NetApp Knowledge Base

NFS access to NTFS volume fails with "access denied" after 9.7 because the AD account is locked, disabled, or expired

Category: ontap-9
Specialty: nas

Applies to

  • ONTAP 9
  • NFS
  • NTFS security style volume

Issue

  • NFS user gets "access denied" when trying to access the NFS mount (NTFS security style)
  • Fetching credentials for the NFS user user1 fails:

Cluster::*> diag secd authentication show-creds -vserver svm1 -node node1 -unix-user-name user1
Vserver: svm1 (internal ID: 3)
Error: Get user credentials procedure failed
  [  0 ms] Determined UNIX id 8309 is UNIX user 'user1'
  [     0] UNIX user 'user1' mapped to Windows user
           'naslab\winuser'
  [     0] Using cached 'naslab\winuser' SID mapping.
  [     5] Successfully connected to ip 1x.xx.xx.xx, port 88
           using TCP
**[    10] FAILURE: Could not get credentials via S4U2Self based on
**         full Windows user name
**         'winuser@naslab.local'. Access
**         denied.
  [    10] Could not get credentials for Windows user 'winuser'
           or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx'

  
Error: command failed: Failed to get user credentials. Reason: "Kerberos Error: Clients credentials have been revoked".

SECD logs:

  • Fetching credentials via S4U2SELF fails with error "Clients credentials have been revoked"

                       .------------------------------------------------------------------------------.
[kern_secd:info:10210] |                                 RPC FAILURE:                                 |
[kern_secd:info:10210] |                      secd_rpc_auth_get_creds has failed                      |
[kern_secd:info:10210] |                        Result = 0, RPC Result = 7519                         |
[kern_secd:info:10210] |                   RPC received at Mon xxxxxxxxxxxxxxxx                 |
[kern_secd:info:10210] |------------------------------------------------------------------------------'
[kern_secd:info:10210] Failure Summary:
[kern_secd:info:10210] Error: Get user credentials procedure failed
[kern_secd:info:10210]   [  1 ms] Determined UNIX id 8309 is UNIX user 'user1'
[kern_secd:info:10210]   [   218] UNIX user 'user1' mapped to Windows user 'naslab\winuser'
[kern_secd:info:10210]   [   218] Using cached 'naslab\winuser' SID mapping.
[kern_secd:info:10210]   [   221] Successfully connected to ip 1x.xx.xx.xx, port 88 using TCP
[kern_secd:info:10210] **[   225] FAILURE: Could not get credentials via S4U2Self based on full Windows user name 'winuser@naslab.local'. Access denied.
[kern_secd:info:10210]   [   225] Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx'
...
[kern_secd:info:10210] | [000.009.096]  ERR  :  RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getUserCredViaS4U2Self() at src/utils/secd_krb_utils.cpp:762
[kern_secd:info:10210] | [000.009.105]  ERR  :  getUserCredViaS4U2Self: GSSAPI Error: (d0000), Kerberos Error: (Clients credentials have been revoked)
[kern_secd:info:10210] | [000.011.467]  ERR  :  Could not get credentials via S4U2Self based on full Windows user name 'winuser@naslab.MARRCORP.MARRIOTT.COM'. Access denied. { in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1211 }
[kern_secd:info:10210] | [000.011.475]  ERR  :  RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1212
[kern_secd:info:10210] | [000.011.481]  ERR  :  Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx' { in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1240 }
[kern_secd:info:10210] | [000.011.486]  ERR  :  RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in secd_rpc_auth_get_creds_1_svc() at src/authorization/secd_rpc_authorization.cpp:1540
[kern_secd:info:10210] | [000.011.512]  debug:  SecD RPC Server sending reply to RPC 153: secd_rpc_auth_get_creds  { in secdSendRpcResponse() at src/server/secd_rpc_server.cpp:2127 }
[kern_secd:info:10210] | [000.011.569]  ERR  :  RESULT_ERROR_SECD_CIFS_CRED_LOOKUP_FAILED:6988 in getFailureCode() at src/utils/secd_thread_task_journal.cpp:348

EMS logs:
[node1: secd: secd.nfsAuth.noCifsCred:error]: vserver (svm1) NFS authorization cannot retrieve CIFS credentials. Error: Get user credentials procedure failed   [  1 ms] Determined UNIX id 8309 is UNIX user 'user1'   [   218] UNIX user 'ftps' mapped to Windows user 'naslab\winuser'   [   218] Using cached 'naslab\winuser' SID mapping.   [   221] Successfully connected to ip 1x.xx.xx.xx, port 88 using TCP **[   225] FAILURE: Could not get credentials via S4U2Self based on full Windows user name 'winuser@naslab.local'. Access denied.   [   225] Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx' 
 

Name-mapping:

Cluster::*> vserver  name-mapping show -vserver  svm1
Vserver:   svm1
Direction: unix-win
Position Hostname         IP Address/Mask
-------- ---------------- ----------------
1       -                 -                   Pattern: user1
                                          Replacement: naslab\\winuser

 
