Multiple PTRs for DC cause secd.ldap.noServers
Applies to
- ONTAP 9
- CIFS
- MS-LDAP/AD-LDAP
- Kerberos
Issue
- EMS:
::> event log show -event *secd.ldap.noServers* -severity *Time Node Severity Event------------------- ---------------- ------------- ---------------------------3/20/2023 13:47:47 cluster-n02 EMERGENCY secd.ldap.noServers: None of the LDAP servers configured for Vserver (svm1) are currently accessible via the network for LDAP service type (Service: LDAP (Active Directory), Operation: SiteDiscovery).3/20/2023 13:47:35 cluster-n01 EMERGENCY secd.ldap.noServers: None of the LDAP servers configured for Vserver (svm1) are currently accessible via the network for LDAP service type (Service: LDAP (Active Directory), Operation: SiteDiscovery).- get-dc-info fails intermittently:
::> set advWarning: These advanced commands are potentially dangerous; use them only when directed to do so by NetApp personnel.Do you want to continue? {y|n}: y::*> vserver services access-check authentication get-dc-info -node cluster-n01 -vserver svm1Error: command failed: RPC call to SecD failed. RPC: "SecD Error: no serveravailable". Reason: "".- MS-LDAP servers are unavailable:
::*> cifs domain discovered-servers show -node cluster-n01 -vserver svm1Node: cluster-n01Vserver: svm1
Domain Name Type Preference DC-Name DC-Address Status
--------------- -------- ---------- --------- --------------- ---------
naslab.local KERBEROS favored india10 10.xx.xx.245 undetermined
naslab.local KERBEROS favored india14 10.xx.xx.241 undetermined
naslab.local KERBEROS favored india33 169.21.252.203 undetermined
naslab.local MS-LDAP favored india10 10.xx.xx.245 unavailable
naslab.local MS-LDAP favored india14 10.xx.xx.241 unavailable
naslab.local MS-LDAP favored india33 169.xx.yy.203 unavailable
naslab.local MS-DC favored india10 10.xx.xx.245 undetermined
naslab.local MS-DC favored india14 10.xx.xx.241 undetermined
naslab.local MS-DC favored india33 169.xx.yy.203 OK- Client Session Security is set to Sign for AD-LDAP communication:
::*> cifs security show -vserver svm1 -fields session-security-for-ad-ldapvserver session-security-for-ad-ldap------- ----------------------------svm1 sign- SECD logs show SASL bind to LDAP server failing:
[kern_secd:info:9440] | [000.039.193] debug: ldap_sasl_interactive_bind_s returned -2 { in ldapSaslBindGssapi() at src/connection_manager/secd_connection.cpp:666 }[kern_secd:info:9440] | [000.039.200] ERR : Unable to SASL bind to LDAP server using GSSAPI: Local error { in ldapSaslBindGssapi() at src/connection_manager/secd_connection.cpp:670 }[kern_secd:info:9440] | [000.039.210] info : Additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database) { in ldapSaslBindGssapi() at src/connection_manager/secd_connection.cpp:673 }[kern_secd:info:9440] | [000.039.216] ERR : RESULT_ERROR_LDAPSERVER_LOCAL_ERROR:7643 in ldapSaslBindGssapi() at src/connection_manager/secd_connection.cpp:677[kern_secd:info:9440] | [000.039.221] ERR : ldapSaslBindGssapi: LDAP Error: (-2): 'Local error':- getxxbyyy gethostbyaddr returns different hostname for the DC IP when run multiple times:
::*> vserver services name-service getxxbyyy gethostbyaddr -node cluster-n01 -vserver svm1 -ipaddress 10.xx.xx.245(vserver services name-service getxxbyyy gethostbyaddr)IP address: 10.xx.xx.245Host name: india10.naslab.localAlias: NASLAB.naslab.localAlias: gc._msdcs.naslab.local::*> vserver services name-service getxxbyyy gethostbyaddr -node cluster-n01 -vserver svm1 -ipaddress 10.xx.xx.245IP address: 10.xx.xx.245Host name: NASLAB.naslab.localAlias: india10.naslab.localAlias: gc._msdcs.naslab.local::*> vserver services name-service getxxbyyy gethostbyaddr -node cluster-n01 -vserver svm1 -ipaddress 10.xx.xx.245IP address: 10.xx.xx.245Host name: gc._msdcs.naslab.localAlias: india10.naslab.localAlias: NASLAB.naslab.local