Cannot modify CIFS server's AD object because KRB5_KDC_UNREACH
Applies to
- ONTAP
- CIFS
- Active Directory
- Kerberos
Issue
- Active Directory was used to change the password of the CIFS server's machine account, instead of an ONTAP CLI command such as cifs password-reset
- This leaves the CIFS server's password stored in ONTAP out of sync with the one in AD, so ONTAP can no longer authenticate to AD and CIFS clients cannot access files
- When attempting to synchronize the password by using a cifs modify command to recreate the machine account, the creation of the new machine account succeeds, but the setting of the new password fails:

    ::> cifs modify -vserver svm1 -cifs-server svm01

    5/30/2024 16:58:58 node-1 ERROR secd.unexpectedFailure: Unexpected SecD failure in Vserver "svm1". Details: Error: Machine account creation procedure failed
    [ 11] Loaded the preliminary configuration.
    [ 72] Created a machine account in the domain
    [ 73] SID to name translations of Domain Users and Admins completed successfully
    [ 75] Modified account 'cn=one,OU=two,OU=three,DC=local'
    [ 76] Successfully connected to ip x.x.x.x, port 88 using TCP
    [ 2079] TCP connection to ip y.y.y.y, port 464 failed: Operation timed out.
    [ 6114] TCP connection to ip a.a.a.a, port 464 failed: Operation timed out.
    [ 8116] TCP connection to ip b.b.b.b, port 464 failed: Operation timed out.
    [ 34171] FAILURE: Kerberos password set for 'svm01$@domain.LOCAL' failed with Cannot contact any KDC for requested realm (KRB5_KDC_UNREACH)
    [ 34171] Retry requested, but the retry window (7000 ms) has expired; giving up.
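The trace above already shows where the failure sits: the connection on port 88 succeeds, while every attempt on port 464 times out. The following Python sketch is an added example, not NetApp tooling or part of the original article; it groups the connection entries of such a trace by port and reports any service for which no attempt succeeded. The function names, the regular expression and the embedded sample are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: connection entries taken from the trace above (FAILURE line
# shortened), with the page's placeholder addresses kept as they appear.
SAMPLE_TRACE = """\
[ 76] Successfully connected to ip x.x.x.x, port 88 using TCP
[ 2079] TCP connection to ip y.y.y.y, port 464 failed: Operation timed out.
[ 6114] TCP connection to ip a.a.a.a, port 464 failed: Operation timed out.
[ 8116] TCP connection to ip b.b.b.b, port 464 failed: Operation timed out.
[ 34171] FAILURE: Kerberos password set for 'svm01$@domain.LOCAL' failed
"""

# Standard Kerberos ports: 88 = KDC (tickets), 464 = kpasswd (password set/change).
SERVICES = {88: "kerberos-kdc", 464: "kpasswd"}

# One pattern for both entry kinds; "reason" is only present on failed attempts.
# finditer() is used so the trace parses even when the console wrapped it onto one line.
CONN_RE = re.compile(
    r"\[\s*\d+\]\s+(?:Successfully connected|TCP connection) to ip (?P<ip>\S+), "
    r"port (?P<port>\d+)(?: failed: (?P<reason>[^.\[]+))?"
)


def summarize_trace(trace):
    """Return {port: {"ok": [ip, ...], "failed": [(ip, reason), ...]}}."""
    result = defaultdict(lambda: {"ok": [], "failed": []})
    for m in CONN_RE.finditer(trace):
        entry = result[int(m["port"])]
        if m["reason"]:
            entry["failed"].append((m["ip"], m["reason"].strip()))
        else:
            entry["ok"].append(m["ip"])
    return dict(result)


def diagnose(trace):
    """List services for which every connection attempt in the trace failed."""
    findings = []
    for port, entry in sorted(summarize_trace(trace).items()):
        if entry["failed"] and not entry["ok"]:
            name = SERVICES.get(port, "unknown")
            findings.append(f"{name} (TCP {port}): {len(entry['failed'])} attempts, none succeeded")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_TRACE):
        print(finding)
```

For the trace in this article the only finding is kpasswd on TCP 464, which matches the point at which the password set gives up with KRB5_KDC_UNREACH.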