在 SVM 上启用 AES 加密后，CIFS 访问丢失

• ONTAP 9
• CIFS
• 高级加密标准(Advanced Encryption Standard、AES)

• 使用命令 -is-aes-encryption-enabled cifs security modify 启用后，SVM 的 CIFS 访问丢失
• 任何更改 SVM 机器帐户密码的尝试都将失败，并出现以下错误：

ontap95::> vserver cifs password-change -vserver <SVM>
Error: command failed: Password update failed. Reason: Kerberos Error: Invalid credentials were given.

• 任何尝试禁用 -is-aes-encryption-enabled 都将失败，并出现以下错误：

ontap95::> vserver cifs security modify -vserver <SVM> -is-aes-encryption-enabled false
Info: In order to disable CIFS AES encryption, the password for the CIFS server machine account must be reset. Enter the username and password for the CIFS domain "DOMAIN.LOCAL".
Enter your user ID: test123
Enter your password:
Error: command failed: Password update failed. Reason: SecD Error: no server available.

• Secd log 将显示以下故障

[kern_secd:info:12647] .------------------------------------------------------------------------------.
[kern_secd:info:12647] | RPC FAILURE: |
[kern_secd:info:12647] | secd_rpc_ad_change_password has failed |
[kern_secd:info:12647] | Result = 0, RPC Result = 7525 |
[kern_secd:info:12647] | RPC received at Tue Sep 8 17:58:24 2020 |
[kern_secd:info:12647] |------------------------------------------------------------------------------'
[kern_secd:info:12647] Failure Summary:
[kern_secd:info:12647] Error: CIFS server password change procedure failed
[kern_secd:info:12647] [ 1 ms] Successfully connected to ip 10.216.36.39, port 88 using TCP
[kern_secd:info:12647] [ 2] Successfully connected to ip 10.216.36.39, port 88 using TCP
[kern_secd:info:12647] **[ 5] FAILURE: CIFS server could not authenticate as 'CIFS95$@DOMAIN.LOCAL': CIFS server account password does not match password stored in Active Directory (KRB5KDC_ERR_PREAUTH_FAILED)