SSH to the cluster CLI fails for users from a trusted domain of the CIFS server
Applies to
- ONTAP 9
- CIFS domain tunnel
- SSH
Issue
- The CIFS server is a member of the NASLAB.local domain
::> cifs show -instance
Vserver: vs1
CIFS Server NetBIOS Name: VS1
NetBIOS Domain/Workgroup Name: NASLAB
Fully Qualified Domain Name: NASLAB.LOCAL
Organizational Unit: CN=Computers
Authentication Style: domain
CIFS Server Administrative Status: up
- The domain tunnel is created using SVM vs1
::> security login domain-tunnel show
Tunnel Vserver: vs1
- Users from the trusted domain (BLRLAB) are unable to SSH to the cluster CLI.
- Fetching credentials for a user from the trusted domain fails
::> set adv
Warning: These advanced commands are potentially dangerous; use them only when directed to do so by NetApp personnel.
Do you want to continue? {y|n}: y
::*> vserver services access-check authentication show-creds -node node1 -vserver vs1 -win-name blrlab\user1
Vserver: vs1 (internal ID: 6)
Error: Get user credentials procedure failed
...
(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)
[ 5725] Failed to initiate Kerberos authentication. Trying NTLM.
[ 7726] TCP connection to ip 10.1.1.1, port 389 failed:
Operation timed out.
[ 10032] TCP connection to ip 10.2.2.2, port 389 failed:
Operation timed out.
[ 12439] TCP connection to ip 10.3.3.3, port 389 failed:
Operation timed out.
[ 15005] TCP connection to ip 10.4.4.4, port 389 failed:
Operation timed out.
**[ 15006] FAILURE: Unable to make a connection (LDAP (Active
** Directory):blrlab.local), result: 6942
[ 15006] Could not get credentials via LDAP for Windows user
'435970-a' based on SID
'S-1-5-21-2573208799-187067640-1722879566-575467'
[ 15006] Could not get credentials for Windows user 'user1' or
'435970-a' based on SID
'S-1-5-21-2573208799-187067640-1722879566-575467'
[ 15006] Could not get credentials for Windows user 'user1' or
SID 'S-1-5-21-2573208799-187067640-1722879566-575467'
Note: Users from the same domain (NASLAB) can SSH to the cluster CLI without any issues.
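The following Python sketch is an added example, not part of the original article and not NetApp code. It condenses a show-creds trace like the one above into the Kerberos error, the endpoints whose TCP connection failed, and the domain and result code from the FAILURE entry; the function name summarize_trace is hypothetical and the sample input is copied from the output above.

```python
import re

# Trace lines copied from the show-creds output above (only the lines parsed here).
SAMPLE_TRACE = """\
(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)
[ 5725] Failed to initiate Kerberos authentication. Trying NTLM.
[ 7726] TCP connection to ip 10.1.1.1, port 389 failed:
Operation timed out.
[ 10032] TCP connection to ip 10.2.2.2, port 389 failed:
Operation timed out.
[ 12439] TCP connection to ip 10.3.3.3, port 389 failed:
Operation timed out.
[ 15005] TCP connection to ip 10.4.4.4, port 389 failed:
Operation timed out.
**[ 15006] FAILURE: Unable to make a connection (LDAP (Active
** Directory):blrlab.local), result: 6942
"""

TCP_FAIL = re.compile(r"TCP connection to ip (\S+), port (\d+) failed:")
KRB_ERR = re.compile(r"\((KRB5[A-Z0-9_]+)\)")
FAILURE = re.compile(r"FAILURE: Unable to make a connection \((.+?)\), result: (\d+)")


def summarize_trace(trace: str) -> dict:
    """Hypothetical helper: reduce a show-creds trace to the facts needed for triage."""
    lines = trace.splitlines()
    endpoints = []
    for i, line in enumerate(lines):
        m = TCP_FAIL.search(line)
        if m:
            # The failure reason is printed on the line after "... failed:".
            reason = lines[i + 1].strip() if i + 1 < len(lines) else ""
            endpoints.append({"ip": m.group(1), "port": int(m.group(2)), "reason": reason})
    # FAILURE entries wrap across lines and carry a "**" prefix; strip and rejoin first.
    joined = " ".join(l.lstrip("* ").rstrip() for l in lines)
    krb = KRB_ERR.search(joined)
    fail = FAILURE.search(joined)
    service, _, domain = fail.group(1).rpartition(":") if fail else ("", "", "")
    return {
        "kerberos_error": krb.group(1) if krb else None,
        "failed_endpoints": endpoints,
        "service": service or None,
        "domain": domain or None,
        "result": int(fail.group(2)) if fail else None,
    }


if __name__ == "__main__":
    for key, value in summarize_trace(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```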