Modifying the CIFS server AES encryption setting fails with Kerberos error: KDC has no support for encryption type
Applies to
- ONTAP 9
- Cloud Volume ONTAP (CVO)
- CIFS
Issue
- When attempting to disable AES, the command fails:
::> vserver cifs security modify -vserver vs1 -is-aes-encryption-enabled false

Info: In order to disable CIFS AES encryption, the password for the CIFS server machine account must be reset. Enter the username and password for the CIFS domain "NASLAB.LOCAL".
Enter your user ID: administrator
Enter your password:

Error: command failed: Password update failed. Reason: Kerberos Error: KDC has no support for encryption type.
- SECD log:
- When the AES security option is modified, the SVM resets its machine account password in Active Directory.
- The SECD log shows that the KDC was reachable on TCP port 88, but every TCP connection to the AD LDAP servers on port 389 timed out, so the LDAP bind (SASL/GSSAPI) failed. A timeout rather than a refusal points at a firewall or routing problem on the path from the SVM's interface to the domain controllers.
- Because the LDAP bind failed, the SVM cannot update the msDS-SupportedEncryptionTypes attribute of the CIFS server's machine account.
- The modification of the CIFS security option "is-aes-encryption-enabled" therefore fails, because the underlying RPC (secd_rpc_ad_reset_password) fails.
.-----------------------------------------------------------------------------.
| RPC FAILURE: |
| secd_rpc_ad_reset_password has failed |
| Result = 0, RPC Result = 6942 |
| RPC received at Mon Sep 21 06:33:28 2020|
|-----------------------------------------------------------------------------'
Failure Summary:
Error: CIFS server password reset procedure failed
...
[ 2286] Successfully connected to ip 10.xx.yy.2, port 88 using TCP
[ 4344] TCP connection to ip 10.aa.bb.10, port 389 via interface 10.aa.cc.dd failed: Operation timed out.
[ 4344] Unable to SASL bind to LDAP server using GSSAPI: Can't contact LDAP server
[ 4344] Unable to connect to LDAP (Active Directory) service on dc1.naslab.local (Error: Can't contact LDAP server)
[ 4348] Successfully connected to ip 10.xx.yy.2, port 88 using TCP
[ 4491] Could not authenticate as 'VS1$@NASLAB.LOCAL': CIFS server account password does not match password stored in Active Directory (KRB5KDC_ERR_PREAUTH_FAILED)
[ 4494] Successfully connected to ip 10.xx.yy.2, port 88 using TCP
[ 6544] TCP connection to ip 10.aa.bb.11, port 389 via interface 10.aa.cc.dd failed: Operation timed out.
[ 6544] Unable to SASL bind to LDAP server using GSSAPI: Can't contact LDAP server
[ 6544] Unable to connect to LDAP (Active Directory) service on dc2.naslab.local (Error: Can't contact LDAP server)
[ 6547] Successfully connected to ip 10.xx.yy.2, port 88 using TCP
[ 6732] Could not authenticate as 'VS1$@NASLAB.LOCAL': CIFS server account password does not match password stored in Active Directory (KRB5KDC_ERR_PREAUTH_FAILED)
[ 6735] Successfully connected to ip 10.xx.yy.2, port 88 using TCP
[ 8803] TCP connection to ip 10.aa.bb.3, port 389 via interface 10.aa.cc.dd failed: Operation timed out.
[ 8803] Unable to SASL bind to LDAP server using GSSAPI: Can't contact LDAP server
[ 8803] Unable to connect to LDAP (Active Directory) service on dc3.naslab.local (Error: Can't contact LDAP server)
[ 8803] Unable to make a connection (LDAP (Active Directory):SF.PRIV), result: 6942
[ 8803] Retry requested, but the retry window (7000 ms) has expired; giving up.
- The command
vserver cifs domain discovered-servers show -vserver vs1
shows the MS-LDAP servers as Unavailable or Unreachable.
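As an added example (not NetApp's code and not part of this article), the following Python script triages a SECD log excerpt of the kind quoted above: it classifies each connection line by destination port and reports whether the KDC on TCP/88 answered while every LDAP attempt on TCP/389 to the domain controllers failed, which is the failure signature this article describes. The sample log is constructed to mirror the excerpt above (with the same redacted addresses); the regular expressions, the verdict names and the parse_secd/diagnose/report functions are this example's own, not an ONTAP interface.

```python
import re

# Constructed sample SECD log, modelled on the excerpt quoted in this article.
SAMPLE_SECD_LOG = """\
[ 2286] Successfully connected to ip 10.xx.yy.2, port 88 using TCP
[ 4344] TCP connection to ip 10.aa.bb.10, port 389 via interface 10.aa.cc.dd failed: Operation timed out.
[ 4344] Unable to SASL bind to LDAP server using GSSAPI: Can't contact LDAP server
[ 4344] Unable to connect to LDAP (Active Directory) service on dc1.naslab.local (Error: Can't contact LDAP server)
[ 4348] Successfully connected to ip 10.xx.yy.2, port 88 using TCP
[ 4491] Could not authenticate as 'VS1$@NASLAB.LOCAL': CIFS server account password does not match password stored in Active Directory (KRB5KDC_ERR_PREAUTH_FAILED)
[ 4494] Successfully connected to ip 10.xx.yy.2, port 88 using TCP
[ 6544] TCP connection to ip 10.aa.bb.11, port 389 via interface 10.aa.cc.dd failed: Operation timed out.
[ 6544] Unable to connect to LDAP (Active Directory) service on dc2.naslab.local (Error: Can't contact LDAP server)
[ 6732] Could not authenticate as 'VS1$@NASLAB.LOCAL': CIFS server account password does not match password stored in Active Directory (KRB5KDC_ERR_PREAUTH_FAILED)
[ 8803] TCP connection to ip 10.aa.bb.3, port 389 via interface 10.aa.cc.dd failed: Operation timed out.
[ 8803] Unable to connect to LDAP (Active Directory) service on dc3.naslab.local (Error: Can't contact LDAP server)
[ 8803] Unable to make a connection (LDAP (Active Directory):SF.PRIV), result: 6942
[ 8803] Retry requested, but the retry window (7000 ms) has expired; giving up.
"""

KDC_PORT = "88"    # Kerberos
LDAP_PORT = "389"  # AD LDAP, used for the msDS-SupportedEncryptionTypes update

# Line shapes taken from the SECD excerpt; these patterns are this example's own.
RE_CONNECT_OK = re.compile(r"Successfully connected to ip (\S+), port (\d+) using TCP")
RE_CONNECT_FAIL = re.compile(r"TCP connection to ip (\S+), port (\d+) via interface (\S+) failed: (.*)")
RE_LDAP_HOST_FAIL = re.compile(r"Unable to connect to LDAP \(Active Directory\) service on (\S+) \(Error: (.*)\)")
RE_PREAUTH = re.compile(r"Could not authenticate as '([^']+)'.*\((KRB5\w+)\)")
RE_RESULT = re.compile(r"\bresult: (\d+)")
RE_GIVE_UP = re.compile(r"retry window \((\d+) ms\) has expired")


def parse_secd(log_text):
    """Collect per-service connection outcomes from a SECD log excerpt."""
    s = {
        "kdc_ok": set(),           # DC addresses that accepted TCP/88
        "ldap_ok": set(),          # DC addresses that accepted TCP/389
        "ldap_tcp_failed": {},     # DC address -> reason the TCP/389 connect failed
        "ldap_hosts_failed": {},   # DC FQDN -> LDAP error text
        "preauth_failures": [],    # (principal, KRB5 error code) tuples
        "rpc_result": None,        # numeric SECD result code, if logged
        "gave_up_after_ms": None,  # retry window that expired, if logged
    }
    for line in log_text.splitlines():
        if m := RE_CONNECT_OK.search(line):
            ip, port = m.groups()
            if port == KDC_PORT:
                s["kdc_ok"].add(ip)
            elif port == LDAP_PORT:
                s["ldap_ok"].add(ip)
        elif m := RE_CONNECT_FAIL.search(line):
            ip, port, _iface, reason = m.groups()
            if port == LDAP_PORT:
                s["ldap_tcp_failed"][ip] = reason.strip()
        elif m := RE_LDAP_HOST_FAIL.search(line):
            host, err = m.groups()
            s["ldap_hosts_failed"][host] = err
        elif m := RE_PREAUTH.search(line):
            s["preauth_failures"].append(m.groups())
        elif m := RE_RESULT.search(line):
            s["rpc_result"] = int(m.group(1))
        elif m := RE_GIVE_UP.search(line):
            s["gave_up_after_ms"] = int(m.group(1))
    return s


def diagnose(s):
    """Map the parsed outcomes to a verdict; LDAP_UNREACHABLE is this article's case."""
    if not s["kdc_ok"]:
        return "KDC_UNREACHABLE"
    if s["ldap_hosts_failed"] and not s["ldap_ok"]:
        return "LDAP_UNREACHABLE"
    if s["preauth_failures"]:
        return "MACHINE_ACCOUNT_PASSWORD_MISMATCH"
    return "NO_CONNECTIVITY_FAULT_FOUND"


VERDICT_TEXT = {
    "KDC_UNREACHABLE": "No domain controller accepted TCP/88; Kerberos is unreachable from the SVM.",
    "LDAP_UNREACHABLE": "KDC answered on TCP/88 but every TCP/389 attempt to the DCs failed, so the LDAP bind "
                        "needed to update msDS-SupportedEncryptionTypes cannot happen. A timeout points at a "
                        "firewall or route between the SVM interface and the DCs; compare with "
                        "'vserver cifs domain discovered-servers show'.",
    "MACHINE_ACCOUNT_PASSWORD_MISMATCH": "LDAP is reachable, but Kerberos pre-authentication as the machine "
                        "account failed: its password no longer matches what AD holds.",
    "NO_CONNECTIVITY_FAULT_FOUND": "No connection failure in this excerpt; the cause lies elsewhere.",
}


def report(log_text):
    """Human-readable triage of one SECD excerpt."""
    s = parse_secd(log_text)
    verdict = diagnose(s)
    lines = [f"verdict: {verdict}", VERDICT_TEXT[verdict]]
    for host, err in sorted(s["ldap_hosts_failed"].items()):
        lines.append(f"  LDAP {host}: {err}")
    for principal, code in s["preauth_failures"]:
        lines.append(f"  Kerberos pre-auth failed for {principal}: {code}")
    if s["rpc_result"] is not None:
        lines.append(f"  SECD result code: {s['rpc_result']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SECD_LOG))
```

The script deliberately keeps the KDC and LDAP outcomes apart: the preauth failures (KRB5KDC_ERR_PREAUTH_FAILED) that follow the first LDAP timeout are a consequence of the interrupted password reset, not its cause, so the verdict is driven by the port 389 failures rather than by the Kerberos lines.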