NetApp Knowledge Base

NFS access to NTFS volume fails with "access denied" after ONTAP upgrade because the AD account is locked, disabled, or expired

Applies to

  • ONTAP 9
  • NFS
  • NTFS security style volume

Issue

  • NFS user gets "access denied" when trying to access the NFS mount (NTFS security style)
  • Fetching credentials for the NFS user user1 fails:

Cluster::*> diag secd authentication show-creds -vserver svm1 -node node1 -unix-user-name user1
Vserver: svm1 (internal ID: 3)
Error: Get user credentials procedure failed
  [  0 ms] Determined UNIX id 8309 is UNIX user 'user1'
  [     0] UNIX user 'user1' mapped to Windows user
           'naslab\winuser'
  [     0] Using cached 'naslab\winuser' SID mapping.
  [     5] Successfully connected to ip 1x.xx.xx.xx, port 88
           using TCP
**[    10] FAILURE: Could not get credentials via S4U2Self based on
**         full Windows user name
**         'winuser@naslab.local'. Access
**         denied.
  [    10] Could not get credentials for Windows user 'winuser'
           or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx'

  
Error: command failed: Failed to get user credentials. Reason: "Kerberos Error: Clients credentials have been revoked".

SECD logs:

  • Fetching credentials via S4U2SELF fails with error "Clients credentials have been revoked"

                       .------------------------------------------------------------------------------.
[kern_secd:info:10210] |                                 RPC FAILURE:                                 |
[kern_secd:info:10210] |                      secd_rpc_auth_get_creds has failed                      |
[kern_secd:info:10210] |                        Result = 0, RPC Result = 7519                         |
[kern_secd:info:10210] |                   RPC received at Mon xxxxxxxxxxxxxxxx                 |
[kern_secd:info:10210] |------------------------------------------------------------------------------'
[kern_secd:info:10210] Failure Summary:
[kern_secd:info:10210] Error: Get user credentials procedure failed
[kern_secd:info:10210]   [  1 ms] Determined UNIX id 8309 is UNIX user 'user1'
[kern_secd:info:10210]   [   218] UNIX user 'user1' mapped to Windows user 'naslab\winuser'
[kern_secd:info:10210]   [   218] Using cached 'naslab\winuser' SID mapping.
[kern_secd:info:10210]   [   221] Successfully connected to ip 1x.xx.xx.xx, port 88 using TCP
[kern_secd:info:10210] **[   225] FAILURE: Could not get credentials via S4U2Self based on full Windows user name 'winuser@naslab.local'. Access denied.
[kern_secd:info:10210]   [   225] Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx'
...
[kern_secd:info:10210] | [000.009.096]  ERR  :  RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getUserCredViaS4U2Self() at src/utils/secd_krb_utils.cpp:762
[kern_secd:info:10210] | [000.009.105]  ERR  :  getUserCredViaS4U2Self: GSSAPI Error: (d0000), Kerberos Error: (Clients credentials have been revoked)
[kern_secd:info:10210] | [000.011.467]  ERR  :  Could not get credentials via S4U2Self based on full Windows user name 'winuser@naslab.MARRCORP.MARRIOTT.COM'. Access denied. { in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1211 }
[kern_secd:info:10210] | [000.011.475]  ERR  :  RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1212
[kern_secd:info:10210] | [000.011.481]  ERR  :  Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx' { in getCredentials() at src/authorization/secd_cifs_authorization.cpp:1240 }
[kern_secd:info:10210] | [000.011.486]  ERR  :  RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in secd_rpc_auth_get_creds_1_svc() at src/authorization/secd_rpc_authorization.cpp:1540
[kern_secd:info:10210] | [000.011.512]  debug:  SecD RPC Server sending reply to RPC 153: secd_rpc_auth_get_creds  { in secdSendRpcResponse() at src/server/secd_rpc_server.cpp:2127 }
[kern_secd:info:10210] | [000.011.569]  ERR  :  RESULT_ERROR_SECD_CIFS_CRED_LOOKUP_FAILED:6988 in getFailureCode() at src/utils/secd_thread_task_journal.cpp:348

EMS logs:
[node1: secd: secd.nfsAuth.noCifsCred:error]: vserver (svm1) NFS authorization cannot retrieve CIFS credentials. Error: Get user credentials procedure failed   [  1 ms] Determined UNIX id 8309 is UNIX user 'user1'   [   218] UNIX user 'ftps' mapped to Windows user 'naslab\winuser'   [   218] Using cached 'naslab\winuser' SID mapping.   [   221] Successfully connected to ip 1x.xx.xx.xx, port 88 using TCP **[   225] FAILURE: Could not get credentials via S4U2Self based on full Windows user name 'winuser@naslab.local'. Access denied.   [   225] Could not get credentials for Windows user 'winuser' or SID 'S-1-5-21-1xxxxxx-15xxxx-72xxxx-12xxx' 
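An added example, not part of the KB article or any NetApp tooling: a small triage parser for the SECD and EMS lines shown above. It pairs each failed S4U2Self lookup with its UNIX-to-Windows mapping and marks it `client_revoked` when the 7519 result code or the "Clients credentials have been revoked" text follows. The sample lines are constructed from the output above; `user2` and `winuser2` are hypothetical.

```python
import re

MAP_RE = re.compile(r"UNIX user '([^']+)' mapped to Windows user '([^']+)'")
S4U_RE = re.compile(r"Could not get credentials via S4U2Self based on "
                    r"full Windows user name '([^']+)'")
# Either the SECD result code or the Kerberos error text identifies the cause.
REVOKED_RE = re.compile(r"RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519"
                        r"|Clients credentials have been revoked")

def triage(lines):
    """Return one finding per (UNIX user, principal) whose S4U2Self lookup failed."""
    findings = {}
    unix_user = win_user = current = None
    for line in lines:
        m = MAP_RE.search(line)
        if m:
            unix_user, win_user = m.groups()
        m = S4U_RE.search(line)
        if m:
            # SECD repeats the failure in the summary and the ERR trace: dedupe.
            key = (unix_user, m.group(1))
            current = findings.setdefault(key, {
                "unix_user": unix_user, "windows_user": win_user,
                "principal": m.group(1), "reason": "unknown"})
        if current is not None and REVOKED_RE.search(line):
            # Revoked client: check the AD account for locked/disabled/expired.
            current["reason"] = "client_revoked"
    return list(findings.values())

# Constructed sample: SECD lines shaped like the log above, then one
# EMS-style line for a hypothetical second user (no Kerberos reason in it).
SAMPLE = [
    r"[kern_secd:info:10210]   [   218] UNIX user 'user1' mapped to Windows user 'naslab\winuser'",
    r"[kern_secd:info:10210] **[   225] FAILURE: Could not get credentials via S4U2Self based on full Windows user name 'winuser@naslab.local'. Access denied.",
    r"[kern_secd:info:10210] | [000.009.096]  ERR  :  RESULT_ERROR_KERBEROS_CLIENT_REVOKED:7519 in getUserCredViaS4U2Self() at src/utils/secd_krb_utils.cpp:762",
    r"[kern_secd:info:10210] | [000.011.467]  ERR  :  Could not get credentials via S4U2Self based on full Windows user name 'winuser@naslab.local'. Access denied.",
    r"[node1: secd: secd.nfsAuth.noCifsCred:error]: vserver (svm1) NFS authorization cannot retrieve CIFS credentials. [   218] UNIX user 'user2' mapped to Windows user 'naslab\winuser2' **[   225] FAILURE: Could not get credentials via S4U2Self based on full Windows user name 'winuser2@naslab.local'. Access denied.",
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["unix_user"], "->", f["principal"], f["reason"])
```

A finding left at `unknown` comes from text that lacks the Kerberos reason, as the EMS event above does; the `diag secd authentication show-creds` output or the SECD trace supplies it.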
 

Name-mapping:

Cluster::*> vserver  name-mapping show -vserver  svm1
Vserver:   svm1
Direction: unix-win
Position Hostname         IP Address/Mask
-------- ---------------- ----------------
1       -                 -                   Pattern: user1
                                          Replacement: naslab\\winuser

 
