Access to an NTFS volume is denied because the AD account is locked out, disabled, or expired
Applies to
- ONTAP 9
- CIFS/SMB
- NFS
- Volumes with NTFS security style
Issue
- Clients cannot interact with files and folders
- For CIFS and NFS clients, the mount succeeds, but accessing files and folders on the NTFS volume fails with permission denied
- For volumes with NTFS security style, the mount itself fails on Linux clients with a permission denied error.
linux:/axx/axn# mount -t cifs //10.xx.xc.xc/qtree$ -o file_mode=0774,dir_mode=0775,credentials=/home/txc/.sambapassword.cifs,uid=49x,gid=49x,vers=1 /axx/axn -vvv
mount: fstab path: "/etc/fstab"
mount: mtab path: "/etc/mtab"
mount: lock path: "/etc/mtab~"
mount: temp path: "/etc/mtab.tmp"
[...]
mount.cifs kernel mount options: ip=10.xx.xc.xc,unc=\\10.xx.xc.xc\qtree$,file_mode=0774,dir_mode=0775,credentials=/home/txc/.sambapassword.cifs,vers=1,uid=49x,gid=49x,ver=1,user=sxxxcccd,pass=********
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
- A packet trace may show NFS4ERR_WRONGSEC or Error: STATUS_ACCOUNT_LOCKED_OUT
- The Active Directory user account is locked out
Example:
::> set advanced
::*> vserver services access-check authentication show-creds -node node-01 -vserver svm -unix-user-name <root>
Vserver: sbm1 (internal ID: 40)
Error: Get user credentials procedure failed
[ 0 ms] Determined UNIX id 0 is UNIX user 'root'
[ 0] UNIX user 'root' mapped to Windows user 'DOMAIN\root'
[ 0] Using cached 'DOMAIN\root' SID mapping.
[ 11] Successfully connected to ip 10.20.40.80, port 88 using TCP
**[ 16] FAILURE: Could not get credentials via S4U2Self based on
** full Windows user name 'root@DOMAIN.LOCAL'. A 'root' or SID
'S-2-8-21-338539323-9078145449-725348543-25819'
Error: command failed: Failed to get user credentials. Reason: "Kerberos Error: Clients credentials have been revoked".
- EMS
Example:
Mar 09 23:21:08 -0800 [node-01: secd: secd.cifsAuth.problem:error]: vserver (test) General CIFS authentication problem. Error: User authentication procedure failed (Retries: 2) CIFS SMB2 Share mapping - Client Ip = 10.100.XXX.XXX
[ 3001] Attempt 1 FAILURE: Unexpected state: Error 6776 at file:src/FrameWork/Socket.cpp func:ReceiveDataOnSocket line:1233
[ 6015] Attempt 2 FAILURE: Pass-through authentication request failed.
[6016 ms] Login attempt by domain user 'AD\user' it could be a client issue or a cache credential issue in the client.
- The SECD log shows ONTAP's attempt to retrieve the user's credentials failing
Example:
.------------------------------------------------------------------------------.
[kern_secd:info:10210] | RPC FAILURE: |
[kern_secd:info:10210] | secd_rpc_auth_get_creds has failed |
[kern_secd:info:10210] | Result = 0, RPC Result = 7519 |
[kern_secd:info:10210] | RPC received at Mon xxxxxxxxxxxxxxxx |
[kern_secd:info:10210] |------------------------------------------------------------------------------'
[kern_secd:info:10210] Failure Summary:
[kern_secd:info:10210] Error: Get user credentials procedure failed
[kern_secd:info:10210] [ 1 ms] Determined UNIX id 8309 is UNIX user 'user1'
[kern_secd:info:10210] [ 218] UNIX user 'user1' mapped to Windows user 'domain\winuser'
[kern_secd:info:10210] [ 218] Using cached 'domain\winuser' SID mapping.
[kern_secd:info:10210] [ 221] Successfully connected to ip 1x.xx.xx.xx, port 88 using TCP
[kern_secd:info:10210] **[ 225] FAILURE: Could not get credentials via S4U2Self based on full Windows user name 'winuser@domain.local'. Access denied.
[kern_secd:info:10210] [ 225] Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx'
...
[kern_secd:info:10210] | [000.009.096] ERR : RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getUserCredViaS4U2Self() at src/utils/secd_krb_utils.cpp:762
[kern_secd:info:10210] | [000.009.105] ERR : getUserCredViaS4U2Self: GSSAPI Error: (d0000), Kerberos Error: (Clients credentials have been revoked)
[kern_secd:info:10210] | [000.011.467] ERR : Could not get credentials via S4U2Self based on full Windows user name 'winuser@domain.domain.COM'. Access denied. { in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1211 }
[kern_secd:info:10210] | [000.011.475] ERR : RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1212
[kern_secd:info:10210] | [000.011.481] ERR : Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx' { in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1240 }
[kern_secd:info:10210] | [000.011.486] ERR : RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in secd_rpc_auth_get_creds_1_svc() at src/authorization/secd_rpc_authorization.cpp:1540
[kern_secd:info:10210] | [000.011.512] debug: SecD RPC Server sending reply to RPC 153: secd_rpc_auth_get_creds { in secdSendRpcResponse() at src/server/secd_rpc_server.cpp:2127 }
[kern_secd:info:10210] | [000.011.569] ERR : RESULT_ERROR_SECD_CIFS_CRED_LOOKUP_FAILED:6988 in getFailureCode() at src/utils/secd_thread_task_journal.cpp:34
- The client side reports the following error:
[LOGON] [15120] SamLogon: Network logon of (null)\user1 from (null) (via SVM) Returns 0xC0000234 User Name: user1 Vserver: SVM Cluster-Name: cluster01
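The SECD, EMS and client-side output above all point at the same root cause through different indicators: the SECD failure code RESULT_ERROR_KERBEROS_CLIENT_REVOKED (RPC result 7519), the Kerberos text "Clients credentials have been revoked", and the NTSTATUS value 0xC0000234 (STATUS_ACCOUNT_LOCKED_OUT) in the SamLogon line. As an added example, not part of the original article or of any NetApp tool, the following Python script walks a log once, remembers the last Windows user SECD mentioned (the error lines that follow do not name the user), flags those indicators, and groups the findings per user. The sample log lines are constructed from the output quoted above with placeholder addresses; the NTSTATUS names for locked-out, disabled and expired accounts are the standard Windows values.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# NTSTATUS values SamLogon returns for account-state problems (standard Windows codes).
NTSTATUS = {
    0xC0000234: ("STATUS_ACCOUNT_LOCKED_OUT", "account locked out"),
    0xC0000072: ("STATUS_ACCOUNT_DISABLED", "account disabled"),
    0xC0000193: ("STATUS_ACCOUNT_EXPIRED", "account expired"),
    0xC0000071: ("STATUS_PASSWORD_EXPIRED", "password expired"),
}

# Substrings that mark the KDC-side refusal in the SECD output quoted in the article.
REVOKED = "kerberos client credentials revoked (account locked, disabled or expired at the KDC)"
SECD_INDICATORS = (
    ("RESULT_ERROR_KERBEROS_CLIENT_REVOKED", REVOKED),
    ("Clients credentials have been revoked", REVOKED),
    ("RPC Result = 7519", REVOKED),
)

_USER_RE = re.compile(r"Windows user (?:name )?'(?P<user>[^']+)'")
_SAMLOGON_RE = re.compile(
    r"SamLogon: Network logon of (?:\S+?\\)?(?P<user>\S+) from .*?Returns (?P<code>0x[0-9A-Fa-f]{8})")
_MOUNT_RE = re.compile(r"mount error\((?P<errno>\d+)\)")


@dataclass
class Finding:
    source: str            # "secd", "samlogon" or "mount"
    user: Optional[str]    # None when the line carries no user and none was seen before it
    reason: str
    line: str


def normalize_user(name: str) -> str:
    """'DOMAIN\\user' or 'user@realm' -> 'user', so SECD and SamLogon spellings line up."""
    name = name.rsplit("\\", 1)[-1]
    return name.split("@", 1)[0]


def ntstatus_name(code: int) -> str:
    return NTSTATUS.get(code, (f"0x{code:08X}", ""))[0]


def classify_line(line: str, current_user: Optional[str]) -> Optional[Finding]:
    m = _SAMLOGON_RE.search(line)
    if m:
        code = int(m.group("code"), 16)
        name, why = NTSTATUS.get(code, (m.group("code"), "other logon failure"))
        return Finding("samlogon", normalize_user(m.group("user")), f"{name}: {why}", line)
    for needle, reason in SECD_INDICATORS:
        if needle in line:
            return Finding("secd", current_user, reason, line)
    m = _MOUNT_RE.search(line)
    if m and m.group("errno") == "13":
        return Finding("mount", None, "EACCES from mount.cifs (client symptom; the cause is in SECD)", line)
    return None


def scan(lines: Iterable[str]) -> list:
    """Single pass: track the last Windows user SECD named, attribute later errors to it."""
    current_user = None
    findings = []
    for line in lines:
        u = _USER_RE.search(line)
        if u:
            current_user = normalize_user(u.group("user"))
        f = classify_line(line, current_user)
        if f:
            findings.append(f)
    return findings


def summarize(findings) -> dict:
    """Map user -> sorted unique reasons; findings without a user go under '<unknown>'."""
    out = {}
    for f in findings:
        out.setdefault(f.user or "<unknown>", set()).add(f.reason)
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample, modelled on the SECD, SamLogon and mount.cifs output quoted above.
SAMPLE_LOG = [
    "[kern_secd:info:10210] [ 218] UNIX user 'user1' mapped to Windows user 'domain\\winuser'",
    "[kern_secd:info:10210] [ 221] Successfully connected to ip 10.0.0.5, port 88 using TCP",
    "[kern_secd:info:10210] **[ 225] FAILURE: Could not get credentials via S4U2Self based on full Windows user name 'winuser@domain.local'. Access denied.",
    "[kern_secd:info:10210] | [000.009.096] ERR : RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getUserCredViaS4U2Self() at src/utils/secd_krb_utils.cpp:762",
    "[kern_secd:info:10210] | [000.009.105] ERR : getUserCredViaS4U2Self: GSSAPI Error: (d0000), Kerberos Error: (Clients credentials have been revoked)",
    "[LOGON] [15120] SamLogon: Network logon of (null)\\user1 from (null) (via SVM) Returns 0xC0000234 User Name: user1 Vserver: SVM Cluster-Name: cluster01",
    "mount error(13): Permission denied",
]

if __name__ == "__main__":
    for user, reasons in summarize(scan(SAMPLE_LOG)).items():
        print(f"{user}: {'; '.join(reasons)}")
```

The script only reports; the fix is on the directory side (unlock or re-enable the account, or renew an expired one), after which the S4U2Self lookup in SECD succeeds again. When the SamLogon code is something other than the four listed, the raw NTSTATUS value is kept so it can be looked up rather than silently dropped.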