NetApp Knowledge Base

SSH to cluster CLI using users from CIFS server's trusted domain fails

Applies to

  • ONTAP 9 
  • CIFS domain-tunnel
  • SSH

Issue

  • The CIFS server belongs to the NASLAB.LOCAL domain:

::> cifs show -instance
                                          Vserver: vs1
                         CIFS Server NetBIOS Name: VS1
                    NetBIOS Domain/Workgroup Name: NASLAB
                      Fully Qualified Domain Name: NASLAB.LOCAL
                              Organizational Unit: CN=Computers
                             Authentication Style: domain
                CIFS Server Administrative Status: up

  • The domain-tunnel is created with SVM vs1:

::> security login domain-tunnel show
Tunnel Vserver: vs1

  • Users from the trusted domain (BLRLAB) are not able to SSH to the cluster CLI.
  • Fetching credentials for a user from the trusted domain fails:

::> set adv

Warning: These advanced commands are potentially dangerous; use them only when directed to do so by NetApp personnel.
Do you want to continue? {y|n}: y


::*> vserver services access-check authentication show-creds -node node1 -vserver vs1 -win-name blrlab\user1
Vserver: vs1 (internal ID: 6)
Error: Get user credentials procedure failed
  ...
           (KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)
  [  5725] Failed to initiate Kerberos authentication. Trying NTLM.
  [  7726] TCP connection to ip 10.1.1.1, port 389 failed:
           Operation timed out.
  [ 10032] TCP connection to ip 10.2.2.2, port 389 failed:
           Operation timed out.
  [ 12439] TCP connection to ip 10.3.3.3, port 389 failed:
           Operation timed out.
  [ 15005] TCP connection to ip 10.4.4.4, port 389 failed:
           Operation timed out.

**[ 15006] FAILURE: Unable to make a connection (LDAP (Active
**         Directory):blrlab.local), result: 6942
  [ 15006] Could not get credentials via LDAP for Windows user
           '435970-a' based on SID
           'S-1-5-21-2573208799-187067640-1722879566-575467'
  [ 15006] Could not get credentials for Windows user 'user1' or
           '435970-a' based on SID
           'S-1-5-21-2573208799-187067640-1722879566-575467'
  [ 15006] Could not get credentials for Windows user 'user1' or
           SID 'S-1-5-21-2573208799-187067640-1722879566-575467'

NOTE: Users from the same domain (NASLAB) are able to SSH to the cluster CLI without any problems.
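When triaging a trace like the one above, it helps to reduce it to the endpoints that timed out and the directory service that could not be reached. The following Python is an added example, not NetApp code: it joins the wrapped trace lines and extracts those facts. The function names and regular expressions are assumptions based only on the line layout shown in this article, and the sample input is constructed from the article's own output.

```python
import re

# Constructed sample: lines copied from the show-creds trace in this article.
SAMPLE_TRACE = """\
Error: Get user credentials procedure failed
  [  5725] Failed to initiate Kerberos authentication. Trying NTLM.
  [  7726] TCP connection to ip 10.1.1.1, port 389 failed:
           Operation timed out.
  [ 10032] TCP connection to ip 10.2.2.2, port 389 failed:
           Operation timed out.
  [ 12439] TCP connection to ip 10.3.3.3, port 389 failed:
           Operation timed out.
  [ 15005] TCP connection to ip 10.4.4.4, port 389 failed:
           Operation timed out.

**[ 15006] FAILURE: Unable to make a connection (LDAP (Active
**         Directory):blrlab.local), result: 6942
"""

# Assumed layout: "  [ n] text" for normal entries, "**[ n] text" for failures.
ENTRY = re.compile(r"^(\*\*|  )\[\s*(\d+)\]\s?(.*)$")
TCP_FAIL = re.compile(r"TCP connection to ip (\S+), port (\d+) failed: (.+)")
CONN_FAIL = re.compile(
    r"FAILURE: Unable to make a connection \((.+):(\S+)\), result: (\d+)")

def parse_entries(trace):
    """Join wrapped continuation lines into (stamp, is_failure, message) tuples."""
    entries = []
    for line in trace.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([int(m.group(2)), m.group(1) == "**", m.group(3).strip()])
        elif entries and line.strip() and line.strip() != "...":
            # Continuation of the previous entry (failure lines repeat the "**").
            entries[-1][2] += " " + line.lstrip("* ").strip()
    return [tuple(e) for e in entries]

def summarize(trace):
    """List endpoints that failed to connect and the service that was unreachable."""
    out = {"unreachable": [], "failed_service": None}
    for _, is_failure, msg in parse_entries(trace):
        tcp = TCP_FAIL.search(msg)
        if tcp:
            out["unreachable"].append(
                (tcp.group(1), int(tcp.group(2)), tcp.group(3).rstrip(".")))
        conn = CONN_FAIL.search(msg)
        if is_failure and conn:
            out["failed_service"] = (conn.group(1), conn.group(2), int(conn.group(3)))
    return out
```

For the sample, `summarize(SAMPLE_TRACE)` reports four endpoints on port 389 that timed out and `LDAP (Active Directory)` for `blrlab.local` as the service that could not be reached.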
