Unable to authenticate to AD Domain after adding new route to ONTAP SVM
Applies to
- ONTAP 9
- CIFS/SMB
- Domain Tunnel
Issue
- After adding a new default route (gateway) to a vserver (SVM), authentication to ONTAP via CIFS/SMB fails.
- The SVM hosting the domain tunnel cannot communicate with Active Directory Domain Controllers (AD DCs), resulting in authentication and login failures for AD accounts.
- Users are unable to provision NAS from Trident, impacting production.
- When only the original default route is present, connectivity and authentication work.
- When a second default route is added, the SVM becomes unreachable, and the CIFS check command shows the service as down.
- SecD logs show errors such as:
    [14054] FAILURE: Could not authenticate as ‘user@DOMAIN’: Cannot contact any KDC for requested realm (KRB5_KDC_UNREACH)
    [16054] TCP connection to ip 10.x.x.x, port 445 failed: Operation timed out.
    [16056] No servers available for MS_NETLOGON:vserver:6, domain:domain.local.
    [16056] Unable to make a connection (NetLogon:DOMAIN.LOCAL)RESULT_ERROR_SECD_NO_SERVER_AVAILABLE
    [16056] secd.conn.auth.failure: Vserver(vservername) could not make a connection over the network to server(dc-name.domain.local).
    [14022] FAILURE: Could not authenticate as ‘svc_account@DOMAIN’: Cannot contact any KDC for requested realm (KRB5_KDC_UNREACH)
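The symptoms above hinge on an SVM carrying more than one default route. A quick way to spot that condition across a cluster before it surfaces as KRB5_KDC_UNREACH errors is to parse the output of `network route show` and flag any SVM with more than one `0.0.0.0/0` entry. The script below is an added example, not NetApp code; the sample text is constructed to approximate the `network route show` layout (vserver name on its own line, indented Destination/Gateway/Metric rows), and the `candidate_gateways` helper is a plain longest-prefix-then-lowest-metric lookup used only to show that two equal-metric default routes leave the gateway choice for a DC address ambiguous.

```python
import ipaddress
from collections import defaultdict

# Constructed sample approximating `network route show` output.
# svm_nas models the failing SVM from the issue: two default routes, equal metric.
SAMPLE_ROUTE_SHOW = """\
Vserver             Destination     Gateway         Metric
------------------- --------------- --------------- ------
svm_nas
                    0.0.0.0/0       10.10.1.1       20
                    0.0.0.0/0       10.20.1.1       20
svm_ok
                    0.0.0.0/0       10.10.1.1       20
                    192.168.50.0/24 10.10.1.254     30
"""


def parse_route_show(text):
    """Return {vserver: [(network, gateway, metric), ...]}.

    Assumes the layout above. Also tolerates a vserver name on the same row
    as its first route (four tokens) in case the output was width-collapsed.
    """
    routes = defaultdict(list)
    current = None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "Vserver" or tokens[0].startswith("-"):
            continue  # blank, header or separator row
        if len(tokens) == 1:
            current = tokens[0]  # vserver name alone on the line
            continue
        if len(tokens) == 4:
            current, tokens = tokens[0], tokens[1:]
        if len(tokens) == 3 and current:
            dest, gw, metric = tokens
            routes[current].append(
                (ipaddress.ip_network(dest), ipaddress.ip_address(gw), int(metric))
            )
    return dict(routes)


def default_routes(routes, vserver):
    """All routes for the SVM whose destination is the default (prefix length 0)."""
    return [r for r in routes.get(vserver, []) if r[0].prefixlen == 0]


def svms_with_multiple_defaults(routes):
    """SVMs that carry more than one default route; the condition this KB describes."""
    return sorted(v for v in routes if len(default_routes(routes, v)) > 1)


def candidate_gateways(routes, vserver, dst_ip):
    """Gateways that tie after longest-prefix match and lowest metric.

    More than one result means the path to dst_ip (for example a domain
    controller) is not uniquely determined by the route table.
    """
    dst = ipaddress.ip_address(dst_ip)
    matches = [r for r in routes.get(vserver, []) if dst in r[0]]
    if not matches:
        return []
    best_len = max(r[0].prefixlen for r in matches)
    best = [r for r in matches if r[0].prefixlen == best_len]
    best_metric = min(r[2] for r in best)
    return sorted(str(r[1]) for r in best if r[2] == best_metric)


def report(text, dc_ip):
    """Human-readable summary for an operator; returns the list of flagged SVMs."""
    routes = parse_route_show(text)
    flagged = svms_with_multiple_defaults(routes)
    for vs in flagged:
        gws = candidate_gateways(routes, vs, dc_ip)
        print(f"{vs}: {len(default_routes(routes, vs))} default routes; "
              f"gateway candidates for DC {dc_ip}: {', '.join(gws)}")
    return flagged


if __name__ == "__main__":
    # 10.30.5.5 is a constructed placeholder for a domain controller address.
    report(SAMPLE_ROUTE_SHOW, "10.30.5.5")
```

Run it against saved `network route show` output from each cluster; any SVM listed by `svms_with_multiple_defaults` matches the configuration that produced the SecD failures above, and `candidate_gateways` shows whether the DC address resolves to a single gateway or to an ambiguous pair.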
