
Events for secd.nfsAuth.problem due to STATUS_TRUSTED_DOMAIN_FAILURE (0xc000018c)

Applies to

  • ONTAP 9
  • Active Directory Domains and Trusts

Issue

  • Events are logged for NFS authorization problems (secd.nfsAuth.problem) when a UNIX-to-Windows name mapping attempt fails with a transient error
  • Further investigation of the SECD log shows the domain controller returning STATUS_TRUSTED_DOMAIN_FAILURE (0xc000018c), which results in the transient condition
  • Sample EMS event:
Wed Aug 19 10:55:48 -0400 [CLUSTER-01: secd: secd.nfsAuth.problem:error]: vserver (SVM1) General NFS authorization problem. Error: Get user credentials procedure failed 
  [  0 ms] Determined UNIX id 0 is UNIX user 'root'
  [     0] Trying to map 'root' to Windows user 'root' using implicit mapping
  [     1] Using a cached connection to dc01.domain.local
  [    11] Encountered unknown NT Error (0x103) for SMB command Read
  [   668] Could not find Windows name 'root'
**[   668] FAILURE: Name mapping for UNIX user 'root' failed with transient errors.
  • Sample from SECD:
.------------------------------------------------------------------------------.
|                                 RPC FAILURE:                                 |
|                      secd_rpc_auth_get_creds has failed                      |
|                        Result = 0, RPC Result = 7037                         |
|                   RPC received at Wed Aug 19 10:55:48 2020                   |
|------------------------------------------------------------------------------'
Failure Summary:
Error: Get user credentials procedure failed
  [  0 ms] Determined UNIX id 0 is UNIX user 'root'
  [     0] Trying to map 'root' to Windows user 'root' using implicit mapping
  [     7] Using a cached connection to dc01.domain.local
  [    15] Encountered unknown NT Error (0x103) for SMB command Read
  [   259] Could not find Windows name 'root'
**[   259] FAILURE: Name mapping for UNIX user 'root' failed with transient errors.
Details:
| [000.000.013]  debug:  Worker Thread 34507218176 processing RPC 153:secd_rpc_auth_get_creds with request ID:8559 which sat in the queue for 0 seconds.  { in run() at src/server/secd_rpc_server.cpp:2306 }
| [000.000.025]  debug:  Client IP as found in the request: 10.1.2.100  { in secd_rpc_auth_get_creds_1_svc() at src/authorization/secd_rpc_authorization.cpp:1443 }
| [000.000.036]  debug:  Setting thread context. VServerId = 3 (name='SVM1'), Protocol = CIFS, lifId = 0  { in setThreadContext() at src/utils/secd_thread_data_manager.cpp:415 }
| [000.000.043]  debug:  secd_rpc_auth_get_creds_1_svc called with vserverid = 3  { in secd_rpc_auth_get_creds_1_svc() at src/authorization/secd_rpc_authorization.cpp:1448 }
| [000.000.048]  debug:  Getting creds for VserverId: 3  { in secd_rpc_auth_get_creds_1_svc() at src/authorization/secd_rpc_authorization.cpp:1450 }
| [000.000.054]  debug:  Get creds for UserId= 0  { in getCredsFromUserIdViaLibc() at src/authorization/secd_unix_authorization.cpp:114 }
| [000.000.321]  debug:  Mcached lookup return values for user, group and group membership are 0, 0, 0  { in _getUserInfo() at src/authorization/secd_unix_authorization.cpp:717 }
| [000.000.327]  debug:  All the details found in cache  { in _getUserInfo() at src/authorization/secd_unix_authorization.cpp:720 }
| [000.000.338]  info :  Determined UNIX id 0 is UNIX user 'root' { in secd_rpc_auth_get_creds_1_svc() at src/authorization/secd_rpc_authorization.cpp:1488 }
| [000.000.351]  debug:  Attempting to map name root using the cluster mapping store  { in getAppropriateUnixToWindowsMapping() at src/name_mapping/secd_name_mapping.cpp:897 }
| [000.000.357]  info :  Trying to map 'root' to Windows user 'root' using implicit mapping { in getAppropriateUnixToWindowsMapping() at src/name_mapping/secd_name_mapping.cpp:1011 }
| [000.000.374]  debug:  No Domain part in the given Name. root can correspond to a Special NfsV4 sid.  { in handleNfsV4NameToSid() at src/authorization/secd_cifs_authorization.cpp:430 }
| [000.000.379]  debug:  root doesn't correspond to a Special NfsV4 Sid.   { in handleNfsV4NameToSid() at src/authorization/secd_cifs_authorization.cpp:441 }
| [000.000.384]  ERR  :  RESULT_ERROR_SECD_ENTRY_NOT_FOUND:6915 in handleNfsV4NameToSid() at src/authorization/secd_cifs_authorization.cpp:442
| [000.000.421]  debug:  Not an NfsV4 name  { in handleNfsV4NameToSid() at src/authorization/secd_cifs_authorization.cpp:489 }
| [000.000.428]  ERR  :  RESULT_ERROR_SECD_ENTRY_NOT_FOUND:6915 in handleNfsV4NameToSid() at src/authorization/secd_cifs_authorization.cpp:490
| [000.000.433]  debug:  Not an NFSv4 regular name.  { in getSidFromName() at src/authorization/secd_cifs_authorization.cpp:291 }
| [000.000.447]  debug:  Looking for LSA cache (key: "domain.local") in vserver 3  { in getConnectionCache() at src/connection_manager/secd_connection_cache.cpp:642 }
| [000.000.495]  debug:  Looking for a connection to LSA for DOMAIN.LOCAL  { in getConnection() at src/connection_manager/secd_connection_manager.cpp:606 }
| [000.000.500]  debug:  Acquiring a new LSA connection; favoring cache  { in getBestConnection() at src/connection_manager/secd_connection_manager.cpp:808 }
| [000.000.523]  debug:  Looking up SID for Everyone  { in lookupName() at src/utils/secd_cifs_utils.cpp:310 }
| [000.000.537]  debug:  Calling LsaLookupNames2...  { in lookupName() at src/utils/secd_cifs_utils.cpp:326 }
| [000.007.029]  debug:  LsaLookupNames2 returned NtStatus code: 0x0  { in lookupName() at src/utils/secd_cifs_utils.cpp:346 }
| [000.007.036]  debug:  Found an available connection in the cache  { in getBestCachedConnection() at src/connection_manager/secd_connection_cache.cpp:352 }
| [000.007.045]  info :  Using a cached connection to dc01.domain.local { in getBestConnection() at src/connection_manager/secd_connection_manager.cpp:916 }
| [000.007.090]  debug:  Looking up SID for root  { in lookupName() at src/utils/secd_cifs_utils.cpp:310 }
| [000.007.104]  debug:  Calling LsaLookupNames2...  { in lookupName() at src/utils/secd_cifs_utils.cpp:326 }
| [000.015.494]  ERR  :  Encountered unknown NT Error (0x103) for SMB command Read  { in LogNtStatusCode() at src/Commands/Commands.cpp:648 }
| [000.015.502]  ERR  :  SMB2 response has NT error 0x103  { in ParseSmb2HeaderResponse() at src/Smb2/Smb2Utils.cpp:478 }
| [000.015.506]  debug:  SIGNING: The response from the DC is async. NOTE: async responses are not signed.  { in ParseSmb2HeaderResponse() at src/Smb2/Smb2Utils.cpp:517 }
| [000.015.511]  info :  Async Read response received  { in Smb2Read() at src/Smb2/Smb2Read.cpp:281 }
| [000.259.769]  debug:  LsaLookupNames2 returned NtStatus code: 0xc000018c  { in lookupName() at src/utils/secd_cifs_utils.cpp:346 }
| [000.259.775]  debug:  LSA returned NT status 0xC000018C, which was converted to result 3  { in convertLsaErrorToResult() at src/include/secd_connection_utils.h:44 }
| [000.259.783]  ERR  :  RESULT_ERROR_GENERAL_FAILURE:3 in lookupName() at src/utils/secd_cifs_utils.cpp:422
| [000.259.792]  ERR  :  RESULT_ERROR_GENERAL_FAILURE:3 in getSidFromName() at src/authorization/secd_cifs_authorization.cpp:325
| [000.259.800]  info :  Could not find Windows name 'root' { in getSidFromName() at src/authorization/secd_cifs_authorization.cpp:354 }
| [000.259.849]  ERR  :  Name mapping for UNIX user 'root' failed with transient errors. { in mapUnknownUnixNameToDefaultWindowsUser() at src/name_mapping/secd_name_mapping.cpp:1375 }
| [000.259.853]  ERR  :  RESULT_ERROR_GENERAL_FAILURE:3 in mapUnknownUnixNameToDefaultWindowsUser() at src/name_mapping/secd_name_mapping.cpp:1376
| [000.259.859]  ERR  :  RESULT_ERROR_GENERAL_FAILURE:3 in mapNameUnixToWindows() at src/name_mapping/secd_name_mapping.cpp:1549
| [000.259.865]  ERR  :  RESULT_ERROR_GENERAL_FAILURE:3 in mapName() at src/name_mapping/secd_name_mapping.cpp:1617
| [000.259.872]  ERR  :  RESULT_ERROR_SECD_TRANSIENT_MAPPING_FAILURE:7037 in mapName() at src/name_mapping/secd_name_mapping.cpp:1630
| [000.259.879]  ERR  :  RESULT_ERROR_SECD_TRANSIENT_MAPPING_FAILURE:7037 in secd_rpc_auth_get_creds_1_svc() at src/authorization/secd_rpc_authorization.cpp:1511
| [000.259.905]  debug:  SecD RPC Server sending reply to RPC 153: secd_rpc_auth_get_creds  { in secdSendRpcResponse() at src/server/secd_rpc_server.cpp:2127 }
| [000.259.957]  ERR  :  RESULT_ERROR_GENERAL_FAILURE:3 in getFailureCode() at src/utils/secd_thread_task_journal.cpp:348
|------------------------------------------------------------------------------.
|                  RPC completed at Wed Aug 19 10:55:48 2020                   |
|              End of log for failed RPC secd_rpc_auth_get_creds               |
'------------------------------------------------------------------------------'
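
An added example, not part of the NetApp article: a Python triage helper that walks SECD detail lines like those above, pairs each "Looking up SID for" entry with the NTSTATUS that LsaLookupNames2 returned, and records the DC named by the most recent "Using a cached connection" line. The function names and the reading of the timestamp as seconds.milliseconds.microseconds are assumptions made for this example.

```python
import re

# NTSTATUS values that appear in the log above. 0x103 is STATUS_PENDING, the
# interim reply to the async SMB2 Read, not the final result of the lookup.
NTSTATUS = {
    0x00000000: "STATUS_SUCCESS",
    0x00000103: "STATUS_PENDING",
    0xC000018C: "STATUS_TRUSTED_DOMAIN_FAILURE",
}

# "| [sss.mmm.uuu]  level:  message  { in fn() at file:line }". Reading the stamp
# as seconds.milliseconds.microseconds is an assumption, inferred from the
# millisecond offsets in the Failure Summary.
DETAIL = re.compile(r"^\|\s*\[(\d+)\.(\d+)\.(\d+)\]\s+(\w+)\s*:\s+(.*?)(?:\s*\{ in .*)?$")

# Excerpt of the SECD sample above, trimmed to the lines that matter here.
SAMPLE = """\
| [000.000.523]  debug:  Looking up SID for Everyone  { in lookupName() at src/utils/secd_cifs_utils.cpp:310 }
| [000.007.029]  debug:  LsaLookupNames2 returned NtStatus code: 0x0  { in lookupName() at src/utils/secd_cifs_utils.cpp:346 }
| [000.007.045]  info :  Using a cached connection to dc01.domain.local { in getBestConnection() at src/connection_manager/secd_connection_manager.cpp:916 }
| [000.007.090]  debug:  Looking up SID for root  { in lookupName() at src/utils/secd_cifs_utils.cpp:310 }
| [000.015.494]  ERR  :  Encountered unknown NT Error (0x103) for SMB command Read  { in LogNtStatusCode() at src/Commands/Commands.cpp:648 }
| [000.259.769]  debug:  LsaLookupNames2 returned NtStatus code: 0xc000018c  { in lookupName() at src/utils/secd_cifs_utils.cpp:346 }
"""

def lsa_lookups(text):
    """Return one record per LsaLookupNames2 call found in SECD detail lines."""
    records, dc, pending = [], None, None
    for line in text.splitlines():
        m = DETAIL.match(line)
        if not m:
            continue
        sec, ms, us = (int(g) for g in m.group(1, 2, 3))
        stamp_us = (sec * 1000 + ms) * 1000 + us
        msg = m.group(5)
        if msg.startswith("Using a cached connection to "):
            dc = msg.rsplit(" ", 1)[1]
        elif msg.startswith("Looking up SID for "):
            pending = (msg[len("Looking up SID for "):], stamp_us)
        elif msg.startswith("LsaLookupNames2 returned NtStatus code:") and pending:
            code = int(msg.rsplit(" ", 1)[1], 16)
            records.append({"name": pending[0], "dc": dc, "code": code,
                            "status": NTSTATUS.get(code, hex(code)),
                            "elapsed_us": stamp_us - pending[1]})
            pending = None
    return records

def failed_lookups(text):
    """Lookups whose final NTSTATUS has error severity (top two bits set)."""
    return [r for r in lsa_lookups(text) if r["code"] >> 30 == 3]
```

Calling failed_lookups(SAMPLE) returns only the 'root' lookup against dc01.domain.local with STATUS_TRUSTED_DOMAIN_FAILURE; the 0x103 line is skipped because it is not the LsaLookupNames2 result.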