2017-08-22 01:32 PM - edited 2017-08-22 01:34 PM
Seeing a lot of these errors in recent days. We had a complete shutdown for a few hours a couple of weeks ago for some maintenance. Only errors one of our 3 Win domain controllers. 1065 errors logged over the past 5 or 6 days. I don't notice any issues from this otherwise.
Message Name: secd.conn.auth.failure
Event: secd.conn.auth.failure: Vserver (vserver1) could not authenticate over the network to server (DC01). Error: Invalid credentials.
Corrective Action: Ensure that the server being accessed is up and responding to requests. Ensure that there are no networking issues stopping the Vserver from communicating with this server. If the error reported is related to an authentication attempt, ensure that any related configurable user credentials are set correctly.
Description: This message occurs when the Vserver cannot establish a TCP/UDP connection to or be authenticated by an outside server such as NIS, LSA, LDAP and KDC. Subsequently, some features of the storage system relying on this connection might not function correctly.
Solved! SEE THE SOLUTION
2017-08-22 05:15 PM
Have you configured onbox DNS load balancing? If so see this:
If not, have you verfied that you can ping the DC from the vservers LIF's and that it has a valid route? Assming you can't access the CIFS shares on your vserver?
Is ntp configured on the cluster and is the dns service configured on your vserver? Also is the vservers computer account enabled in AD?
Some example command sytnax to check:
cluster1::> services dns show -vserver vserver1 Vserver: vserver1 Domains: testlab.local Name Servers: 192.168.100.10 (DEPRECATED)-Enable/Disable DNS: enabled Timeout (secs): 2 Maximum Attempts: 1 cluster1::> ntp server show (cluster time-service ntp server show) Server Version ------------------------------ ------- time.testlab.local auto cluster1::> route show -vserver vserver1 Vserver Destination Gateway Metric ------------------- --------------- --------------- ------ vserver1 0.0.0.0/0 192.168.100.254 20 cluster1::> net int show -vserver vserver1 (network interface show) Logical Status Network Current Current Is Vserver Interface Admin/Oper Address/Mask Node Port Home ----------- ---------- ---------- ------------------ ------------- ------- ---- vserver1 vserver1_cifs_lif1 up/up 192.168.100.100/24 testc1n1 e0d true vserver1_mgmt_lif1 up/up 192.168.100.104/24 testc1n1 e0d true 2 entries were displayed. cluster1::> network ping -lif vserver1_mgmt_lif1 -vserver vserver1 -destination 192.168.100.10 192.168.100.10 is alive cluster1::> network ping -lif vserver1_cifs_lif1 -vserver vserver1 -destination 192.168.100.10 192.168.100.10 is alive C:\>dsquery computer -name vserver1 | dsget computer -disabled -sid -samid samid sid disabled VSERVER1$ S-1-5-21-3150332139-2813398079-754052488-1350 no dsget succeeded
Hope that helps
2017-08-23 06:46 AM
Thank you Matt for all of this information. Unfortunately, all of those commands work as expected.
vserver services name-service dns hosts show
The above command did show an error in our configuration that I am pretty certain we've corrected before. The DC listed and IP address for that DC did not match up though the IP address was an IP of another domain controller.
I honestly don't know why we configured this in the first place. It would explain why I only see errors for one of our 3 DCs as DC01 is the only host configured for the two SVMs reporting errors.
If our DNS servers are listed in the 'dns show' configuration, is there any need so specifiy them local? What is the use case for 'dns hosts create'?
2017-08-23 08:13 AM