Skip to main content
NetApp Knowledge Base

Domain user fails to login cluster with Domain-Tunnel

Views:
451
Visibility:
Public
Votes:
0
Category:
ontap-9
Specialty:
nas
Last Updated:

Applies to

  • ONTAP 9
  • Domain Tunnel
  • Kerberos
  • NTLM
  • Active Directory (AD)

Issue

  • EMS Log: Fail to authenticate login attempt to Vserver
[?]  Sun Jan 21 19:47:13 -0700 [slc-prod-cluster2-01: mgwd: useradmin.added.deleted:info]: The user 'CORP\domain_account' has been deleted.
[?]  Sun Jan 21 19:47:58 -0700 [slc-prod-cluster2-01: mgwd: useradmin.added.deleted:info]: The user 'corp\domain_account' has been added.
[?]  Sun Jan 21 19:49:46 -0700 [slc-prod-cluster2-01: mgwd: security.invalid.login:alert]: Failed to authenticate login attempt to Vserver: slc-prod-cluster2, username: pii_encrypt/uK42fNcKIUsl+DKhHvT3Njwg+PLkEO0XU6BJiVqvRAziA2VSN4OfEysfBlitRjlb/pii_encrypt, application: ssh.
[?]  Sun Jan 21 19:49:50 -0700 [slc-prod-cluster2-01: sshd: sshd.auth.loginDenied:notice]: params: {'message': 'Failed keyboard-interactive / pam for CORP\\domain_account from IP port 51416 ssh2  '}
  • Mgwd log: DC authentication rejected due to 0xC0000070(STATUS_INVALID_WORKSTATION)
00000008.006bf6c5 024f5a46 Sun Jan 21 2024 19:49:46 -07:00 [kern_mgwd:info:3156] 0x820b91300: 0: ERR: PAM::DOMAIN: src/pam/pam_domain_auth.cc : pam_sm_authenticate : pam_domain_auth: Authentication rejected for user CORP\domain_account. DC Returned 0xc0000070
00000008.006bf6c7 024f5a46 Sun Jan 21 2024 19:49:46 -07:00 [kern_mgwd:info:3156] 0x820b91300: 0: ERR: PAM::DOMAIN: pam_sm_authenticate : Found PAM failed
00000008.006bf6c8 024f5a46 Sun Jan 21 2024 19:49:46 -07:00 [kern_mgwd:info:3156] Error: PAM failed to authenticate user 'cii_encrypt/uK42fNcKIUsl+DKhHvT3NmIwXnnNmYpu0QMG9M4CQZs=/cii_encrypt\pii_encrypt/uK42fNcKIUsl+DKhHvT3NhUzNLNZziKlhU6i1V3A8h0kJlpfAh55q6iccxbcrizu/pii_encrypt', application 'ssh', vserver 4294967295: Authentication failure
  • Fails to initiate Kerberos authentication. And then try NTLM.
00000008.007c288b 02ab0f84 Sun Jan 28 2024 18:47:07 -07:00 [kern_secd:info:15485] | [000.009.132]  warn :  No matching EMS message for Kerberos error: KDC has no support for encryption type (KRB5KDC_ERR_ETYPE_NOSUPP)  { in logEmsEventForKrbError() at src/utils/secd_ems_utils.cpp:338 }
00000008.007c288c 02ab0f84 Sun Jan 28 2024 18:47:07 -07:00 [kern_secd:info:15485] | [000.009.142]  info :  KDC has no support for encryption type (KRB5KDC_ERR_ETYPE_NOSUPP)
00000008.007c288d 02ab0f84 Sun Jan 28 2024 18:47:07 -07:00 [kern_secd:info:15485] | [000.009.174]  ERR  :  RESULT_ERROR_SECLIB_GSSAPI_NO_SERVER_CREDS:7129 in start() at src/GssapiCtx.cpp:653
00000008.007c288e 02ab0f84 Sun Jan 28 2024 18:47:07 -07:00 [kern_secd:info:15485] | [000.009.180]  info :  Failed to initiate Kerberos authentication. Trying NTLM.
00000008.007c288f 02ab0f84 Sun Jan 28 2024 18:47:07 -07:00 [kern_secd:info:15485] | [000.010.084]  ERR  :  Encountered NT error (NT_STATUS_MORE_PROCESSING_REQUIRED) for SMB command SessionSetup  { in LogNtStatusCode() at src/Commands/Commands.cpp:589 }

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.