NFSv4 Kerberos mount of an NTFS volume from a client fails with an access denied error
Applies to
- ONTAP 9
- Kerberos
- NFSv4
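- NTFS volumes
Issue
- An NFSv4 client is denied access when mounting an NTFS volume using Kerberos
- EMS shows a secd.nfsAuth.noCifsCred event in which S4U2Self cannot obtain the credentials of the mapped Windows user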
1/15/2024 14:27:37 cluster1-01 ERROR secd.nfsAuth.noCifsCred: vserver (svm1) NFS authorization cannot retrieve CIFS credentials. Error: Get user credentials procedure failed
[ 0 ms] Determined UNIX id 65534 is UNIX user 'pcuser'
[ 12] UNIX user 'pcuser' mapped to Windows user 'ntap\nfsnobody'
[ 12] Using cached 'ntap\nfsnobody' SID mapping.
[ 15] Successfully connected to ip 10.10.10.110, port 88 using TCP
[ 17] FAILURE: Could not get credentials via S4U2Self based on full Windows user name 'nfsnobody@NTAP.LOCAL'. Access denied.
[ 17] Could not get credentials for Windows user 'nfsnobody' or SID 'S-1-5-21-3506719826-1324006886-3270342602-1112'
- A packet trace shows the NFS client receiving NFS4ERR_ACCESS on the ACCESS call during the mount.
- The krb-unix name mapping shows machine accounts and host SPNs mapped to pcuser
clus9x::> vserver name-mapping show -vserver svm1 -direction krb-unix
Vserver: svm1
Direction: krb-unix
Position Hostname IP Address/Mask
-------- ---------------- ----------------
1 - - Pattern: (.+)\$@NTAP.LOCAL
Replacement: pcuser
2 - - Pattern: host/(.+)@NTAP.LOCAL
Replacement: pcuser
3 - - Pattern: (.+)@NTAP.LOCAL
Replacement: \1
3 entries were displayed.
- The unix-win name mapping has no explicit rules
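
How the three krb-unix rules shown above resolve a Kerberos principal, as an added example that is not part of the original article or of ONTAP itself. The sample principals are constructed, and whole-string, first-match evaluation with Python's re module is an assumption standing in for ONTAP's own regex handling.

```python
import re

# Rules copied from the krb-unix output above: (position, pattern, replacement).
KRB_UNIX_RULES = [
    (1, r"(.+)\$@NTAP.LOCAL", r"pcuser"),
    (2, r"host/(.+)@NTAP.LOCAL", r"pcuser"),
    (3, r"(.+)@NTAP.LOCAL", r"\1"),
]


def matching_positions(principal, rules=KRB_UNIX_RULES):
    """Return the positions of every rule whose pattern matches the principal."""
    # Assumption: a pattern has to cover the whole principal name.
    return [pos for pos, pattern, _ in sorted(rules)
            if re.fullmatch(pattern, principal)]


def map_principal(principal, rules=KRB_UNIX_RULES):
    """Return (position, unix_user) for the first matching rule, else (None, None)."""
    for pos, pattern, replacement in sorted(rules):
        match = re.fullmatch(pattern, principal)
        if match:
            # Expand back-references such as \1 in the replacement string.
            return pos, match.expand(replacement)
    return None, None


if __name__ == "__main__":
    # Constructed sample principals, not taken from the article.
    samples = [
        "CLIENT1$@NTAP.LOCAL",                 # machine account
        "host/client1.ntap.local@NTAP.LOCAL",  # host SPN
        "alice@NTAP.LOCAL",                    # ordinary user principal
        "bob@OTHER.REALM",                     # realm not covered by any rule
    ]
    for principal in samples:
        pos, unix_user = map_principal(principal)
        print(f"{principal:40} rule={pos} unix_user={unix_user} "
              f"all_matching_rules={matching_positions(principal)}")
```

Machine accounts and host SPNs also match rule 3, but positions 1 and 2 are evaluated first, so they resolve to pcuser, the UNIX user for which the EMS trace then attempts the Windows credential lookup.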