Failed to enable LDAP session security in a disjoint namespace
Applies to
- ONTAP 9
- CIFS
- Disjoint namespace
Issue
- SVM joined to AD domain in disjoint namespace
- Cannot enable AES encryption for Kerberos because the password reset fails:
::> vserver cifs security modify -vserver svm1 -is-aes-encryption-enabled true
Error: command failed: Password update failed. Reason: SecD Error: no server available.
- AD-LDAP connections fail after Client Session Security is set to sign or seal in vserver cifs security
cluster2::> vserver cifs security show -vserver svm1
Vserver: svm1
Kerberos Clock Skew: 5 minutes
Kerberos Ticket Age: 10 hours
Kerberos Renewal Age: 7 days
Kerberos KDC Timeout: 3 seconds
Is Signing Required: false
Is Password Complexity Required: true
Use start_tls for AD LDAP connection: false
(DEPRECATED)-Is AES Encryption Enabled: true
LM Compatibility Level: lm-ntlm-ntlmv2-krb
Is SMB Encryption Required: false
Client Session Security: sign
(DEPRECATED)-SMB1 Enabled for DC Connections: false
SMB2 Enabled for DC Connections: system-default
LDAP Referral Enabled For AD LDAP connections: false
Use LDAPS for AD LDAP connection: false
Encryption is required for DC Connections: false
AES session key enabled for NetLogon channel: false
Try Channel Binding For AD LDAP Connections: true
Encryption Types Advertised to Kerberos:
aes-256, aes-128, rc4, des
- EMS logs will contain secd.conn.auth.failure errors
- SecD logs may contain the following entries:
Rcode received from the DNS server(10.11.12.13): 0 when querying 14.12.11.10.in-addr.arpa
Getting credentials SVM1$@SUB.DOMAIN.COM -> ldap/ad1.domain.com@
Retrying SVM1$@SUB.DOMAIN.COM -> ldap/ad1.domain.com@SUB.DOMAIN.COM with result: -1765328243/Matching credential not found
TGS request result: -1765328377/Server not found in Kerberos database
GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
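The SecD entries above show the pattern that identifies this condition: the reverse DNS lookup succeeds, SecD builds an LDAP service principal from the DC's DNS name (ad1.domain.com) under the SVM's realm (SUB.DOMAIN.COM), and the KDC answers "Server not found in Kerberos database". The DNS suffix of the DC (domain.com) is not the AD domain (sub.domain.com), which is what "disjoint namespace" means. The following is an added triage script, not NetApp code and not part of this article; it parses SecD lines of the shape shown above, extracts the principals involved, and flags the suffix/realm mismatch. The sample input is a copy of the log lines from this article, and the regular expressions assume the exact line shapes seen here.

```python
"""Triage helper for the SecD Kerberos/LDAP failure pattern in a disjoint namespace.

Added example (not NetApp code). Parses SecD log lines such as the ones in this
article, extracts the client principal and the LDAP SPN SecD requested a ticket
for, and flags a disjoint namespace: the DC's DNS suffix differs from the
Kerberos realm (the AD domain name).
"""
import re

# Sample input: the SecD log lines quoted in this article (copied here as test data).
SECD_LOG = """\
Rcode received from the DNS server(10.11.12.13): 0 when querying 14.12.11.10.in-addr.arpa
Getting credentials SVM1$@SUB.DOMAIN.COM -> ldap/ad1.domain.com@
Retrying SVM1$@SUB.DOMAIN.COM -> ldap/ad1.domain.com@SUB.DOMAIN.COM with result: -1765328243/Matching credential not found
TGS request result: -1765328377/Server not found in Kerberos database
GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
"""

# "SVM1$@SUB.DOMAIN.COM -> ldap/ad1.domain.com@SUB.DOMAIN.COM" (realm may be empty)
SPN_RE = re.compile(
    r"(?P<client>\S+?)@(?P<client_realm>\S+)\s+->\s+"
    r"(?P<service>[A-Za-z]+)/(?P<host>[^@\s]+)@(?P<spn_realm>\S*)"
)
# "TGS request result: -1765328377/Server not found in Kerberos database"
TGS_RE = re.compile(r"TGS request result:\s*(?P<code>-?\d+)/(?P<msg>.+)")
# "Rcode received from the DNS server(10.11.12.13): 0 when querying 14.12.11.10.in-addr.arpa"
DNS_RE = re.compile(r"DNS server\((?P<server>[^)]+)\): (?P<rcode>\d+) when querying (?P<name>\S+)")


def dns_suffix(fqdn: str) -> str:
    """Return the DNS domain of a host FQDN (everything after the first label), lower-cased."""
    return fqdn.split(".", 1)[1].lower() if "." in fqdn else ""


def is_disjoint_namespace(host_fqdn: str, realm: str) -> bool:
    """True when the host's DNS suffix is not the Kerberos realm (AD domain)."""
    return dns_suffix(host_fqdn) != realm.lower()


def triage(log_text: str) -> dict:
    """Walk SecD lines and collect the facts needed to recognise the failure."""
    summary = {
        "client_principal": None,
        "target_spn": None,          # last SPN SecD requested a ticket for
        "spn_realms_tried": [],      # "" means SecD first tried with no realm
        "tgs_error_code": None,
        "spn_not_found": False,
        "ptr_lookup_noerror": None,  # DNS RCODE 0 is NOERROR
        "disjoint_namespace": None,
    }
    for line in log_text.splitlines():
        m = DNS_RE.search(line)
        if m:
            summary["ptr_lookup_noerror"] = m["rcode"] == "0"
            continue
        m = SPN_RE.search(line)
        if m:
            summary["client_principal"] = f"{m['client']}@{m['client_realm']}"
            summary["target_spn"] = f"{m['service']}/{m['host']}@{m['spn_realm']}"
            summary["spn_realms_tried"].append(m["spn_realm"])
            summary["disjoint_namespace"] = is_disjoint_namespace(m["host"], m["client_realm"])
            continue
        m = TGS_RE.search(line)
        if m:
            summary["tgs_error_code"] = int(m["code"])
            summary["spn_not_found"] = "Server not found in Kerberos database" in m["msg"]
    return summary


def findings(summary: dict) -> list:
    """Turn the collected facts into short, reviewable statements."""
    out = []
    if summary["ptr_lookup_noerror"] and summary["spn_realms_tried"][:1] == [""]:
        out.append("reverse DNS lookup succeeded; SecD first built the SPN without a realm")
    if summary["disjoint_namespace"]:
        out.append("DC DNS suffix differs from realm of %s: disjoint namespace"
                   % summary["client_principal"])
    if summary["spn_not_found"]:
        out.append("KDC did not find SPN %s (TGS result %d)"
                   % (summary["target_spn"], summary["tgs_error_code"]))
    return out


if __name__ == "__main__":
    for item in findings(triage(SECD_LOG)):
        print("-", item)
```

Run it against a SecD log excerpt from the affected SVM; when `disjoint_namespace` is True and the TGS result is "Server not found in Kerberos database", the log matches the pattern this article describes rather than a generic connectivity or clock-skew problem.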