NetApp Knowledge Base

SSH to cluster CLI using users from CIFS server's trusted domain fails

Category:
ontap-9
Specialty:
nas

Applies to

  • ONTAP 9 
  • CIFS domain-tunnel
  • SSH

Issue

  • The CIFS server belongs to the NASLAB.LOCAL domain:

::> cifs show -instance
                                          Vserver: vs1
                         CIFS Server NetBIOS Name: VS1
                    NetBIOS Domain/Workgroup Name: NASLAB
                      Fully Qualified Domain Name: NASLAB.LOCAL
                              Organizational Unit: CN=Computers
                             Authentication Style: domain
                CIFS Server Administrative Status: up

  • A domain-tunnel is created with SVM vs1:

::> security login domain-tunnel show
Tunnel Vserver: vs1

  • Users from the trusted domain (BLRLAB) are not able to SSH to the cluster CLI.
  • Fetching credentials for a user from the trusted domain fails:

::> set adv

Warning: These advanced commands are potentially dangerous; use them only when directed to do so by NetApp personnel.
Do you want to continue? {y|n}: y


::*> vserver services access-check authentication show-creds -node node1 -vserver vs1 -win-name blrlab\user1
Vserver: vs1 (internal ID: 6)
Error: Get user credentials procedure failed
  ...
           (KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)
  [  5725] Failed to initiate Kerberos authentication. Trying NTLM.
  [  7726] TCP connection to ip 10.1.1.1, port 389 failed:
           Operation timed out.
  [ 10032] TCP connection to ip 10.2.2.2, port 389 failed:
           Operation timed out.
  [ 12439] TCP connection to ip 10.3.3.3, port 389 failed:
           Operation timed out.
  [ 15005] TCP connection to ip 10.4.4.4, port 389 failed:
           Operation timed out.

**[ 15006] FAILURE: Unable to make a connection (LDAP (Active
**         Directory):blrlab.local), result: 6942
  [ 15006] Could not get credentials via LDAP for Windows user
           '435970-a' based on SID
           'S-1-5-21-2573208799-187067640-1722879566-575467'
  [ 15006] Could not get credentials for Windows user 'user1' or
           '435970-a' based on SID
           'S-1-5-21-2573208799-187067640-1722879566-575467'
  [ 15006] Could not get credentials for Windows user 'user1' or
           SID 'S-1-5-21-2573208799-187067640-1722879566-575467'

NOTE: Users from the same domain (NASLAB) are able to SSH to the cluster CLI without any problems.
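
A small triage helper for the show-creds trace above, added here as an example (not NetApp's code): it joins the wrapped trace lines and reports the Kerberos error, the NTLM fallback, the LDAP servers that timed out and the domain named in the FAILURE line. The sample input is a subset of the article's own output, and the function names are hypothetical.

```python
import re

# Constructed sample: a subset of the trace lines from the show-creds output above.
SAMPLE_TRACE = """\
           (KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)
  [  5725] Failed to initiate Kerberos authentication. Trying NTLM.
  [  7726] TCP connection to ip 10.1.1.1, port 389 failed:
           Operation timed out.
  [ 10032] TCP connection to ip 10.2.2.2, port 389 failed:
           Operation timed out.

**[ 15006] FAILURE: Unable to make a connection (LDAP (Active
**         Directory):blrlab.local), result: 6942
  [ 15006] Could not get credentials for Windows user 'user1' or
           SID 'S-1-5-21-2573208799-187067640-1722879566-575467'
"""

ENTRY = re.compile(r"^(\*\*|  )\[\s*(\d+)\]\s*(.*)$")
TCP_FAIL = re.compile(r"TCP connection to ip ([\d.]+), port (\d+) failed: (.+?)\.?$")
LDAP_FAIL = re.compile(r"\(LDAP \(Active Directory\):([^)]+)\), result: (\d+)")

def parse_trace(text):
    """Join wrapped lines (indent and '**' marker dropped) into [offset, is_failure, message]."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([int(m.group(2)), m.group(1) == "**", m.group(3)])
        elif entries and line.strip("* "):
            entries[-1][2] += " " + line.strip("* ")
    return entries

def summarize(text):
    """Report which stage of the credential lookup failed and against what."""
    out = {"kerberos_errors": re.findall(r"KRB5\w+", text), "ntlm_fallback": False,
           "unreachable": [], "failed_domain": None, "result": None}
    for _offset, is_failure, msg in parse_trace(text):
        out["ntlm_fallback"] |= "Trying NTLM" in msg
        tcp = TCP_FAIL.search(msg)
        if tcp:
            out["unreachable"].append((tcp.group(1), int(tcp.group(2)), tcp.group(3)))
        ldap = LDAP_FAIL.search(msg) if is_failure else None
        if ldap:
            out["failed_domain"], out["result"] = ldap.group(1), int(ldap.group(2))
    return out

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```
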
