Modifying AES encryption on the CIFS server fails with "SecD Error: no server available" because a PTR record is missing
Applies to
- ONTAP 9.7
- CIFS
Issue
- When attempting to modify or add permissions from the Security tab, Windows SMB clients receive the following error:
"The program cannot open the required dialog box because it cannot determine whether the computer named 'cifs -server' is joined to a domain. Close this message, and try again."
- Creating a new CIFS server also fails.
- Setting is-aes-encryption-enabled to false fails:
::> cifs security modify -vserver svm1 -is-aes-encryption-enabled false
Info: In order to disable CIFS AES encryption, the password for the CIFS server machine account must be reset. Enter the username and password for the CIFS domain "NASLAB.LOCAL".
Enter your user ID: administrator
Enter your password:
Error: command failed: Password update failed. Reason: SecD Error: no server available.
- SecD:
.------------------------------------------------------------------------------.
| RPC FAILURE: |
| secd_rpc_ad_get_dc_info has failed |
| Result = 0, RPC Result = 6940 |
| RPC received at Thu Sep 24 13:42:26 2020 |
|------------------------------------------------------------------------------'
Failure Summary:
Error: Get DC Info procedure failed
[ 0 ms] No servers available for MS_LDAP_AD, vserver: 2, domain: naslab.local.
[ 2] Successfully connected to ip 10.xx.yy.191, port 389 using TCP
[ 4] Successfully connected to ip 10.xx.yy.191, port 88 using TCP
[ 20] Successfully connected to ip 10.xx.yy.191, port 389 using TCP
[ 21] Entry for host-address: 10.xx.yy.191 not found in the current source: FILES. Ignoring and trying next available source
[ 22] Source: DNS unavailable. Entry for host-address:10.xx.yy.191 not found in any of the available sources
**[ 22] FAILURE: Unable to SASL bind to LDAP server using GSSAPI: Local error
[ 22] Additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot determine realm for numeric host address)
[ 23] Successfully connected to ip 10.xx.yy.191, port 88 using TCP
[ 57] Could not authenticate as 'SVM1$@NASLAB.LOCAL': CIFS server account password does not match password stored in Active Directory (KRB5KDC_ERR_PREAUTH_FAILED)
[ 57] Unable to connect to LDAP (Active Directory) service on win-aesid9bf636.naslab.local (Error: Local error)
[ 57] No servers available for MS_LDAP_AD, vserver: 2, domain: naslab.local.
[ 57] Unable to make a connection (LDAP (Active Directory):NASLAB.LOCAL), result: 6940
- EMS:
cluster-01 DEBUG secd.unexpectedFailure: vserver (svm1) Unexpected failure. Error: CIFS server password change procedure failed
[ 2 ms] Successfully connected to ip 10.xx.yy.191, port 88 using TCP
[ 4] Successfully connected to ip 10.xx.yy.191, port 88 using TCP
**[ 6] FAILURE: CIFS server could not authenticate as 'SVM1$@NASLAB.LOCAL': Generic preauthentication failure (KRB5_PREAUTH_FAILED)
8/7/2024 15:58:01 node01 ERROR secd.unexpectedFailure: Unexpected SecD failure in Vserver "PINTAIL3_dest". Details: Error: Get DC Info procedure failed
CIFS Domain Query via LSAR_DS_ROLE_GET_DOMAIN_INFO - Client Ip = 10.2xx.xc.xc User = xcx\Sebxcvcc
[ 2089] Successfully connected to ip 10.10.2xx.xx, port 88 using TCP
[ 2107] Successfully connected to ip 10.1x2xx.1xx, port 389 using TCP
[ 2108] Source: DNS unavailable. Ignoring and trying next available source for host-address: 10.10.2xx.1xx
[ 2108] Entry for host-address: 10.10.2xx.1xx not found in the current source: FILES. Entry for host-address: 10.10.2xx.1xx not found in any of the available sources
- The AD-LDAP connection is set to use sign (client session security):
::> cifs security show -vserver svm1 -fields session-security-for-ad-ldap
vserver session-security-for-ad-ldap
--------- ----------------------------
svm1 sign
- The AD-LDAP connection to the preferred DC is unavailable/undetermined:
::> vserver cifs domain discovered-servers show
Node: cluster-01
Vserver: svm1
Domain Name Type Preference DC-Name DC-Address Status
--------------- -------- ---------- --------------- --------------- ---------
naslab.local KERBEROS preferred win-aesid9bf636 10.xx.yy.191 undetermined
naslab.local MS-LDAP preferred win-aesid9bf636 10.xx.yy.191 unavailable
naslab.local MS-DC preferred win-aesid9bf636 10.xx.yy.191 OK
- Discovery mode is set to none (only the preferred DCs are used):
::> set adv
::*> vserver cifs domain discovered-servers discovery-mode show -vserver svm1
Vserver: svm1
Server Discovery Mode: none
- Getting DC info fails:
::> set adv
::*> vserver services access-check authentication get-dc-info -vserver svm1
Error: command failed: RPC call to SecD failed. RPC: "SecD Error: no server available". Reason: "".
- Reverse lookup of the DC fails:
::> set adv
::*> vserver services name-service getxxbyyy gethostbyaddr -vserver svm1 -ipaddress 10.xx.yy.191
Error: command failed: Failed to resolve 10.xx.yy.191. Reason: Unknown host.
- A packet trace shows the DNS response "No such name":
57 05:24:18.155 0.001194000 10.xx.yy.18 10.xx.yy.191 30946,53 DNS Standard query 0x86d9 PTR 191.yy.xx.10.in-addr.arpa
58 05:24:18.157 0.001903000 10.xx.yy.191 10.xx.yy.18 53,30946 DNS Standard query response 0x86d9 No such name PTR 191.yy.xx.10.in-addr.arpa SOA dc91.naslab.local
session-security-for-ad-ldap is used for seal/sign.
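The symptoms above share one root cause: with session security set to sign or seal, SecD performs a GSSAPI SASL bind to the DC, and Kerberos needs the DC's hostname, which SecD obtains by reverse-resolving the DC address (Cannot determine realm for numeric host address). The following is an added example, not NetApp code, that parses the `discovered-servers show` table and checks each DC address for a forward-confirmed PTR record. The DC address 10.0.0.191, the table text and the stub resolver are constructed so that it runs offline; in practice you would replace `make_stub_resolver` with real DNS lookups (for example via dnspython).

```python
"""Audit discovered DC addresses for forward-confirmed reverse DNS.

Added example (not NetApp code). The table below is constructed from the
KB text with a placeholder DC address; the resolver is an offline stub.
"""
import ipaddress

# Constructed sample of `vserver cifs domain discovered-servers show` output.
SAMPLE_DISCOVERED_SERVERS = """\
Node: cluster-01
Vserver: svm1
Domain Name     Type     Preference DC-Name         DC-Address      Status
--------------- -------- ---------- --------------- --------------- ---------
naslab.local    KERBEROS preferred  win-aesid9bf636 10.0.0.191      undetermined
naslab.local    MS-LDAP  preferred  win-aesid9bf636 10.0.0.191      unavailable
naslab.local    MS-DC    preferred  win-aesid9bf636 10.0.0.191      OK
"""


def parse_discovered_servers(text):
    """Return one dict per data row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # "Node:", "Vserver:", the 7-token header, blank lines
        domain, svc_type, preference, dc_name, dc_addr, status = parts
        try:
            ipaddress.ip_address(dc_addr)
        except ValueError:
            continue  # separator line or anything else that is not a DC row
        rows.append({"domain": domain, "type": svc_type, "preference": preference,
                     "dc_name": dc_name, "address": dc_addr, "status": status})
    return rows


def reverse_name(addr):
    """The in-addr.arpa name ONTAP queries, e.g. 191.0.0.10.in-addr.arpa."""
    return ipaddress.ip_address(addr).reverse_pointer


def check_ptr(addr, expected_fqdn, lookup_ptr, lookup_a):
    """Classify a DC address.

    lookup_ptr(addr) -> PTR target or None; lookup_a(name) -> set of addresses.
    Returns (code, detail) where code is one of NO_PTR, PTR_MISMATCH,
    NO_FORWARD_MATCH, OK.
    """
    ptr = lookup_ptr(addr)
    if ptr is None:
        return ("NO_PTR", f"{reverse_name(addr)} has no PTR record; "
                          "GSSAPI SASL bind cannot determine the DC's realm")
    ptr_name = ptr.rstrip(".").lower()
    if ptr_name != expected_fqdn.lower():
        return ("PTR_MISMATCH", f"PTR points to {ptr_name}, expected {expected_fqdn}")
    if addr not in lookup_a(ptr_name):
        return ("NO_FORWARD_MATCH", f"{ptr_name} does not resolve back to {addr}")
    return ("OK", f"{addr} <-> {ptr_name} is forward-confirmed")


def audit_dc_ptr(text, lookup_ptr, lookup_a):
    """Check every distinct DC address once; returns {address: (code, detail)}."""
    results = {}
    for row in parse_discovered_servers(text):
        addr = row["address"]
        if addr in results:
            continue  # same DC listed for KERBEROS, MS-LDAP and MS-DC
        expected = f"{row['dc_name']}.{row['domain']}"
        results[addr] = check_ptr(addr, expected, lookup_ptr, lookup_a)
    return results


def make_stub_resolver(ptr_records, a_records):
    """Offline stand-in for DNS: dicts keyed by address and by lowercase name."""
    def lookup_ptr(addr):
        return ptr_records.get(addr)

    def lookup_a(name):
        return set(a_records.get(name.rstrip(".").lower(), []))
    return lookup_ptr, lookup_a


# Zone as in the KB: forward record present, PTR missing ("No such name").
BROKEN_ZONE = make_stub_resolver(
    ptr_records={},
    a_records={"win-aesid9bf636.naslab.local": ["10.0.0.191"]})
# Same zone after the PTR record for the DC has been added.
FIXED_ZONE = make_stub_resolver(
    ptr_records={"10.0.0.191": "win-aesid9bf636.naslab.local."},
    a_records={"win-aesid9bf636.naslab.local": ["10.0.0.191"]})

if __name__ == "__main__":
    for label, (ptr, a) in (("before fix", BROKEN_ZONE), ("after fix", FIXED_ZONE)):
        for addr, (code, detail) in audit_dc_ptr(SAMPLE_DISCOVERED_SERVERS, ptr, a).items():
            print(f"{label}: {addr} {code}: {detail}")
```

Running the script prints NO_PTR for the broken zone and OK once the PTR exists. The check is deliberately stricter than "does a PTR exist": a PTR that names a different host, or a name that does not resolve back to the DC address, also breaks the Kerberos service principal that the GSSAPI bind constructs, so both are reported as distinct failure codes.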