SSH login to cluster using users from CIFS server's trusted domain times out
Applies to
- ONTAP 9.10.1 onwards
- SSH
- Domain-tunnel Authentication
Issue
- When a user from a CIFS server trusted domain tries to SSH to the ONTAP cluster, the login times out or takes a long time to authenticate
NOTE: This SSH login timeout issue is not seen for users from the same domain as the CIFS server domain.
- EMS log shows:
cluster-01 ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: cluster, username: <trusted_domain>\<user>, application: ssh.
cluster-01 ERROR sshd.loginGraceTime.expired: Timeout before password authentication for remote host 10.xx.xx.xx.
- "cifs domain trusts show -vserver <svm>" for the data SVM that is used for the domain tunnel shows the trusted domain. Home domain is NASLAB.LOCAL and trusted domain is INDIALAB.LOCAL.
cdot_vsim_9_8::> cifs domain trusts show -vserver vs1
Node: cdot_vsim_9_8-01
Vserver: vs1
Home Domain                    Trusted Domains
------------------------------ ------------------------------------------------
NASLAB.LOCAL                   INDIA.NASLAB.LOCAL, BLR.NASLAB.LOCAL,
                               INDIALAB.LOCAL, NASLAB.LOCAL
- Out of 3 DNS servers configured, the first 2 DNS servers didn't respond to the SRV lookup query.
- ONTAP was not caching the trusted domain DCs, resulting in lots of DNS queries being sent to the DNS server.
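
A triage helper for the symptom above, added here as an example and not NetApp code: it reads the trusts table and EMS lines in the layout shown in this article and flags nodes where failed SSH logins for trusted-domain users coincide with sshd.loginGraceTime.expired. The function names, the sample users, the 192.0.2.10 address and the rule that a login prefix equals the domain FQDN or its first label are assumptions.

```python
import re
from collections import defaultdict
# Line shape taken from the EMS excerpt: "<node> <SEVERITY> <event>: <message>"
EMS_RE = re.compile(r"^(\S+)\s+[A-Z]+\s+([\w.]+):\s+(.*)$")
LOGIN_RE = re.compile(r"username: ([^\\,\s]+)\\[^,\s]+, application: ssh")

def parse_trusts(text):
    """Return (home_domain, trusted_domains) from one Vserver's trusts table."""
    rows, seen_rule = [], False
    for line in text.splitlines():
        if line.lstrip().startswith("---"):
            seen_rule = True
        elif seen_rule and line.strip():
            rows.append(line.replace(",", " ").split())
    home = rows[0][0].upper()  # first cell of the first data row
    listed = {d.upper() for d in rows[0][1:]} | {d.upper() for r in rows[1:] for d in r}
    return home, listed - {home}

def classify(domain, home, trusted):
    """Assumption: the login prefix is the FQDN or its first label (NetBIOS-style)."""
    d = domain.upper()
    hit = lambda fqdn: d in (fqdn, fqdn.split(".")[0])
    if hit(home):
        return "home"
    return "trusted" if any(hit(t) for t in trusted) else "unknown"

def triage(ems_lines, home, trusted):
    """Per node: failed SSH logins by domain class, plus loginGraceTime expiries."""
    stats = defaultdict(lambda: {"home": 0, "trusted": 0, "unknown": 0, "grace_expired": 0})
    for line in ems_lines:
        m = EMS_RE.match(line.strip())
        if not m:
            continue
        node, event, msg = m.groups()
        if event == "sshd.loginGraceTime.expired":
            stats[node]["grace_expired"] += 1
        elif event == "security.invalid.login" and (user := LOGIN_RE.search(msg)):
            stats[node][classify(user.group(1), home, trusted)] += 1
    # Heuristic flag: trusted-domain failures on a node that also hit the grace timer
    return {n: dict(s, symptom=s["trusted"] > 0 and s["grace_expired"] > 0) for n, s in stats.items()}
# Constructed sample input (placeholder users and a documentation IP address)
SAMPLE_TRUSTS = """Home Domain                    Trusted Domains
------------------------------ ------------------------------------------------
NASLAB.LOCAL                   INDIA.NASLAB.LOCAL, BLR.NASLAB.LOCAL,
                               INDIALAB.LOCAL, NASLAB.LOCAL"""
SAMPLE_EMS = [
    r"cluster-01 ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: cluster, username: INDIALAB\user1, application: ssh.",
    r"cluster-01 ERROR sshd.loginGraceTime.expired: Timeout before password authentication for remote host 192.0.2.10.",
    r"cluster-02 ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: cluster, username: NASLAB\user2, application: ssh.",
]
```

A node flagged with symptom=True matches the pattern in this article; failed logins counted under "home" or "unknown" point to a different cause, such as a wrong password or an untrusted domain.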