CONTAP-155703: SecD becoming unresponsive due to socket leak on port 389
Issue
- In certain rare conditions, the Security Daemon (SecD) might become unresponsive because leaked sockets for LDAP StartTLS connections on port 389 exhaust the file descriptors available to it.
- This issue is seen only when multiple CIFS trusted domains are being discovered.
- Not all CIFS shares in a trusted-domain environment can be accessed. The trusted domains the SVM has discovered can be listed with:
  ::> cifs domain trusts show -vserver SVM
- EMS logs:
  [node-01: secd: secd.cifsAuth.problem:error]: vserver (<vserver_name>) General CIFS authentication problem. Error: User authentication procedure failed
  CIFS SMB2 Share mapping - Client Ip = 1.22.333.444
  [ 0 ms] Login attempt by domain user 'domain\user' using NTLMv2 style security
  [ 0] Unable to connect to NetLogon service on domain.com (Error: RESULT_ERROR_SPINCLIENT_SOCKET_CONNECT_ERROR)
  [ 0] No servers available for MS_NETLOGON, vserver: 8, domain: dom.com
  ** [ 0] FAILURE: Unable to make a connection (NetLogon:DOMAIN.COM), Result: RESULT_ERROR_SECD_NO_SERVER_AVAILABLE
  [ 0] CIFS authentication failed
- SecD logs:
  Failed to open file: /mroot/etc/cluster_config/vserver/.vserver_<number>/config/name_services//etc/resolv.conf. Error: Too many open files
  ERR : Error!!! Socket Error: Too many open files { in DisplayPerror() at src/Support/CustomErrors.cpp:56 }
  ERR : ldapSaslBindGssapi: Kerberos Error: 'Too many open files'
- Other symptoms in EMS:
  secd.dns.srv.lookup.failed: DNS server failed to look up service (_ldap._tcp.dc._msdcs.ds.domain.com) for vserver (<SVM>) with error (No such process)
  secd.dns.srv.lookup.failed:error]: DNS server failed to look up service (_ldap._tcp.domain._sites.corp.domain.com) for vserver (SVM_ontap) with error (Too many open files).
  Failed to create RPC client handle to MGWD: 127.0.0.1: RPC: Remote address unknown
  Unable to connect to NetLogon service on <domain controller> (Error: RESULT_ERROR_SECD_COULD_NOT_CREATE_RPC_HANDLE_TO_MGWD)
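The NetLogon and DNS failure codes above also appear when a domain controller is simply unreachable; what distinguishes this bug is the "Too many open files" (EMFILE) text appearing alongside them. The following Python triage script is an added example, not NetApp code: it scans a batch of EMS / SecD log lines for the indicators quoted on this page and reports whether the descriptor-exhaustion signature is present. The sample log lines are constructed from the page's fragments; node, vserver, domain and IP values in them are placeholders.

```python
"""Log triage for the SecD file-descriptor exhaustion signature.

Added example, not NetApp code. Sample log lines are constructed from the
message fragments quoted on this page; node, vserver, domain and IP values
are placeholders.
"""
import re
from collections import Counter

# One regex per indicator quoted on the page. "Too many open files" is the
# libc strerror text for EMFILE, so it is the discriminating indicator: the
# other codes also occur when a domain controller is simply unreachable.
INDICATORS = {
    "emfile": re.compile(r"Too many open files"),
    "socket_connect": re.compile(r"RESULT_ERROR_SPINCLIENT_SOCKET_CONNECT_ERROR"),
    "no_server": re.compile(r"RESULT_ERROR_SECD_NO_SERVER_AVAILABLE"),
    "mgwd_rpc": re.compile(r"RESULT_ERROR_SECD_COULD_NOT_CREATE_RPC_HANDLE_TO_MGWD"),
    "srv_lookup": re.compile(r"secd\.dns\.srv\.lookup\.failed"),
}
CONNECTION_FAILURES = ("socket_connect", "no_server", "mgwd_rpc", "srv_lookup")


def classify(lines):
    """Count how many lines carry each indicator (a line may carry several)."""
    counts = Counter()
    for line in lines:
        for tag, pattern in INDICATORS.items():
            if pattern.search(line):
                counts[tag] += 1
    return counts


def matches_fd_leak_signature(lines):
    """True only when EMFILE text is present together with at least one
    SecD connection failure; connection failures alone are not enough."""
    counts = classify(lines)
    failures = sum(counts[tag] for tag in CONNECTION_FAILURES)
    return counts["emfile"] > 0 and failures > 0


def triage(lines):
    """Return (verdict, indicator counts) for a batch of log lines."""
    if matches_fd_leak_signature(lines):
        verdict = "fd-exhaustion signature"
    else:
        verdict = "no EMFILE indicator"
    return verdict, dict(classify(lines))


# Constructed sample: the socket-leak case, assembled from the messages on this page.
LEAK_SAMPLE = [
    "[node-01: secd: secd.cifsAuth.problem:error]: vserver (svm1) General CIFS "
    "authentication problem. Error: User authentication procedure failed",
    "[ 0] Unable to connect to NetLogon service on domain.com "
    "(Error: RESULT_ERROR_SPINCLIENT_SOCKET_CONNECT_ERROR)",
    "** [ 0] FAILURE: Unable to make a connection (NetLogon:DOMAIN.COM), "
    "Result: RESULT_ERROR_SECD_NO_SERVER_AVAILABLE",
    "Failed to open file: /mroot/etc/cluster_config/vserver/.vserver_<number>/config/"
    "name_services//etc/resolv.conf. Error: Too many open files",
    "ERR : Error!!! Socket Error: Too many open files "
    "{ in DisplayPerror() at src/Support/CustomErrors.cpp:56 }",
    "ERR : ldapSaslBindGssapi: Kerberos Error: 'Too many open files'",
    "secd.dns.srv.lookup.failed:error]: DNS server failed to look up service "
    "(_ldap._tcp.dc._msdcs.domain.com) for vserver (svm1) with error (Too many open files).",
    "Unable to connect to NetLogon service on dc01.domain.com "
    "(Error: RESULT_ERROR_SECD_COULD_NOT_CREATE_RPC_HANDLE_TO_MGWD)",
]

# Constructed control: the same NetLogon failure codes with no EMFILE text,
# which is what an ordinary unreachable domain controller looks like.
DC_DOWN_SAMPLE = [
    "[ 0] Unable to connect to NetLogon service on domain.com "
    "(Error: RESULT_ERROR_SPINCLIENT_SOCKET_CONNECT_ERROR)",
    "** [ 0] FAILURE: Unable to make a connection (NetLogon:DOMAIN.COM), "
    "Result: RESULT_ERROR_SECD_NO_SERVER_AVAILABLE",
    "[ 0] CIFS authentication failed",
]


if __name__ == "__main__":
    for name, sample in (("leak", LEAK_SAMPLE), ("dc-down", DC_DOWN_SAMPLE)):
        verdict, counts = triage(sample)
        print(f"{name}: {verdict} {counts}")
```

The control sample matters: a batch that shows RESULT_ERROR_SECD_NO_SERVER_AVAILABLE without any "Too many open files" line should be treated as a connectivity or DNS problem, not as this bug.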