Operations using Secure LDAP fail, due to (enforced) ChannelBinding
Applies to
- ONTAP 9
- Microsoft LDAP server
- Secure LDAP
- LDAPS
- Start-TLS
Issue
- Operations which require an LDAP connection between ONTAP and the MS LDAP Server (AD site discovery for instance) fail.
- Changing ACL on a file (error message on Windows client side)
cannot determine whether the computer is joined to a domain
- Enabling LDAP client on port 636 with
vserver services name-service ldap client modifyfails -
LDAP server requires a user bind parameter to be set
[-bind-dn <ldap_dn>] - Bind DN (User) - In the EMS and SECD logs
Invalid credentials, which seem to be related to the failure when initiating the secure LDAP connection.
EMS:
secd: secd.conn.auth.failure:notice]: Vserver (<vserver>) could not authenticate over the network to server (). Error: Invalid credentials (Service: LDAP (Active Directory), Operation: SiteDiscovery).- Depending on whether LDAPS or START-TLS is used, it will manifest itself in the SECD logs slightly different.
SECD (LDAPS for AD LDAP connection)
00000013.007e944b 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] Failure Summary:00000013.007e944c 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] Error: User authentication procedure failed00000013.007e944d 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] CIFS SMB2 Share mapping - Client Ip = 1.2.3.400000013.007e944e 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] ...00000013.007e944f 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] [ 9988] Successfully connected to ip 1.2.3.51, port 636 using TCP00000013.007e9450 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] [ 10202] Unable to start LDAPS: Invalid credentials00000013.007e9451 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] [ 10202] Additional info: 80090346: LdapErr: DSID-0C090588, comment: AcceptSecurityContext error, data 80090346, v258000000013.007e9452 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] [ 10202] Unable to connect to LDAP (Active Directory) service on <server.domain> (Error: Invalid credentials)
up.SECD (START-TLS for AD LDAP connection)
00000013.007e944b 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] Failure Summary:00000013.007e944c 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] Error: User authentication procedure failed00000013.007e944d 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] CIFS SMB2 Share mapping - Client Ip = 1.2.3.400000013.007e944e 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] ...00000013.007e944f 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] [ 9988] Successfully connected to ip 1.2.3.51, port 389 using TCP00000013.007e9450 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] [ 10202] Unable to start LDAPS: Invalid credentials00000013.007e9452 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] [ 10202] Unable to connect to LDAP (Active Directory) service on <server.domain> (Error: Invalid credentials)