"SecD Error: no server available" when modifying AES encryption for CIFS server, because PTR record is missing
Applies to
- ONTAP 9.7
- CIFS
Issue
- When attempting to modify or add permissions from the Security tab on a Windows SMB client, the following error is received:
“The program cannot open the required dialog box because it cannot determine whether the computer named “cifs -server” is joined to a domain. Close this message, and try again.”
- Creating a new CIFS server also fails.
- Setting is-aes-encryption-enabled to false fails:
::> cifs security modify -vserver svm1 -is-aes-encryption-enabled false
Info: In order to disable CIFS AES encryption, the password for the CIFS server machine account must be reset. Enter the username and password for the CIFS domain
"NASLAB.LOCAL".
Enter your user ID: administrator
Enter your password:
Error: command failed: Password update failed. Reason: SecD Error: no server available.
- secd:
.------------------------------------------------------------------------------.
| RPC FAILURE: |
| secd_rpc_ad_get_dc_info has failed |
| Result = 0, RPC Result = 6940 |
| RPC received at Thu Sep 24 13:42:26 2020 |
|------------------------------------------------------------------------------'
Failure Summary:
Error: Get DC Info procedure failed
[ 0 ms] No servers available for MS_LDAP_AD, vserver: 2, domain: naslab.local.
[ 2] Successfully connected to ip 10.xx.yy.191, port 389 using TCP
[ 4] Successfully connected to ip 10.xx.yy.191, port 88 using TCP
[ 20] Successfully connected to ip 10.xx.yy.191, port 389 using TCP
[ 21] Entry for host-address: 10.xx.yy.191 not found in the current source: FILES. Ignoring and trying next available source
[ 22] Source: DNS unavailable. Entry for host-address:10.xx.yy.191 not found in any of the available sources
**[ 22] FAILURE: Unable to SASL bind to LDAP server using GSSAPI: Local error
[ 22] Additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot determine realm for numeric host address)
[ 23] Successfully connected to ip 10.xx.yy.191, port 88 using TCP
[ 57] Could not authenticate as 'SVM1$@NASLAB.LOCAL': CIFS server account password does not match password stored in Active Directory (KRB5KDC_ERR_PREAUTH_FAILED)
[ 57] Unable to connect to LDAP (Active Directory) service on win-aesid9bf636.naslab.local (Error: Local error)
[ 57] No servers available for MS_LDAP_AD, vserver: 2, domain: naslab.local.
[ 57] Unable to make a connection (LDAP (Active Directory):NASLAB.LOCAL), result: 6940
- EMS:
cluster-01 DEBUG secd.unexpectedFailure: vserver (svm1) Unexpected failure. Error: CIFS server password change procedure failed
[ 2 ms] Successfully connected to ip 10.xx.yy.191, port 88 using TCP
[ 4] Successfully connected to ip 10.xx.yy.191, port 88 using TCP
**[ 6] FAILURE: CIFS server could not authenticate as 'SVM1$@NASLAB.LOCAL': Generic preauthentication failure (KRB5_PREAUTH_FAILED)
8/7/2024 15:58:01 node01 ERROR secd.unexpectedFailure: Unexpected SecD failure in Vserver "PINTAIL3_dest". Details: Error: Get DC Info procedure failed
CIFS Domain Query via LSAR_DS_ROLE_GET_DOMAIN_INFO - Client Ip = 10.2xx.xc.xc User = xcx\Sebxcvcc
[ 2089] Successfully connected to ip 10.10.2xx.xx, port 88 using TCP
[ 2107] Successfully connected to ip 10.1x2xx.1xx, port 389 using TCP
[ 2108] Source: DNS unavailable. Ignoring and trying next available source for host-address: 10.10.2xx.1xx
[ 2108] Entry for host-address: 10.10.2xx.1xx not found in the current source: FILES. Entry for host-address: 10.10.2xx.1xx not found in any of the available sources
- AD-LDAP connection is set to use sign (Client Session Security):
::> cifs security show -vserver svm1 -fields session-security-for-ad-ldap
vserver session-security-for-ad-ldap
--------- ----------------------------
svm1 sign
- AD-LDAP (preferred DC) connection is unavailable/undetermined:
::> vserver cifs domain discovered-servers show
Node: cluster-01
Vserver: svm1
Domain Name Type Preference DC-Name DC-Address Status
--------------- -------- ---------- --------------- --------------- ---------
naslab.local KERBEROS preferred win-aesid9bf636 10.xx.yy.191 undetermined
naslab.local MS-LDAP preferred win-aesid9bf636 10.xx.yy.191 unavailable
naslab.local MS-DC preferred win-aesid9bf636 10.xx.yy.191 OK
- Discovery mode is already set to none (use the preferred DC's only)
::> set adv
::*> vserver cifs domain discovered-servers discovery-mode show -vserver svm1
Vserver: svm1
Server Discovery Mode: none
- get-dc-info fails:
::> set adv
::*> vserver services access-check authentication get-dc-info -vserver svm1
Error: command failed: RPC call to SecD failed. RPC: "SecD Error: no server available". Reason: "".
- Reverse lookup for DC fails
::> set adv
::*> vserver services name-service getxxbyyy gethostbyaddr -vserver svm1 -ipaddress 10.xx.yy.191
Error: command failed: Failed to resolve 10.xx.yy.191. Reason: Unknown host.
- Traces show DNS responding "No such name" to the PTR query for the DC address:
57 05:24:18.155 0.001194000 10.xx.yy.18 10.xx.yy.191 30946,53 DNS Standard query 0x86d9 PTR 191.yy.xx.10.in-addr.arpa
58 05:24:18.157 0.001903000 10.xx.yy.191 10.xx.yy.18 53,30946 DNS Standard query response 0x86d9 No such name PTR 191.yy.xx.10.in-addr.arpa SOA dc91.naslab.local
session-security-for-ad-ldap to seal/sign
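The secd excerpts above share one signature: the DC address connects fine on ports 88 and 389, the reverse lookup of that address fails in every name-service source, and the GSSAPI bind then dies with "Cannot determine realm for numeric host address" because Kerberos cannot build a service ticket for a bare IP. The following is an added example, not NetApp code and not part of the original article, that parses a secd failure block of this shape and reports which DC addresses need a PTR record (and the exact in-addr.arpa name to create). The log sample, IP addresses and host names in it are constructed; the helper names (diagnose, ptr_name, check_ptr_live) are this example's own.

```python
import ipaddress
import re
import socket

# Constructed sample of a secd "Get DC Info" failure, modelled on the shape of
# the excerpts in this article. The address 10.10.20.191 and host names are made up.
SAMPLE_SECD_LOG = """\
[     0 ms] No servers available for MS_LDAP_AD, vserver: 2, domain: naslab.local.
[     2] Successfully connected to ip 10.10.20.191, port 389 using TCP
[     4] Successfully connected to ip 10.10.20.191, port 88 using TCP
[    21] Entry for host-address: 10.10.20.191 not found in the current source: FILES. Ignoring and trying next available source
[    22] Source: DNS unavailable. Entry for host-address:10.10.20.191 not found in any of the available sources
**[    22] FAILURE: Unable to SASL bind to LDAP server using GSSAPI: Local error
[    22] Additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot determine realm for numeric host address)
[    57] Unable to connect to LDAP (Active Directory) service on win-aesid9bf636.naslab.local (Error: Local error)
"""

# "host-address:" is sometimes followed by a space and sometimes not (see the article's excerpt).
UNRESOLVED_RE = re.compile(
    r"host-address:\s*(\d{1,3}(?:\.\d{1,3}){3})\s+not found in any of the available sources"
)
CONNECT_RE = re.compile(r"Successfully connected to ip (\d{1,3}(?:\.\d{1,3}){3}), port (\d+)")
REALM_ERROR = "Cannot determine realm for numeric host address"


def ptr_name(ip: str) -> str:
    """Reverse-zone owner name (in-addr.arpa / ip6.arpa) that must resolve for this address."""
    return ipaddress.ip_address(ip).reverse_pointer


def diagnose(log_text: str) -> dict:
    """Classify a secd failure block: missing-PTR signature or something else."""
    unresolved = set()
    reachable = {}
    realm_error = False
    for line in log_text.splitlines():
        m = UNRESOLVED_RE.search(line)
        if m:
            unresolved.add(m.group(1))
        m = CONNECT_RE.search(line)
        if m:
            reachable.setdefault(m.group(1), set()).add(int(m.group(2)))
        if REALM_ERROR in line:
            realm_error = True
    # The DC must be reachable (so this is not a firewall/route issue), the reverse
    # lookup must have failed, and GSSAPI must have refused the numeric host.
    missing_ptr = realm_error and any(ip in reachable for ip in unresolved)
    return {
        "missing_ptr": missing_ptr,
        "dc_addresses": sorted(unresolved),
        "ptr_records_needed": [ptr_name(ip) for ip in sorted(unresolved)],
        "reachable_ports": {ip: sorted(ports) for ip, ports in reachable.items()},
    }


def check_ptr_live(ip: str):
    """Optional live check from the admin workstation: the FQDN the PTR resolves to, or None.
    Run this against the same DNS servers the SVM uses; an empty answer here matches
    the 'No such name' response seen in the packet trace."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


if __name__ == "__main__":
    result = diagnose(SAMPLE_SECD_LOG)
    if result["missing_ptr"]:
        for ip, name in zip(result["dc_addresses"], result["ptr_records_needed"]):
            print(f"DC {ip} reachable on {result['reachable_ports'][ip]} but has no PTR; create {name}")
    else:
        print("Not the missing-PTR signature; look at the Kerberos/LDAP errors instead")
```

The check deliberately requires all three conditions before blaming a PTR record: a DC that also fails to connect on port 389 or 88 points at the network, and a KRB5KDC_ERR_PREAUTH_FAILED without the realm error points at a stale machine-account password rather than DNS. Once the PTR exists, re-run gethostbyaddr from the SVM (vserver services name-service getxxbyyy gethostbyaddr) before retrying the cifs security modify.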