Unable to enable LDAP session security in a disjoint namespace
Applies to
- ONTAP 9
- CIFS
- Disjoint namespace
Issue
- The SVM is joined to an AD domain whose DNS namespace is disjoint (the domain controllers' DNS suffix does not match the AD domain / Kerberos realm name)
- AES encryption for Kerberos cannot be enabled because the machine account password reset fails:
::> vserver cifs security modify -vserver svm1 -is-aes-encryption-enabled true
Error: command failed: Password update failed. Reason: SecD Error: no server available.
- After signing and/or sealing is enabled for client sessions in Vserver CIFS security (Client Session Security set to sign or seal), the AD LDAP connection fails
cluster2::> vserver cifs security show -vserver svm1
Vserver: svm1
Kerberos Clock Skew: 5 minutes
Kerberos Ticket Age: 10 hours
Kerberos Renewal Age: 7 days
Kerberos KDC Timeout: 3 seconds
Is Signing Required: false
Is Password Complexity Required: true
Use start_tls for AD LDAP connection: false
(DEPRECATED)-Is AES Encryption Enabled: true
LM Compatibility Level: lm-ntlm-ntlmv2-krb
Is SMB Encryption Required: false
Client Session Security: sign
(DEPRECATED)-SMB1 Enabled for DC Connections: false
SMB2 Enabled for DC Connections: system-default
LDAP Referral Enabled For AD LDAP connections: false
Use LDAPS for AD LDAP connection: false
Encryption is required for DC Connections: false
AES session key enabled for NetLogon channel: false
Try Channel Binding For AD LDAP Connections: true
Encryption Types Advertised to Kerberos:
aes-256, aes-128, rc4, des
- The EMS log will contain secd.conn.auth.failure errors
- The SecD log may contain the following entries (note that the first credential request carries no realm for the LDAP service principal, and the retry with the SVM's own realm is rejected by the KDC):
Rcode received from the DNS server(10.11.12.13): 0 when querying 14.12.11.10.in-addr.arpa
Getting credentials SVM1$@SUB.DOMAIN.COM -> ldap/ad1.domain.com@
Retrying SVM1$@SUB.DOMAIN.COM -> ldap/ad1.domain.com@SUB.DOMAIN.COM with result: -1765328243/Matching credential not found
TGS request result: -1765328377/Server not found in Kerberos database
GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
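The SecD excerpt above carries the disjoint-namespace signature in one place: the SVM machine account is SVM1$@SUB.DOMAIN.COM, but the LDAP target it tries to reach is ldap/ad1.domain.com, whose DNS suffix (domain.com) is not the realm the account lives in. The first credential request therefore has an empty service realm, and the retry that borrows the client's realm is answered with "Server not found in Kerberos database". The following triage helper is an added example, not NetApp code or part of this article. It parses SecD lines of the shape shown above (the regexes are inferred from that excerpt, not from a documented log format), records the krb5 result codes, and flags the case where the LDAP server's DNS suffix differs from the machine account's realm. The sample log embedded in it is constructed from the lines on this page; the error-code constants are the standard MIT krb5 values for the two messages that appear in the excerpt.

```python
"""Triage helper for ONTAP SecD Kerberos/LDAP failures in a disjoint namespace.

Added example, not NetApp code. The line patterns below are inferred from the
SecD excerpt in the KB article; the sample log is constructed from those lines.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Standard MIT krb5 result codes for the two messages seen in the excerpt.
KRB5_CC_NOTFOUND = -1765328243                 # "Matching credential not found"
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = -1765328377  # "Server not found in Kerberos database"

# Constructed sample, patterned on the SecD lines quoted in the article.
SAMPLE_SECD_LOG = """\
Rcode received from the DNS server(10.11.12.13): 0 when querying 14.12.11.10.in-addr.arpa
Getting credentials SVM1$@SUB.DOMAIN.COM -> ldap/ad1.domain.com@
Retrying SVM1$@SUB.DOMAIN.COM -> ldap/ad1.domain.com@SUB.DOMAIN.COM with result: -1765328243/Matching credential not found
TGS request result: -1765328377/Server not found in Kerberos database
GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
"""

# "Getting credentials CLIENT@REALM -> svc/host@[SREALM]" and the "Retrying ..." variant.
CRED_RE = re.compile(
    r"^(?:Getting credentials|Retrying) (?P<client>[^\s@]+)@(?P<crealm>[^\s@]+) -> "
    r"(?P<svc>[^/\s]+)/(?P<host>[^@\s]+)@(?P<srealm>\S*)"
)
# "... result: <code>/<message>" as emitted for both the retry and the TGS request.
RESULT_RE = re.compile(r"result: (?P<code>-?\d+)/(?P<msg>.+)$")


@dataclass
class Diagnosis:
    client_principal: Optional[str] = None       # e.g. SVM1$@SUB.DOMAIN.COM
    client_realm: Optional[str] = None           # realm of the SVM machine account
    service_principal: Optional[str] = None      # e.g. ldap/ad1.domain.com
    service_dns_suffix: Optional[str] = None     # DNS parent of the LDAP server
    first_service_realm: Optional[str] = None    # realm SecD attached on the first try ("" = none)
    retry_service_realm: Optional[str] = None    # realm used on the retry, if any
    kdc_errors: List[Tuple[int, str]] = field(default_factory=list)
    disjoint_namespace: bool = False


def dns_suffix(fqdn: str) -> str:
    """Parent DNS domain of a host name: ad1.domain.com -> domain.com."""
    return fqdn.split(".", 1)[1] if "." in fqdn else ""


def analyze_secd_log(text: str) -> Diagnosis:
    """Parse SecD lines and flag a DNS-suffix / realm mismatch (heuristic)."""
    d = Diagnosis()
    for line in text.splitlines():
        m = CRED_RE.match(line)
        if m:
            if d.client_principal is None:  # first attempt: what SecD derived on its own
                d.client_principal = f"{m['client']}@{m['crealm']}"
                d.client_realm = m["crealm"]
                d.service_principal = f"{m['svc']}/{m['host']}"
                d.service_dns_suffix = dns_suffix(m["host"])
                d.first_service_realm = m["srealm"]
            else:                             # retry: realm SecD fell back to
                d.retry_service_realm = m["srealm"]
        r = RESULT_RE.search(line)
        if r:
            d.kdc_errors.append((int(r["code"]), r["msg"].strip()))
    if d.client_realm and d.service_dns_suffix is not None:
        # Disjoint namespace: the LDAP server's DNS parent is not the account's realm.
        d.disjoint_namespace = d.service_dns_suffix.upper() != d.client_realm.upper()
    return d


def summarize(d: Diagnosis) -> str:
    """One-line verdict for the operator; a heuristic, not an authoritative root cause."""
    if not d.client_realm:
        return "no Kerberos credential request found in log"
    codes = {code for code, _ in d.kdc_errors}
    if d.disjoint_namespace and KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN in codes:
        return (f"disjoint namespace: {d.service_principal} sits under DNS suffix "
                f"{d.service_dns_suffix!r} but the SVM account is in realm {d.client_realm}; "
                f"first attempt had realm {d.first_service_realm!r}, retry with "
                f"{d.retry_service_realm} got S_PRINCIPAL_UNKNOWN from the KDC")
    if d.disjoint_namespace:
        return "DNS suffix and realm differ, but no principal-unknown error was logged"
    return "namespace is contiguous; check DNS PTR records, SPN registration and clock skew instead"


if __name__ == "__main__":
    print(summarize(analyze_secd_log(SAMPLE_SECD_LOG)))
```

Run it against a SecD log captured with `set diag; debug log show` style output (or any file containing the "Getting credentials ... -> ldap/..." lines); a contiguous namespace such as ldap/ad1.sub.domain.com for an account in SUB.DOMAIN.COM is reported as contiguous, so the helper only points at this article's scenario when the suffix really differs.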