Modifying the CIFS server's AES encryption setting fails with Kerberos error: KDC has no support for encryption type
Applies to
- ONTAP 9
- Cloud Volume ONTAP (CVO)
- CIFS
Issue
- When attempting to disable AES:
::> vserver cifs security modify -vserver vs1 -is-aes-encryption-enabled false

Info: In order to disable CIFS AES encryption, the password for the CIFS server machine account must be reset. Enter the username and password for the CIFS domain "NASLAB.LOCAL".

Enter your user ID: administrator
Enter your password:

Error: command failed: Password update failed. Reason: Kerberos Error: KDC has no support for encryption type.
- SECD log:
- After the AES security option is modified, the SVM changes its machine account password in AD.
- The SECD log shows that the TCP connection to AD LDAP failed, so the LDAP bind failed.
- Because the LDAP bind failed, the SVM could not update the CIFS server's msDS-SupportedEncryptionTypes attribute.
- Because the RPC call failed, the CIFS security modification "is-aes-encryption-enabled" failed.
.-----------------------------------------------------------------------------.
| RPC FAILURE: |
| secd_rpc_ad_reset_password has failed |
| Result = 0, RPC Result = 6942 |
| RPC received at Mon Sep 21 06:33:28 2020|
|-----------------------------------------------------------------------------'
Failure Summary:
Error: CIFS server password reset procedure failed
...
[ 2286] Successfully connected to ip 10.xx.yy.2, port 88 using TCP
[ 4344] TCP connection to ip 10.aa.bb.10, port 389 via interface 10.aa.cc.dd failed: Operation timed out.
[ 4344] Unable to SASL bind to LDAP server using GSSAPI: Can't contact LDAP server
[ 4344] Unable to connect to LDAP (Active Directory) service on dc1.naslab.local (Error: Can't contact LDAP server)
[ 4348] Successfully connected to ip 10.xx.yy.2, port 88 using TCP
[ 4491] Could not authenticate as 'VS1$@NASLAB.LOCAL': CIFS server account password does not match password stored in Active Directory (KRB5KDC_ERR_PREAUTH_FAILED)
[ 4494] Successfully connected to ip 10.xx.yy.2, port 88 using TCP
[ 6544] TCP connection to ip 10.aa.bb.11, port 389 via interface 10.aa.cc.dd failed: Operation timed out.
[ 6544] Unable to SASL bind to LDAP server using GSSAPI: Can't contact LDAP server
[ 6544] Unable to connect to LDAP (Active Directory) service on dc2.naslab.local (Error: Can't contact LDAP server)
[ 6547] Successfully connected to ip 10.xx.yy.2, port 88 using TCP
[ 6732] Could not authenticate as 'VS1$@NASLAB.LOCAL': CIFS server account password does not match password stored in Active Directory (KRB5KDC_ERR_PREAUTH_FAILED)
[ 6735] Successfully connected to ip 10.xx.yy.2, port 88 using TCP
[ 8803] TCP connection to ip 10.aa.bb.3, port 389 via interface 10.aa.cc.dd failed: Operation timed out.
[ 8803] Unable to SASL bind to LDAP server using GSSAPI: Can't contact LDAP server
[ 8803] Unable to connect to LDAP (Active Directory) service on dc3.naslab.local (Error: Can't contact LDAP server)
[ 8803] Unable to make a connection (LDAP (Active Directory):SF.PRIV), result: 6942
[ 8803] Retry requested, but the retry window (7000 ms) has expired; giving up.
- The command vserver cifs domain discovered-servers show -vserver vs1 shows MS-LDAP as Unavailable or Unreachable
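The SECD excerpt above has a recognisable signature: Kerberos (port 88) connections succeed while every LDAP (port 389) connection times out, the GSSAPI bind therefore fails, and the password reset is abandoned when the retry window expires. The following script is an added example (not NetApp's code) that triages a SECD log excerpt for exactly that pattern. The log lines embedded in it are constructed to follow the format shown in this article, with hypothetical addresses and hostnames.

```python
import re

# Constructed sample SECD log lines, modelled on the format shown in the article.
# Addresses, interface and hostnames are hypothetical.
SAMPLE_SECD_LOG = """\
[ 2286] Successfully connected to ip 10.0.0.2, port 88 using TCP
[ 4344] TCP connection to ip 10.0.1.10, port 389 via interface 10.0.2.5 failed: Operation timed out.
[ 4344] Unable to SASL bind to LDAP server using GSSAPI: Can't contact LDAP server
[ 4344] Unable to connect to LDAP (Active Directory) service on dc1.example.test (Error: Can't contact LDAP server)
[ 4491] Could not authenticate as 'VS1$@EXAMPLE.TEST': CIFS server account password does not match password stored in Active Directory (KRB5KDC_ERR_PREAUTH_FAILED)
[ 6544] TCP connection to ip 10.0.1.11, port 389 via interface 10.0.2.5 failed: Operation timed out.
[ 6544] Unable to connect to LDAP (Active Directory) service on dc2.example.test (Error: Can't contact LDAP server)
[ 6547] Successfully connected to ip 10.0.0.2, port 88 using TCP
[ 8803] Retry requested, but the retry window (7000 ms) has expired; giving up.
"""

TCP_FAIL = re.compile(r"TCP connection to ip ([0-9.]+), port (\d+) via interface (\S+) failed: (.+)$")
TCP_OK = re.compile(r"Successfully connected to ip ([0-9.]+), port (\d+) using TCP")
LDAP_SVC = re.compile(r"Unable to connect to LDAP \(Active Directory\) service on (\S+)")
PREAUTH = re.compile(r"Could not authenticate as '([^']+)'.*KRB5KDC_ERR_PREAUTH_FAILED")
RETRY_EXPIRED = re.compile(r"retry window \((\d+) ms\) has expired")


def triage_secd_log(text):
    """Summarise a SECD excerpt: which DC ports were reachable, which LDAP
    servers could not be contacted, and whether the operation gave up."""
    summary = {
        "ldap_tcp_failures": [],          # (ip, interface, reason) for port 389
        "reachable": [],                  # (ip, port) successes, duplicates removed
        "unreachable_ldap_hosts": [],     # DC hostnames whose LDAP service was unreachable
        "preauth_failed_principals": [],  # principals hit by KRB5KDC_ERR_PREAUTH_FAILED
        "retry_window_expired_ms": None,  # retry window length if the operation gave up
    }
    for line in text.splitlines():
        m = TCP_FAIL.search(line)
        if m and m.group(2) == "389":
            summary["ldap_tcp_failures"].append((m.group(1), m.group(3), m.group(4)))
            continue
        m = TCP_OK.search(line)
        if m:
            entry = (m.group(1), int(m.group(2)))
            if entry not in summary["reachable"]:
                summary["reachable"].append(entry)
            continue
        m = LDAP_SVC.search(line)
        if m and m.group(1) not in summary["unreachable_ldap_hosts"]:
            summary["unreachable_ldap_hosts"].append(m.group(1))
            continue
        m = PREAUTH.search(line)
        if m and m.group(1) not in summary["preauth_failed_principals"]:
            summary["preauth_failed_principals"].append(m.group(1))
            continue
        m = RETRY_EXPIRED.search(line)
        if m:
            summary["retry_window_expired_ms"] = int(m.group(1))
    return summary


def diagnose(summary):
    """Map the summary to a verdict following the article's reasoning:
    KDC (port 88) reachable but LDAP (port 389) not is the signature of this issue."""
    kdc_ok = any(port == 88 for _, port in summary["reachable"])
    ldap_ok = any(port == 389 for _, port in summary["reachable"])
    if summary["ldap_tcp_failures"] and kdc_ok:
        return "ldap-port-389-blocked" if not ldap_ok else "ldap-port-389-partially-blocked"
    if summary["preauth_failed_principals"] and not summary["ldap_tcp_failures"]:
        # Password mismatch without any LDAP failure points elsewhere (e.g. a stale machine account)
        return "machine-account-password-mismatch"
    return "no-clear-signature"


if __name__ == "__main__":
    result = triage_secd_log(SAMPLE_SECD_LOG)
    print(diagnose(result))
    for host in result["unreachable_ldap_hosts"]:
        print("LDAP unreachable:", host)
```

The verdict "ldap-port-389-blocked" corresponds to the state in which `vserver cifs domain discovered-servers show` lists MS-LDAP as Unavailable or Unreachable; the fix is on the network path from the SVM's data LIF to the domain controllers on port 389, not in the Kerberos configuration, even though the user-visible error mentions an unsupported encryption type.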