client Ip = 10.1.10.x
[ 0 ms] Login attempt by domain user 'Domain/user1' using NTLMv2 style security
[ 2003] TCP connection to ip 10.1.2.x, port 389 failed: Operation timed out.
[ 2003] LDAP search for the "dnsHostName" attribute(s) within base "" (scope: 0) using filter "(objectClass=*)" failed with error: Can't contact LDAP server
[ 4004] TCP connection to ip 10.1.2.x, port 389 failed: Operation timed out.
[ 4004] LDAP search for the "dnsHostName" attribute(s) within base "" (scope: 0) using filter "(objectClass=*)" failed with error: Can't contact LDAP server
[ 6005] TCP connection to ip 10.1.2.x, port 389 failed: Operation timed out.
[ 6005] LDAP search for the "dnsHostName" attribute(s) within base "" (scope: 0) using filter "(objectClass=*)" failed with error: Can't contact LDAP server
[ 8009] Failed to connect to 10.1.2.x for DNS via Source Address 10.1.1.x: Operation timed out
[ 9010] Failed to connect to 10.1.2.x for DNS via Source Address 10.1.1.x: Operation timed out
**[ 9012] FAILURE: Unable to contact DNS to discover domain controllers.
[ 9013] Unable to make a connection (NetLogon:DOMAIN.COM), result: 6812
[ 9015] CIFS authentication failed
[ 9015] Retry requested, but the retry window (7000 ms) has expired; giving up.
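
The pattern in the trace above (repeated timeouts to one name server, with the DNS lines naming the source address used) can be pulled out mechanically. The following is an added example, not NetApp code: it parses the trace lines shown on this page and reports the failed name-service connections and the source address to check. The function names `summarize_trace` and `source_addresses` are hypothetical.

```python
import re
from collections import Counter

# Lines copied from the trace above; addresses are masked with "x" on the page.
TRACE = """\
[ 0 ms] Login attempt by domain user 'Domain/user1' using NTLMv2 style security
[ 2003] TCP connection to ip 10.1.2.x, port 389 failed: Operation timed out.
[ 4004] TCP connection to ip 10.1.2.x, port 389 failed: Operation timed out.
[ 6005] TCP connection to ip 10.1.2.x, port 389 failed: Operation timed out.
[ 8009] Failed to connect to 10.1.2.x for DNS via Source Address 10.1.1.x: Operation timed out
[ 9010] Failed to connect to 10.1.2.x for DNS via Source Address 10.1.1.x: Operation timed out
**[ 9012] FAILURE: Unable to contact DNS to discover domain controllers.
[ 9015] CIFS authentication failed
"""

STEP = re.compile(r"^(\*\*)?\[\s*(\d+)(?:\s*ms)?\]\s*(.*)$")
TCP_FAIL = re.compile(r"TCP connection to ip ([^,\s]+), port (\d+) failed: (.+?)\.?$")
DNS_FAIL = re.compile(r"Failed to connect to (\S+) for DNS via Source Address (\S+): (.+)$")
PORTS = {"53": "DNS", "389": "LDAP"}  # well-known ports seen in name-service lookups

def summarize_trace(text):
    """Count failed name-service connections and return the first '**' failure step."""
    failures = Counter()   # (service, server, source address or None) -> count
    first_failure = None   # (elapsed ms, message) of the first line flagged with '**'
    for raw in text.splitlines():
        m = STEP.match(raw.strip())
        if not m:
            continue       # header lines such as the EMS event or "Client Ip" line
        flagged, ms, msg = m.group(1), int(m.group(2)), m.group(3)
        if (t := TCP_FAIL.search(msg)):
            service = PORTS.get(t.group(2), "tcp/" + t.group(2))
            failures[(service, t.group(1), None)] += 1
        elif (d := DNS_FAIL.search(msg)):
            failures[("DNS", d.group(1), d.group(2))] += 1
        if flagged and first_failure is None:
            first_failure = (ms, msg)
    return failures, first_failure

def source_addresses(failures):
    """Source addresses the trace names for failed connections (LIF candidates to check)."""
    return sorted({src for (_, _, src) in failures if src})

if __name__ == "__main__":
    failures, first_failure = summarize_trace(TRACE)
    for (service, server, src), n in failures.items():
        print(f"{service} to {server} from {src or 'unreported source'}: {n} failures")
    print("first failure step:", first_failure)
    print("check routing and reachability for:", source_addresses(failures))
```

The source address it reports is the one to match against the SVM's LIFs when checking which interface the name-service traffic actually left from.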