secd.ldap.noServers: EMERGENCY caused by trusted DC discovery after an ONTAP upgrade
Applies to
- ONTAP 9.12.1P8 and later
- ONTAP 9.13.1 and later
- ONTAP 9.7P22
- SMB/CIFS
- Domain trusts
Issue
- After upgrading ONTAP to a release that contains the fix for CONTAP-79128: The default site is always used for trusted domain controller discovery in the CIFS discovery mode "site", EMS logs the following for the CIFS SVM every 4 hours:
[node1: secd: secd.ldap.noServers:EMERGENCY]: None of the LDAP servers configured for Vserver (SVM1) are currently accessible via the network for LDAP service type (Service: LDAP (Active Directory), Operation: SiteDiscovery).
[node1: secd: secd.ldap.trust.noServers:error]: None of the LDAP servers configured for SVM "SVM1" and trusted domain "TrustedDC" are currently accessible for LDAP service type "Service: LDAP (Active Directory), Operation: SiteDiscovery".
[node1: secd: secd.conn.auth.failure:notice]: Vserver (SVM1) could not make a connection over the network to server (ip <TrustedDC>, port 389). Error: Operation timed out (Service: LDAP (Active Directory), Operation: SiteDiscovery).
Note: These are EMS entries for the trusted domain controller. Before the upgrade, there were no such log entries.
A Kerberos pre-authentication failure occurred for SVM "svm_ZUSCUPxxST1xx" due to invalid credentials for ZUxCUPDAXxxx$@TAAAXxx01.LOCAL
[node1: secd: secd.ldap.trust.noServers:error]: None of the LDAP servers configured for SVM "SVM1" and trusted domain "TrustedDC" are currently accessible for LDAP service type "Service: LDAP (Active Directory), Operation: SiteDiscovery".
- The MS-LDAP discovered servers for the trusted domain are unavailable:
::> vserver cifs domain discovered-servers show -vserver <svm>
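- Before proceeding to the solution, the following troubleshooting steps can be performed
Ensure communication between the SVM and the trusted DC:
- LDAP to the trusted DC is not blocked by a firewall or similar device.
- The DC responds to LDAP requests.
- If the specified trusted domain no longer exists:
- Cosmetic error with no impact
- Remove any decommissioned domains and trust relationships from Active Directory to prevent the error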
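
The following added example (not NetApp code and not part of the original article) parses the secd EMS message formats shown under Issue and reports, per SVM, whether the EMERGENCY entry is accompanied by a secd.ldap.trust.noServers entry for SiteDiscovery, together with the trusted domain and the server that timed out. The sample lines are constructed; node2, SVM2, the address 192.0.2.10 and the labels "trusted-dc-discovery" and "unclassified" are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the EMS message formats shown above, with placeholder names.
SAMPLE = """\
[node1: secd: secd.ldap.noServers:EMERGENCY]: None of the LDAP servers configured for Vserver (SVM1) are currently accessible via the network for LDAP service type (Service: LDAP (Active Directory), Operation: SiteDiscovery).
[node1: secd: secd.ldap.trust.noServers:error]: None of the LDAP servers configured for SVM "SVM1" and trusted domain "TrustedDC" are currently accessible for LDAP service type "Service: LDAP (Active Directory), Operation: SiteDiscovery".
[node1: secd: secd.conn.auth.failure:notice]: Vserver (SVM1) could not make a connection over the network to server (ip 192.0.2.10, port 389). Error: Operation timed out (Service: LDAP (Active Directory), Operation: SiteDiscovery).
[node2: secd: secd.ldap.noServers:EMERGENCY]: None of the LDAP servers configured for Vserver (SVM2) are currently accessible via the network for LDAP service type (Service: LDAP (Active Directory), Operation: SiteDiscovery).
"""

HEADER = re.compile(r"^\[(?P<node>[^:]+): secd: (?P<event>[\w.]+):(?P<sev>\w+)\]: (?P<msg>.*)$")
SVM = re.compile(r'(?:Vserver \(|SVM ")(?P<svm>[^)"]+)')
TRUST = re.compile(r'trusted domain "(?P<domain>[^"]+)"')
SERVER = re.compile(r"server \(ip (?P<ip>[^,]+), port (?P<port>\d+)\)")
OPERATION = re.compile(r"Operation: (?P<op>\w+)")

def triage(text):
    """Group secd SiteDiscovery EMS lines per SVM and flag the trusted-DC pattern."""
    svms = defaultdict(lambda: {"events": set(), "trusted_domains": set(), "servers": set()})
    for line in text.splitlines():
        head = HEADER.match(line.strip())
        if not head:
            continue  # not an EMS line in the bracketed format (e.g. the Kerberos message)
        msg = head["msg"]
        svm, op = SVM.search(msg), OPERATION.search(msg)
        if not svm or not op or op["op"] != "SiteDiscovery":
            continue
        entry = svms[svm["svm"]]
        entry["events"].add(head["event"])
        if (trust := TRUST.search(msg)):
            entry["trusted_domains"].add(trust["domain"])
        if (server := SERVER.search(msg)):
            entry["servers"].add((server["ip"], int(server["port"])))
    report = {}
    for name, entry in svms.items():
        # Hypothetical labels: an SVM without a trust.noServers entry does not match this article.
        trusted = "secd.ldap.trust.noServers" in entry["events"]
        report[name] = {
            "pattern": "trusted-dc-discovery" if trusted else "unclassified",
            "trusted_domains": sorted(entry["trusted_domains"]),
            "unreachable": sorted(entry["servers"]),
        }
    return report

if __name__ == "__main__":
    for svm, result in triage(SAMPLE).items():
        print(svm, result)
```

An SVM reported as "unclassified" logged the EMERGENCY without a matching trusted-domain entry, so it falls outside the pattern this article describes and should be examined separately.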