Skip to main content
NetApp Knowledge Base

Failed to enable LDAP session security in a disjoint namespace

  1. Last updated
  2. Save as PDF
Views:
80
Visibility:
Public
Votes:
0
Category:
ontap-9
Specialty:
nas
Last Updated:

Applies to

  • ONTAP 9
  • CIFS
  • Disjoint namespace

Issue

  • SVM joined to AD domain in disjoint namespace
  • Cannot enable AES encryption for Kerberos as password reset fails:

::> vserver cifs security modify -vserver svm1 -is-aes-encryption-enabled true
Error: command failed: Password update failed. Reason: SecD Error: no server available.

  • AD-LDAP connections fail after enabling signing and/or sealing for Client session in vserver cifs security

cluster2::> vserver cifs security show -vserver svm1

Vserver: svm1

                            Kerberos Clock Skew:                   5 minutes
                            Kerberos Ticket Age:                  10 hours
                           Kerberos Renewal Age:                   7 days
                           Kerberos KDC Timeout:                   3 seconds
                            Is Signing Required:               false
                Is Password Complexity Required:                true
           Use start_tls for AD LDAP connection:               false
         (DEPRECATED)-Is AES Encryption Enabled:                true
                         LM Compatibility Level:  lm-ntlm-ntlmv2-krb
                     Is SMB Encryption Required:               false
                        Client Session Security:                sign
   (DEPRECATED)-SMB1 Enabled for DC Connections:               false
                SMB2 Enabled for DC Connections:      system-default
  LDAP Referral Enabled For AD LDAP connections:               false
               Use LDAPS for AD LDAP connection:               false
      Encryption is required for DC Connections:               false
   AES session key enabled for NetLogon channel:               false
    Try Channel Binding For AD LDAP Connections:                true
        Encryption Types Advertised to Kerberos:
                                          aes-256, aes-128, rc4, des

  • EMS logs will contain secd.conn.auth.failure errors
  • SecD logs may contain following entries:

Rcode received from the DNS server(10.11.12.13): 0 when querying 14.12.11.10.in-addr.arpa
Getting credentials SVM1$@SUB.DOMAIN.COM -> ldap/ad1.domain.com@
Retrying SVM1$@SUB.DOMAIN.COM -> ldap/ad1.domain.com@SUB.DOMAIN.COM with result: -1765328243/Matching credential not found
TGS request result: -1765328377/Server not found in Kerberos database
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.