Cannot change security encryption types on a vserver error: LDAP attribute missing
Applies to
- ONTAP 9
- CIFS/SMB
- Active Directory (AD)
- Encryption
Issue
- Changing advertised encryption on a vserver is failing:
::*> vserver cifs security modify -vserver svm1 -advertised-enc-types rc4,des,aes-128,aes-256
Error: command failed: Password update failed. Reason: SecD Error: LDAP attribute missing.
SECD Logs:
[kern_secd:info:14581] Failure Summary:
[kern_secd:info:14581] Error: CIFS server password reset procedure failed
[kern_secd:info:14581] [ 6 ms] Successfully connected to ip 10.174.20.5, port 636 using TCP
[kern_secd:info:14581] **[ 189] FAILURE: Unexpected state: Error 7054 at file:src/utils/secd_ldap_utils.cpp func:getLdapValueLen line:464
[kern_secd:info:14581] **[ 189] FAILURE: Error case not correctly journaled
[kern_secd:info:14581] Details:
[kern_secd:info:15488] | [000.041.119] debug: Successfully authenticated over LDAP with dc.domain.com { in connect() at src/connection_manager/secd_connection.cpp:2650 }
[kern_secd:info:15488] | [000.041.129] debug: Connected to new LDAP (Active Directory) service on dc.domain.com { in makeConnectionAttempt() at src/connection_manager/secd_connection_manager.cpp:1048 }
[kern_secd:info:15488] | [000.041.227] debug: Searching LDAP for the "distinguishedName, msDS-SupportedEncryptionTypes" attribute(s) within base "dc=domain,dc=com" (scope: 2) using filter: (&(sAMAccountName=SVM1$)) { in searchLdap() at src/utils/secd_ldap_utils.cpp:324 }
[kern_secd:info:15488] | [000.042.968] ERR : RESULT_ERROR_SECD_LDAP_ATTRIBUTE_MISSING:7054 in getLdapValueLen() at src/utils/secd_ldap_utils.cpp:464
[kern_secd:info:15488] | [000.042.977] ERR : LDAP returned 0 results for attribute msDS-SupportedEncryptionTypes
[kern_secd:info:15488] | [000.042.985] ERR : RESULT_ERROR_SECD_LDAP_ATTRIBUTE_MISSING:7054 in adGetAccountEncryptionType() at src/utils/secd_ad_utils.cpp:3574
[kern_secd:info:15488] | [000.042.992] ERR : RESULT_ERROR_SECD_LDAP_ATTRIBUTE_MISSING:7054 in getLdapConnToSetEtypeAttr() at src/domain_services/secd_domain_services.cpp:1821
[kern_secd:info:15488] | [000.042.997] ERR : RESULT_ERROR_SECD_LDAP_ATTRIBUTE_MISSING:7054 in secd_rpc_ad_change_password_1_svc_secd() at src/domain_services/secd_domain_services.cpp:1889
- Other vservers can modify their encryption with no issues
- When checking the value in PowerShell on the AD server, no value is returned:
PS> Get-ADComputer <CIFS_Server_NetBIOS_Name> -properties * | select msDS-SupportedEncryptionTypes
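The SecD trace shown above can be triaged mechanically. The following is an added example, not NetApp code, that extracts the queried machine account, the attribute LDAP did not return, and the failing call chain. The function name `triage_secd` and the regular expressions are assumptions derived only from the line format visible in this article.

```python
import re

# Log lines copied from the SecD trace in this article.
SAMPLE_LOG = r'''
[kern_secd:info:15488] | [000.041.227] debug: Searching LDAP for the "distinguishedName, msDS-SupportedEncryptionTypes" attribute(s) within base "dc=domain,dc=com" (scope: 2) using filter: (&(sAMAccountName=SVM1$)) { in searchLdap() at src/utils/secd_ldap_utils.cpp:324 }
[kern_secd:info:15488] | [000.042.968] ERR : RESULT_ERROR_SECD_LDAP_ATTRIBUTE_MISSING:7054 in getLdapValueLen() at src/utils/secd_ldap_utils.cpp:464
[kern_secd:info:15488] | [000.042.977] ERR : LDAP returned 0 results for attribute msDS-SupportedEncryptionTypes
[kern_secd:info:15488] | [000.042.985] ERR : RESULT_ERROR_SECD_LDAP_ATTRIBUTE_MISSING:7054 in adGetAccountEncryptionType() at src/utils/secd_ad_utils.cpp:3574
[kern_secd:info:15488] | [000.042.992] ERR : RESULT_ERROR_SECD_LDAP_ATTRIBUTE_MISSING:7054 in getLdapConnToSetEtypeAttr() at src/domain_services/secd_domain_services.cpp:1821
[kern_secd:info:15488] | [000.042.997] ERR : RESULT_ERROR_SECD_LDAP_ATTRIBUTE_MISSING:7054 in secd_rpc_ad_change_password_1_svc_secd() at src/domain_services/secd_domain_services.cpp:1889
'''

# Patterns assumed from the line format above (not a documented SecD grammar).
SEARCH_RE = re.compile(r'Searching LDAP for the "([^"]+)" attribute\(s\) '
                       r'within base "([^"]+)".*?using filter: (\S+) \{')
ACCOUNT_RE = re.compile(r'sAMAccountName=([^)]+)\)')
MISSING_RE = re.compile(r'ERR : LDAP returned 0 results for attribute (\S+)')
ERR_RE = re.compile(r'ERR : (RESULT_ERROR_\w+):(\d+) in (\w+)\(\)')

def triage_secd(log_text):
    """Summarise an LDAP attribute failure from a SecD trace."""
    out = {"account": None, "base": None, "requested": [],
           "missing": [], "call_chain": [], "codes": set()}
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if m:  # the LDAP query SecD issued for the machine account
            out["requested"] = [a.strip() for a in m.group(1).split(",")]
            out["base"] = m.group(2)
            acct = ACCOUNT_RE.search(m.group(3))
            out["account"] = acct.group(1) if acct else None
            continue
        m = MISSING_RE.search(line)
        if m:  # attribute that came back with zero values
            out["missing"].append(m.group(1))
            continue
        m = ERR_RE.search(line)
        if m:  # error propagating outwards, innermost function first
            out["codes"].add((m.group(1), int(m.group(2))))
            out["call_chain"].append(m.group(3))
    return out

if __name__ == "__main__":
    summary = triage_secd(SAMPLE_LOG)
    print("account:", summary["account"], "| missing:", summary["missing"])
    print("call chain:", " -> ".join(summary["call_chain"]))
```
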