Denied access to NTFS volume because AD Account is locked or disabled or expired

Applies to

• ONTAP 9
• CIFS/SMB
• NFS
• NTFS security style volume

Issue

• Clients are not able to interact with file and folders 
  • mount can work for CIFS and NFS clients, but accessing files and folders on ntfs fails with permission denied
  • Packet trace might show NFS4ERR_WRONGSEC
• Active Directory user account is locked

Example:

::> set advanced
::*> vserver services access-check authentication show-creds -node node-01 -vserver svm -unix-user-name <root>

Vserver: sbm1 (internal ID: 40)

Error: Get user credentials procedure failed
[ 0 ms] Determined UNIX id 0 is UNIX user 'root'
[ 0] UNIX user 'root' mapped to Windows user 'DOMAIN\root'
[ 0] Using cached 'DOMAIN\root' SID mapping.
[ 11] Successfully connected to ip 10.20.40.80, port 88 using TCP
**[ 16] FAILURE: Could not get credentials via S4U2Self based on
** full Windows user name 'root@DOMAIN.LOCAL'. A  'root' or SID
'S-2-8-21-338539323-9078145449-725348543-25819'

Error: command failed: Failed to get user credentials. Reason: "Kerberos Error: Clients credentials have been revoked".

• EMS 

Example:

Mar 09 23:21:08 -0800 [node-01: secd: secd.cifsAuth.problem:error]: vserver (test) General CIFS authentication problem. Error: User authentication procedure failed (Retries: 2) CIFS SMB2 Share mapping - Client Ip = 10.100.XXX.XXX
[ 3001] Attempt 1 FAILURE: Unexpected state: Error 6776 at file:src/FrameWork/Socket.cpp func:ReceiveDataOnSocket line:1233 [ 6015] Attempt 2 FAILURE: Pass-through authentication request failed.
[6016 ms] Login attempt by domain user 'AD\user' it could be a client issue or a cache credential issue in the client.

• SECD log shows that ONTAP count not get credentials for the user

Example:

                       .------------------------------------------------------------------------------.
[kern_secd:info:10210] |                                 RPC FAILURE:                                 |
[kern_secd:info:10210] |                      secd_rpc_auth_get_creds has failed                      |
[kern_secd:info:10210] |                        Result = 0, RPC Result = 7519                         |
[kern_secd:info:10210] |                   RPC received at Mon xxxxxxxxxxxxxxxx                 |
[kern_secd:info:10210] |------------------------------------------------------------------------------'
[kern_secd:info:10210] Failure Summary:
[kern_secd:info:10210] Error: Get user credentials procedure failed
[kern_secd:info:10210]   [  1 ms] Determined UNIX id 8309 is UNIX user 'user1'
[kern_secd:info:10210]   [   218] UNIX user 'user1' mapped to Windows user 'domain\winuser'
[kern_secd:info:10210]   [   218] Using cached 'domain\winuser' SID mapping.
[kern_secd:info:10210]   [   221] Successfully connected to ip 1x.xx.xx.xx, port 88 using TCP
[kern_secd:info:10210] **[   225] FAILURE: Could not get credentials via S4U2Self based on full Windows user name 'winuser@domain.local'. Access denied.
[kern_secd:info:10210]   [   225] Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx'
...
[kern_secd:info:10210] | [000.009.096]  ERR  :  RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getUserCredViaS4U2Self() at src/utils/secd_krb_utils.cpp:762
[kern_secd:info:10210] | [000.009.105]  ERR  :  getUserCredViaS4U2Self: GSSAPI Error: (d0000), Kerberos Error: (Clients credentials have been revoked)
[kern_secd:info:10210] | [000.011.467]  ERR  :  Could not get credentials via S4U2Self based on full Windows user name 'winuser@domain.domain.COM'. Access denied. { in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1211 }
[kern_secd:info:10210] | [000.011.475]  ERR  :  RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1212
[kern_secd:info:10210] | [000.011.481]  ERR  :  Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx' { in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1240 }
[kern_secd:info:10210] | [000.011.486]  ERR  :  RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in secd_rpc_auth_get_creds_1_svc() at src/authorization/secd_rpc_authorization.cpp:1540
[kern_secd:info:10210] | [000.011.512]  debug:  SecD RPC Server sending reply to RPC 153: secd_rpc_auth_get_creds  { in secdSendRpcResponse() at src/server/secd_rpc_server.cpp:2127 }
[kern_secd:info:10210] | [000.011.569]  ERR  :  RESULT_ERROR_SECD_CIFS_CRED_LOOKUP_FAILED:6988 in getFailureCode() at src/utils/secd_thread_task_journal.cpp:348