Modifying AES encryption for CIFS server fails with Kerberos Error: KDC has no support for encryption type

Last updated

Jul 18, 2024
Save as PDF
Share
1. Share
2. Tweet
3. Share

Views:: 7,956

Visibility:: Public

Votes:: 3

Category:: ontap-9

Specialty:: nas

Last Updated:: 7/18/2024, 10:50:37 AM

Applies to

ONTAP 9
Cloud Volume ONTAP (CVO)
CIFS

Issue

When trying to disable AES:

::> vserver cifs security modify -vserver vs1 -is-aes-encryption-enabled false

Info: In order to disable CIFS AES encryption, the password for the CIFS server machine account must be reset. Enter the

username and password for the CIFS domain "NASLAB.LOCAL".

Enter your user ID: administrator

Enter your password:

Error: command failed: Password update failed. Reason: Kerberos Error: KDC has no support for encryption type.

SECD log:
- SVM changes its machine account password in the AD when the AES security option is modified.
- SECD logs shows failure in TCP connection to AD-LDAP so the LDAP BIND fails.
- Since LDAP bind fails , SVM is unable to update msDS-SupportedEncryptionTypes for the CIFS server.
- Modifying CIFS security "is-aes-encryption-enabled" fails since the RPC call fails.

.-----------------------------------------------------------------------------.

|                                 RPC FAILURE:                                  |

|                    secd_rpc_ad_reset_password has failed   |

|                        Result = 0, RPC Result = 6942                 |

|                   RPC received at Mon Sep 21 06:33:28 2020|

|-----------------------------------------------------------------------------'

Failure Summary:

Error: CIFS server password reset procedure failed

  ...

  [  2286] Successfully connected to ip 10.xx.yy.2, port 88 using TCP

  [  4344] TCP connection to ip 10.aa.bb.10, port 389 via interface 10.aa.cc.dd failed: Operation timed out.

  [  4344] Unable to SASL bind to LDAP server using GSSAPI: Can't contact LDAP server

  [  4344] Unable to connect to LDAP (Active Directory) service on dc1.naslab.local (Error: Can't contact LDAP server)

  [  4348] Successfully connected to ip 10.xx.yy.2, port 88 using TCP

  [  4491] Could not authenticate as 'VS1$@NASLAB.LOCAL': CIFS server account password does not match password stored in Active Directory (KRB5KDC_ERR_PREAUTH_FAILED)

  [  4494] Successfully connected to ip 10.xx.yy.2, port 88 using TCP

  [  6544] TCP connection to ip 10.aa.bb.11, port 389 via interface 10.aa.cc.dd failed: Operation timed out.

  [  6544] Unable to SASL bind to LDAP server using GSSAPI: Can't contact LDAP server

  [  6544] Unable to connect to LDAP (Active Directory) service on dc2.naslab.local (Error: Can't contact LDAP server)

  [  6547] Successfully connected to ip 10.xx.yy.2, port 88 using TCP

  [  6732] Could not authenticate as 'VS1$@NASLAB.LOCAL': CIFS server account password does not match password stored in Active Directory (KRB5KDC_ERR_PREAUTH_FAILED)

  [  6735] Successfully connected to ip 10.xx.yy.2, port 88 using TCP

  [  8803] TCP connection to ip 10.aa.bb.3, port 389 via interface 10.aa.cc.dd failed: Operation timed out.

  [  8803] Unable to SASL bind to LDAP server using GSSAPI: Can't contact LDAP server

  [  8803] Unable to connect to LDAP (Active Directory) service on dc3.naslab.local (Error: Can't contact LDAP server)

  [  8803] Unable to make a connection (LDAP (Active Directory):SF.PRIV), result: 6942

  [  8803] Retry requested, but the retry window (7000 ms) has expired; giving up.

Command vserver cifs domain discovered-servers show -vserver vs1 shows MS-LDAP as Unavailable or Unreachable