域用户无法使用域通道登录集群

最后更新
另存为PDF

Views:

Visibility:: Public

Votes:: 0

Category:: ontap-9

Specialty:: nas<a>2009915067</a>

Last Updated:

适用场景

ONTAP 9
域通道
Kerberos
ntlm
Active Directory (AD)

问题描述

EMS日志：无法对登录到Vserver的尝试进行身份验证

[?]  Sun Jan 21 19:47:13 -0700 [slc-prod-cluster2-01: mgwd: useradmin.added.deleted:info]: The user 'CORP\domain_account' has been deleted.

[?]  Sun Jan 21 19:47:58 -0700 [slc-prod-cluster2-01: mgwd: useradmin.added.deleted:info]: The user 'corp\domain_account' has been added.

[?]  Sun Jan 21 19:49:46 -0700 [slc-prod-cluster2-01: mgwd: security.invalid.login:alert]: Failed to authenticate login attempt to Vserver: slc-prod-cluster2, username: pii_encrypt/uK42fNcKIUsl+DKhHvT3Njwg+PLkEO0XU6BJiVqvRAziA2VSN4OfEysfBlitRjlb/pii_encrypt, application: ssh.

[?]  Sun Jan 21 19:49:50 -0700 [slc-prod-cluster2-01: sshd: sshd.auth.loginDenied:notice]: params: {'message': 'Failed keyboard-interactive / pam for CORP\\domain_account from IP port 51416 ssh2  '}

Mgwd日志：DC身份验证因0xC0000070而被拒绝(STATUS_invalid_workstation)

00000008.006bf6c5 024f5a46 Sun Jan 21 2024 19:49:46 -07:00 [kern_mgwd:info:3156] 0x820b91300: 0: ERR: PAM::DOMAIN: src/pam/pam_domain_auth.cc : pam_sm_authenticate : pam_domain_auth: Authentication rejected for user CORP\domain_account. DC Returned 0xc0000070

00000008.006bf6c7 024f5a46 Sun Jan 21 2024 19:49:46 -07:00 [kern_mgwd:info:3156] 0x820b91300: 0: ERR: PAM::DOMAIN: pam_sm_authenticate : Found PAM failed

00000008.006bf6c8 024f5a46 Sun Jan 21 2024 19:49:46 -07:00 [kern_mgwd:info:3156] Error: PAM failed to authenticate user 'cii_encrypt/uK42fNcKIUsl+DKhHvT3NmIwXnnNmYpu0QMG9M4CQZs=/cii_encrypt\pii_encrypt/uK42fNcKIUsl+DKhHvT3NhUzNLNZziKlhU6i1V3A8h0kJlpfAh55q6iccxbcrizu/pii_encrypt', application 'ssh', vserver 4294967295: Authentication failure

无法启动Kerberos身份验证。然后尝试NTLM。

00000008.007c288b 02ab0f84 Sun Jan 28 2024 18:47:07 -07:00 [kern_secd:info:15485] | [000.009.132]  warn :  No matching EMS message for Kerberos error: KDC has no support for encryption type (KRB5KDC_ERR_ETYPE_NOSUPP)  { in logEmsEventForKrbError() at src/utils/secd_ems_utils.cpp:338 }

00000008.007c288c 02ab0f84 Sun Jan 28 2024 18:47:07 -07:00 [kern_secd:info:15485] | [000.009.142]  info :  KDC has no support for encryption type (KRB5KDC_ERR_ETYPE_NOSUPP)

00000008.007c288d 02ab0f84 Sun Jan 28 2024 18:47:07 -07:00 [kern_secd:info:15485] | [000.009.174]  ERR  :  RESULT_ERROR_SECLIB_GSSAPI_NO_SERVER_CREDS:7129 in start() at src/GssapiCtx.cpp:653

00000008.007c288e 02ab0f84 Sun Jan 28 2024 18:47:07 -07:00 [kern_secd:info:15485] | [000.009.180]  info :  Failed to initiate Kerberos authentication. Trying NTLM.

00000008.007c288f 02ab0f84 Sun Jan 28 2024 18:47:07 -07:00 [kern_secd:info:15485] | [000.010.084]  ERR  :  Encountered NT error (NT_STATUS_MORE_PROCESSING_REQUIRED) for SMB command SessionSetup  { in LogNtStatusCode() at src/Commands/Commands.cpp:589 }