Some SIDs cannot be found in AD and cannot be resolved
Applies to
- Cloud Volumes ONTAP (CVO)
- Active Directory (AD)
- CIFS
- NFS
Issue
- Some SIDs cannot be found in AD and cannot be resolved.
- NFS is not being used on that CVO, but the EMS log shows:
11/1/2022 11:15:07 EAZNACVO01SP-01 ERROR secd.nfsAuth.problem:vserver (svm1) General NFS authorization problem. Error: Get user credentials procedure failed
**[ 5728] FAILURE: Timed out waiting for a LSA connection after 5 seconds
[ 5728] Unable to make a connection (LSA:XX.XXX.XXXXX.COM), result: 7015
[ 5732] Could not find Windows SID 'S-1-5-21-XXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXXX'
- secd log shows many errors like this one:
[kern_secd:info:9554] .------------------------------------------------------------------------------.
[kern_secd:info:9554] | RPC FAILURE: |
[kern_secd:info:9554] | secd_rpc_auth_get_creds has failed |
[kern_secd:info:9554] | Result = 0, RPC Result = 6909 |
[kern_secd:info:9554] | RPC received at Sat Nov 5 15:45:01 2022 |
[kern_secd:info:9554] |------------------------------------------------------------------------------'
[kern_secd:info:9554] Failure Summary:
[kern_secd:info:9554] Error: Get user credentials procedure failed
[kern_secd:info:9554] [ 50 ms] Using a cached connection to XXXXXXX.XX.XX.XXXXX.com
[kern_secd:info:9554] [ 105] Could not find Windows SID 'S-1-5-21-XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX'
[kern_secd:info:9554] **[ 105] FAILURE: Unexpected state: Error 6909 at file:src/utils/secd_cifs_utils.cpp func:lookupSid line:561
[kern_secd:info:9554] **[ 106] FAILURE: Error case not correctly journaled
[kern_secd:info:9554] Details:
- sktrace log shows many errors like this one:
2022-11-10T15:45:35Z 316493109266443 [4:0] NBLADE_Chk: n0xb5888a: src/Protocols/Cifs/Support/Smb2Utils.cpp:1249 rt=7303
2022-11-10T15:45:35Z 316493109270220 [4:0] NBLADE_Chk: n0xb50aea: src/Protocols/Cifs/SmbRequests/Smb2SetInfoCmd.cpp:745 rt=7303
2022-11-10T15:45:35Z 316493109271894 [4:0] NBLADE_Chk: n0xb4e047: src/Protocols/Cifs/SmbRequests/Smb2SetInfoCmd.cpp:243 rt=7303
- There is also an indication that the domain controllers may be overloaded by the number of requests when that specific EMS log entry appears:
| RPC FAILURE: |
| secd_rpc_auth_get_creds has failed |
| Result = 0, RPC Result = 7015 |
| RPC received at Wed Nov 9 15:16:25 2022 |
|------------------------------------------------------------------------------
Failure Summary:
Error: Get user credentials procedure failed
**[ 5487] FAILURE: Timed out waiting for a LSA connection after 5 seconds
[ 5487] Unable to make a connection (LSA:XXXXXXX.XX.XX.XXXXX.com), result: 7015
[ 5491] Could not find Windows SID 'S-1-5-21-XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX'
Details:
| [000.000.011] debug: Worker Thread 34510491136 processing RPC 153:secd_rpc_auth_get_creds(caller: NBLADE_CIFS) with request ID:8924 which sat in the queue for
| [000.000.020] debug: Client IP as found in the request: { in secd_rpc_auth_get_creds_1_svc_secd() at src/authorization/secd_rpc_authorization.cpp:1443 }
| [000.000.027] debug: Setting thread context. VServerId = 3 (name='svm1'), Protocol = CIFS, lifId = 0 { in setThreadContext() at
| [000.000.035] debug: secd_rpc_auth_get_creds_1_svc called with vserverid = 3 { in secd_rpc_auth_get_creds_1_svc_secd() at
| [000.000.039] debug: Getting creds for VserverId: 3 { in secd_rpc_auth_get_creds_1_svc_secd() at src/authorization/secd_rpc_authorization.cpp:1450 }
| [000.000.078] debug: Not a CIFS SID. { in handleCifsFakedSidToName() at src/authorization/secd_cifs_authorization.cpp:813 }
| [000.000.087] debug: Not an NfsV4 SID. { in handleNfsV4SidToName() at src/authorization/secd_cifs_authorization.cpp:1067 }
| [000.000.100] debug: Looking for LSA cache (key: "XX.XXX.XXXXX.com") in vserver 3 { in getConnectionCache() at
| [005.486.707] ERR : Timed out waiting for a LSA connection after 5 seconds { in grab() at src/connection_manager/secd_connection_cache.cpp:111 }
| [005.486.714] ERR : RESULT_ERROR_SECD_CONNECTION_WAIT_TIMEOUT:7015 in grab() at src/connection_manager/secd_connection_cache.cpp:112
| [005.486.731] ERR : RESULT_ERROR_SECD_CONNECTION_WAIT_TIMEOUT:7015 in getConnection() at src/connection_manager/secd_connection_manager.cpp:598
| [005.486.738] ERR : Unable to make a connection (LSA:XXXXXXX.XX.XX.XXXXX.com), result: 7015 { in getConnection() at
| [005.490.363] debug: Vserver's operational state: running { in isVserverRunning() at src/configuration_manager/secd_configuration_manager.cpp:2765 }
| [005.490.383] debug: Logged secd.lsa.noServers to EMS { in logEmsEventForLsaError() at src/utils/secd_ems_utils.cpp:559 }
| [005.490.389] ERR : RESULT_ERROR_SECD_CONNECTION_WAIT_TIMEOUT:7015 in getLsaConnection() at src/connection_manager/secd_connection_manager.cpp:105
| [005.490.394] ERR : RESULT_ERROR_SECD_CONNECTION_WAIT_TIMEOUT:7015 in getNameFromSid() at src/authorization/secd_cifs_authorization.cpp:650
| [005.490.401] info : Could not find Windows SID 'S-1-5-21-XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX' { in getNameFromSid() at
| [005.490.413] ERR : RESULT_ERROR_SECD_CONNECTION_WAIT_TIMEOUT:7015 in secd_rpc_auth_get_creds_1_svc_secd() at src/authorization/secd_rpc_authorization.cpp:155
| [005.490.430] debug: SecD RPC Server sending reply to RPC 153: secd_rpc_auth_get_creds { in secdSendRpcResponse() at src/server/secd_rpc_server.cpp:2153 }
| [005.490.467] ERR : RESULT_ERROR_SECD_CONNECTION_WAIT_TIMEOUT:7015 in getFailureCode() at src/utils/secd_thread_task_journal.cpp:348
| [005.492.747] debug: Vserver's operational state: running { in isVserverRunning() at src/configuration_manager/secd_configuration_manager.cpp:2765 }
| [005.492.765] debug: Logged unhandled NFS auth failure code '7015' to EMS using the EMS_secd_nfsAuth_problem EMS { in logEmsEventWithJournalForNfsAuthError()
- High latency and slow throughput when migrating data due to username mapping on a CIFS share that is shared via NFS. The user mapping and ACL checking overload the LDAP servers.
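The secd excerpts above show two different paths to the same "Could not find Windows SID" message: RPC Result 6909, where the lookup ran over a cached connection, and RPC Result 7015, where no LSA connection was obtained within 5 seconds. The following triage script is an added example, not NetApp code; it groups a secd log by failed RPC and lists which SIDs only ever failed on the timeout path. The function names, host name and SIDs in the sample are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the shape of the secd "Failure Summary" lines shown above.
SAMPLE = """\
[kern_secd:info:9554] | Result = 0, RPC Result = 6909 |
[kern_secd:info:9554] [ 50 ms] Using a cached connection to dc1.example.com
[kern_secd:info:9554] [ 105] Could not find Windows SID 'S-1-5-21-1111-2222-3333-1001'
[kern_secd:info:9554] **[ 105] FAILURE: Unexpected state: Error 6909 at file:src/utils/secd_cifs_utils.cpp func:lookupSid line:561
| Result = 0, RPC Result = 7015 |
**[ 5487] FAILURE: Timed out waiting for a LSA connection after 5 seconds
[ 5491] Could not find Windows SID 'S-1-5-21-1111-2222-3333-1002'
| Result = 0, RPC Result = 7015 |
**[ 5490] FAILURE: Timed out waiting for a LSA connection after 5 seconds
[ 5494] Could not find Windows SID 'S-1-5-21-1111-2222-3333-1001'
"""

RPC_RE = re.compile(r"RPC Result = (\d+)")
SID_RE = re.compile(r"Could not find Windows SID\s*'(S-[0-9A-Za-z-]+)'")
LSA_TIMEOUT_RE = re.compile(r"Timed out waiting for a LSA connection")

def parse_failures(text):
    """Start a new record at each 'RPC Result' line; return one dict per failed RPC."""
    records, cur = [], None
    for line in text.splitlines():
        m = RPC_RE.search(line)
        if m:
            cur = {"rpc_result": int(m.group(1)), "sid": None, "lsa_timeout": False}
            records.append(cur)
        elif cur is not None:
            if LSA_TIMEOUT_RE.search(line):
                cur["lsa_timeout"] = True
            sid = SID_RE.search(line)
            if sid:
                cur["sid"] = sid.group(1)
    return records

def triage(records):
    """Separate SIDs that failed after a lookup from SIDs that only hit LSA timeouts."""
    timed_out = {r["sid"] for r in records if r["lsa_timeout"] and r["sid"]}
    looked_up = {r["sid"] for r in records if not r["lsa_timeout"] and r["sid"]}
    return {
        "by_rpc_result": Counter(r["rpc_result"] for r in records),
        "failed_after_lookup": sorted(looked_up),
        "timeout_only": sorted(timed_out - looked_up),
    }

if __name__ == "__main__":
    print(triage(parse_failures(SAMPLE)))
```

SIDs under timeout_only were never actually queried against a domain controller in the captured window, so they say nothing about whether the account exists in AD.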