NetApp Knowledge Base

Machine account creation fails when using Channel Binding for AD LDAP Connection

Category:
ontap-9
Specialty:
NAS

Applies to

  • ONTAP 9.10.1 and onwards
  • Active Directory LDAP
  • CIFS server
  • LDAP channel binding

Issue

  • Machine account creation fails with an LDAP "Local error" when Channel Binding is used for the AD LDAP connection:
cluster1::> vserver active-directory create -account-name svm1 -domain ntap.local -ou OU=test,OU=netapp -vserver svm1
 
In order to create an Active Directory machine account, you must supply the name and password of a Windows account with sufficient privileges to add computers to the "OU=test,OU=netapp" container within the "NTAP.LOCAL" domain.
Enter the user name: <account>
Enter the password:
Error: Machine account creation procedure failed
[20336] Loaded the preliminary configuration.
[ 20361] Successfully connected to ip 10.10.10.11, port 88 using TCP
[20429] Successfully connected to ip 10.10.10.11, port 636 using TCP
[ 20719] Successfully connected to ip 10.10.10.11, port 88 using TCP
[ 20751] FAILURE: Unable to SASL bind to LDAP server using GSSAPI: Local error
[ 20751] Additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
[ 20753]Unable to start LDAPS: Local error
[ 20753] Additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
[ 20753] Unable to connect to LDAP (Active Directory) service on dc01.ntap.local (Error: Local error)
[ 20753] Unable to make a connection (LDAP (Active Directory):NTAP.LOCAL), result: 7643
Error: command failed: Failed to create the ActiveDirectory machine account "svm01". Reason: LDAP Error: Local error occurred.
 
  • SecD shows the LDAP SASL bind failing with SPNEGO with an 'Invalid credentials' error, then reports 'Local error' when binding with GSSAPI and channel binding:
 
00000014.00099b77 0169eaf8 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.526.942]  info :  Successfully connected to ip 10.10.10.11, port 636 using TCP { in _connect() at src/connection_manager/secd_connection_shim.cpp:497 }
00000014.00099b78 0169eaf8 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.619.995]  debug:  ldap_sasl_bind_s returned 49  { in ldapSaslBindSpnego() at src/connection_manager/secd_connection.cpp:774 }
00000014.00099b79 0169eaf8 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.620.026]  ERR  :  RESULT_ERROR_LDAPSERVER_INVALID_CREDENTIALS:7627 in ldapSaslBindSpnego() at src/connection_manager/secd_connection.cpp:780
00000014.00099b7a 0169eaf8 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.620.035]  ERR  :  ldapSaslBindSpnego: LDAP Error: (49): 'Invalid credentials':
00000014.00099b7b 0169eaf8 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.620.517]  debug:  Invalid credentials. Trying with SIGN  { in ldapSaslBind() at src/connection_manager/secd_connection.cpp:1010 }
 
00000014.00099c19 0169eb00 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.786.549]  info :  [krb5 context 08CE2E00] Received answer from stream 10.10.10.11:88
00000014.00099c1a 0169eb00 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.786.597]  info :  [krb5 context 08CE2E00] TGS request result: -1765328377/Server not found in Kerberos database
00000014.00099c1b 0169eb00 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.786.830]  ERR  :  LDAP SASL bind failed using GSSAPI and channel binding. Error: -2(Local error)  { in ldapSaslBindGssapi() at src/connection_manager/secd_connection.cpp:633 }
00000014.00099c1c 0169eb00 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.786.836]  debug:  Retrying bind without channel binding  { in ldapSaslBindGssapi() at src/connection_manager/secd_connection.cpp:637 }
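The SecD trace above carries the whole failure sequence: a SPNEGO bind rejected with LDAP result 49, a TGS request answered with "Server not found in Kerberos database", the channel-binding GSSAPI bind failing, and SecD retrying without channel binding. The following is an added example (not NetApp code) that parses lines in that trace format and flags those events, so the sequence can be spotted in a larger secd log; it assumes the second field of each line is a per-connection context id, and the sample lines are constructed from the excerpt above.

```python
import re

# Constructed sample modelled on the SecD excerpt in this article (not a real capture).
SAMPLE_SECD_LOG = """\
00000014.00099b77 0169eaf8 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.526.942]  info :  Successfully connected to ip 10.10.10.11, port 636 using TCP { in _connect() at src/connection_manager/secd_connection_shim.cpp:497 }
00000014.00099b78 0169eaf8 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.619.995]  debug:  ldap_sasl_bind_s returned 49  { in ldapSaslBindSpnego() at src/connection_manager/secd_connection.cpp:774 }
00000014.00099c1a 0169eb00 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.786.597]  info :  [krb5 context 08CE2E00] TGS request result: -1765328377/Server not found in Kerberos database
00000014.00099c1b 0169eb00 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.786.830]  ERR  :  LDAP SASL bind failed using GSSAPI and channel binding. Error: -2(Local error)  { in ldapSaslBindGssapi() at src/connection_manager/secd_connection.cpp:633 }
00000014.00099c1c 0169eb00 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.786.836]  debug:  Retrying bind without channel binding  { in ldapSaslBindGssapi() at src/connection_manager/secd_connection.cpp:637 }
"""

# seq id, context id (assumed per-connection), timestamp with UTC offset, [kern_secd:...],
# relative time, level ("info", "debug", "ERR" with variable padding), message.
SECD_RE = re.compile(
    r"^(?P<seq>\S+) (?P<ctx>\S+) (?P<ts>.+? [+-]\d{2}:\d{2}) \[kern_secd:\w+:\d+\] \| "
    r"\[(?P<rel>[\d.]+)\]\s+(?P<level>\w+)\s*:\s+(?P<msg>.*)$"
)

# Message fragments from the trace and what each one means for the defender.
# -1765328377 is KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: the KDC has no SPN for the name used.
SIGNATURES = [
    ("ldap_sasl_bind_s returned 49", "spnego_invalid_credentials"),
    ("TGS request result: -1765328377", "kdc_server_principal_unknown"),
    ("LDAP SASL bind failed using GSSAPI and channel binding", "channel_binding_bind_failed"),
    ("Retrying bind without channel binding", "channel_binding_downgrade_attempt"),
]


def parse_secd_line(line):
    """Split one SecD trace line into its fields, or return None if it does not match."""
    m = SECD_RE.match(line)
    return m.groupdict() if m else None


def classify_secd_log(text):
    """Return (ctx, timestamp, finding) for every trace line matching a known signature."""
    findings = []
    for line in text.splitlines():
        rec = parse_secd_line(line)
        if rec is None:
            continue
        for fragment, finding in SIGNATURES:
            if fragment in rec["msg"]:
                findings.append((rec["ctx"], rec["ts"], finding))
    return findings


def downgrade_contexts(findings):
    """Contexts where the channel-binding bind failed and SecD then retried without it.
    If that retry succeeds, the LDAPS session is not protected by channel binding."""
    failed = {c for c, _, f in findings if f == "channel_binding_bind_failed"}
    retried = {c for c, _, f in findings if f == "channel_binding_downgrade_attempt"}
    return sorted(failed & retried)
```

Run `classify_secd_log` over an exported secd log and review any context returned by `downgrade_contexts` together with the preceding Kerberos error, which points at the DC name the SPN lookup was attempted for.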
 


NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.