Domain users cannot log in to the cluster using the domain tunnel

Category: ontap-9
Specialty: nas

Applies to

  • ONTAP 9
  • Domain tunnel
  • Kerberos
  • NTLM
  • Active Directory (AD)

Issue

  • EMS log: Failed to authenticate login attempt to Vserver
[?]  Sun Jan 21 19:47:13 -0700 [slc-prod-cluster2-01: mgwd: useradmin.added.deleted:info]: The user 'CORP\domain_account' has been deleted.
[?]  Sun Jan 21 19:47:58 -0700 [slc-prod-cluster2-01: mgwd: useradmin.added.deleted:info]: The user 'corp\domain_account' has been added.
[?]  Sun Jan 21 19:49:46 -0700 [slc-prod-cluster2-01: mgwd: security.invalid.login:alert]: Failed to authenticate login attempt to Vserver: slc-prod-cluster2, username: pii_encrypt/uK42fNcKIUsl+DKhHvT3Njwg+PLkEO0XU6BJiVqvRAziA2VSN4OfEysfBlitRjlb/pii_encrypt, application: ssh.
[?]  Sun Jan 21 19:49:50 -0700 [slc-prod-cluster2-01: sshd: sshd.auth.loginDenied:notice]: params: {'message': 'Failed keyboard-interactive / pam for CORP\\domain_account from IP port 51416 ssh2  '}
  • Mgwd log: the DC rejected authentication with 0xC0000070 (STATUS_INVALID_WORKSTATION)
00000008.006bf6c5 024f5a46 Sun Jan 21 2024 19:49:46 -07:00 [kern_mgwd:info:3156] 0x820b91300: 0: ERR: PAM::DOMAIN: src/pam/pam_domain_auth.cc : pam_sm_authenticate : pam_domain_auth: Authentication rejected for user CORP\domain_account. DC Returned 0xc0000070
00000008.006bf6c7 024f5a46 Sun Jan 21 2024 19:49:46 -07:00 [kern_mgwd:info:3156] 0x820b91300: 0: ERR: PAM::DOMAIN: pam_sm_authenticate : Found PAM failed
00000008.006bf6c8 024f5a46 Sun Jan 21 2024 19:49:46 -07:00 [kern_mgwd:info:3156] Error: PAM failed to authenticate user 'cii_encrypt/uK42fNcKIUsl+DKhHvT3NmIwXnnNmYpu0QMG9M4CQZs=/cii_encrypt\pii_encrypt/uK42fNcKIUsl+DKhHvT3NhUzNLNZziKlhU6i1V3A8h0kJlpfAh55q6iccxbcrizu/pii_encrypt', application 'ssh', vserver 4294967295: Authentication failure
  • Secd log: Kerberos authentication fails to initiate, and NTLM is then attempted.
00000008.007c288b 02ab0f84 Sun Jan 28 2024 18:47:07 -07:00 [kern_secd:info:15485] | [000.009.132]  warn :  No matching EMS message for Kerberos error: KDC has no support for encryption type (KRB5KDC_ERR_ETYPE_NOSUPP)  { in logEmsEventForKrbError() at src/utils/secd_ems_utils.cpp:338 }
00000008.007c288c 02ab0f84 Sun Jan 28 2024 18:47:07 -07:00 [kern_secd:info:15485] | [000.009.142]  info :  KDC has no support for encryption type (KRB5KDC_ERR_ETYPE_NOSUPP)
00000008.007c288d 02ab0f84 Sun Jan 28 2024 18:47:07 -07:00 [kern_secd:info:15485] | [000.009.174]  ERR  :  RESULT_ERROR_SECLIB_GSSAPI_NO_SERVER_CREDS:7129 in start() at src/GssapiCtx.cpp:653
00000008.007c288e 02ab0f84 Sun Jan 28 2024 18:47:07 -07:00 [kern_secd:info:15485] | [000.009.180]  info :  Failed to initiate Kerberos authentication. Trying NTLM.
00000008.007c288f 02ab0f84 Sun Jan 28 2024 18:47:07 -07:00 [kern_secd:info:15485] | [000.010.084]  ERR  :  Encountered NT error (NT_STATUS_MORE_PROCESSING_REQUIRED) for SMB command SessionSetup  { in LogNtStatusCode() at src/Commands/Commands.cpp:589 }
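
As an added example (not part of the NetApp article), the Python below triages mgwd and secd lines like those quoted above: it decodes the NTSTATUS value returned by the DC and flags a Kerberos error that is followed by NTLM fallback. The function name `triage`, the chosen NTSTATUS subset, and the shortened sample lines are assumptions made for illustration.

```python
import re

# Subset of Microsoft's NTSTATUS table covering common logon rejections.
NT_STATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

DC_REJECT = re.compile(r"Authentication rejected for user (\S+)\. DC Returned (0x[0-9a-fA-F]+)")
KRB_ERR = re.compile(r"\((KRB5KDC_ERR_\w+)\)")
NTLM_FALLBACK = "Failed to initiate Kerberos authentication. Trying NTLM."

def triage(lines):
    """Return findings for DC rejections and Kerberos-to-NTLM fallbacks."""
    findings, last_krb_err = [], None
    for line in lines:
        m = DC_REJECT.search(line)
        if m:
            code = int(m.group(2), 16)
            findings.append(("dc_reject", m.group(1), NT_STATUS.get(code, f"unknown {code:#010x}")))
            continue
        k = KRB_ERR.search(line)
        if k:
            last_krb_err = k.group(1)  # remember the most recent Kerberos error
        elif NTLM_FALLBACK in line:
            findings.append(("ntlm_fallback", last_krb_err))
            last_krb_err = None
    return findings

# Constructed sample: the article's log lines with timestamps and source paths trimmed.
SAMPLE = [
    r"[kern_mgwd:info:3156] ERR: PAM::DOMAIN: pam_domain_auth: Authentication rejected for user CORP\domain_account. DC Returned 0xc0000070",
    r"[kern_secd:info:15485] info :  KDC has no support for encryption type (KRB5KDC_ERR_ETYPE_NOSUPP)",
    r"[kern_secd:info:15485] ERR  :  RESULT_ERROR_SECLIB_GSSAPI_NO_SERVER_CREDS:7129 in start()",
    r"[kern_secd:info:15485] info :  Failed to initiate Kerberos authentication. Trying NTLM.",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```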
