Machine account creation fails when using Channel Binding for AD LDAP Connection
Applies to
- ONTAP 9.10.1 and onwards
- Active Directory LDAP
- CIFS server
- LDAP channel binding
Issue
- Machine account creation failed with "LDAP local error" when using Channel Binding for AD LDAP Connection
cluster1::> vserver active-directory create -account-name svm1 -domain ntap.local -ou OU=test,OU=netapp -vserver svm1
In order to create an Active Directory machine account, you must supply the name and password of a Windows account with sufficient privileges to add computers to the "OU=test,OU=netapp" container within the "NTAP.LOCAL" domain.
Enter the user name: <account>
Enter the password:
Error: Machine account creation procedure failed
[20336] Loaded the preliminary configuration.
[ 20361] Successfully connected to ip 10.10.10.11, port 88 using TCP
[20429] Successfully connected to ip 10.10.10.11, port 636 using TCP
[ 20719] Successfully connected to ip 10.10.10.11, port 88 using TCP
[ 20751] FAILURE: Unable to SASL bind to LDAP server using GSSAPI: Local error
[ 20751] Additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
[ 20753]Unable to start LDAPS: Local error
[ 20753] Additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
[ 20753] Unable to connect to LDAP (Active Directory) service on dc01.ntap.local (Error: Local error)
[ 20753] Unable to make a connection (LDAP (Active Directory):NTAP.LOCAL), result: 7643
Error: command failed: Failed to create the ActiveDirectory machine account "svm01". Reason: LDAP Error: Local error occurred.
- SecD shows "LDAP SASL bind failed" using SPNEGO with an "Invalid credentials" error, and reports "Local error" when using GSSAPI and channel binding
00000014.00099b77 0169eaf8 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.526.942] info : Successfully connected to ip 10.10.10.11, port 636 using TCP { in _connect() at src/connection_manager/secd_connection_shim.cpp:497 }
00000014.00099b78 0169eaf8 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.619.995] debug: ldap_sasl_bind_s returned 49 { in ldapSaslBindSpnego() at src/connection_manager/secd_connection.cpp:774 }
00000014.00099b79 0169eaf8 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.620.026] ERR : RESULT_ERROR_LDAPSERVER_INVALID_CREDENTIALS:7627 in ldapSaslBindSpnego() at src/connection_manager/secd_connection.cpp:780
00000014.00099b7a 0169eaf8 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.620.035] ERR : ldapSaslBindSpnego: LDAP Error: (49): 'Invalid credentials':
00000014.00099b7b 0169eaf8 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.620.517] debug: Invalid credentials. Trying with SIGN { in ldapSaslBind() at src/connection_manager/secd_connection.cpp:1010 }
00000014.00099c19 0169eb00 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.786.549] info : [krb5 context 08CE2E00] Received answer from stream 10.10.10.11:88
00000014.00099c1a 0169eb00 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.786.597] info : [krb5 context 08CE2E00] TGS request result: -1765328377/Server not found in Kerberos database
00000014.00099c1b 0169eb00 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.786.830] ERR : LDAP SASL bind failed using GSSAPI and channel binding. Error: -2(Local error) { in ldapSaslBindGssapi() at src/connection_manager/secd_connection.cpp:633 }
00000014.00099c1c 0169eb00 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.786.836] debug: Retrying bind without channel binding { in ldapSaslBindGssapi() at src/connection_manager/secd_connection.cpp:637 }
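As an added triage example that is not part of the article, the Python below parses the SecD record format shown above, reconstructs the SASL bind fallback chain (SPNEGO, then SIGN, then GSSAPI with channel binding, then the retry without it) and flags the Kerberos TGS error that precedes the "Local error". The sample input is a constructed copy of the SecD lines above; the record regex and the hint text are assumptions made for this example, not NetApp's own parsing.

```python
import re

# Constructed sample input: SecD records as quoted in the article, reduced to the bind/Kerberos lines.
SECD_LOG = """\
00000014.00099b78 0169eaf8 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.619.995] debug: ldap_sasl_bind_s returned 49 { in ldapSaslBindSpnego() at src/connection_manager/secd_connection.cpp:774 }
00000014.00099b7a 0169eaf8 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.620.035] ERR : ldapSaslBindSpnego: LDAP Error: (49): 'Invalid credentials':
00000014.00099b7b 0169eaf8 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.620.517] debug: Invalid credentials. Trying with SIGN { in ldapSaslBind() at src/connection_manager/secd_connection.cpp:1010 }
00000014.00099c1a 0169eb00 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.786.597] info : [krb5 context 08CE2E00] TGS request result: -1765328377/Server not found in Kerberos database
00000014.00099c1b 0169eb00 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.786.830] ERR : LDAP SASL bind failed using GSSAPI and channel binding. Error: -2(Local error) { in ldapSaslBindGssapi() at src/connection_manager/secd_connection.cpp:633 }
00000014.00099c1c 0169eb00 Thu Sep 09 2022 14:40:04 +02:00 [kern_secd:info:10469] | [020.786.836] debug: Retrying bind without channel binding { in ldapSaslBindGssapi() at src/connection_manager/secd_connection.cpp:637 }
"""

# Assumed record layout: "<id> <thread> <timestamp> [<source>] | [<rel_time>] <level>: <message> [{ in <func>() at <file:line> }]"
RECORD_RE = re.compile(
    r"^\S+ \S+ (?P<ts>.+?) \[(?P<src>[^\]]+)\] \| \[(?P<rel>[\d.]+)\] "
    r"(?P<level>\w+)\s*:\s*(?P<msg>.*?)(?: \{ in (?P<func>\w+)\(\) at (?P<loc>[^}]+?) \})?$"
)

# MIT krb5 code rendered as "Server not found in Kerberos database" (KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN).
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = -1765328377

def parse_secd(log_text):
    """Parse SecD records into dicts; lines that do not match the record layout are skipped."""
    return [m.groupdict() for m in map(RECORD_RE.match, log_text.splitlines()) if m]

def analyze_bind_chain(records):
    """Reconstruct the SASL bind fallback chain and attach a hint when the TGS lookup is the cause."""
    f = {"spnego_rc": None, "fell_back_to_sign": False, "tgs_code": None, "tgs_text": None,
         "channel_binding_failed": False, "retried_without_cb": False, "hint": None}
    for r in records:
        msg = r["msg"]
        if r["func"] == "ldapSaslBindSpnego" and (m := re.search(r"returned (\d+)", msg)):
            f["spnego_rc"] = int(m.group(1))  # 49 is LDAP invalidCredentials
        elif "Trying with SIGN" in msg:
            f["fell_back_to_sign"] = True
        elif (m := re.search(r"TGS request result: (-?\d+)/(.*)", msg)):
            f["tgs_code"], f["tgs_text"] = int(m.group(1)), m.group(2).strip()
        elif "failed using GSSAPI and channel binding" in msg:
            f["channel_binding_failed"] = True
        elif "Retrying bind without channel binding" in msg:
            f["retried_without_cb"] = True
    if f["channel_binding_failed"] and f["tgs_code"] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
        f["hint"] = ("GSSAPI bind obtained no service ticket: the KDC has no principal for the LDAP service "
                     "name SecD requested. Verify the DC's ldap/<hostname> SPN and the name it resolves to.")
    return f

if __name__ == "__main__":
    for key, value in analyze_bind_chain(parse_secd(SECD_LOG)).items():
        print(f"{key:>24}: {value}")
```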