Message: secd.lsa.noServers: None of the LSA servers configured

MessagesecdlsanoServe
25,749 Views

secd.netlogon.noServers: None of the Netlogon servers configured for Vserver

 

This was an easy fix; scouring the web for answers made it more difficult.

Scenario: transition from 2012 Active Directory to 2019 Active Directory.

 

Run this command:

vserver cifs security show -vserver servername

 
Vserver: image1
                    Kerberos Clock Skew:                   - minutes
                    Kerberos Ticket Age:                   - hours
                   Kerberos Renewal Age:                   - days
                   Kerberos KDC Timeout:                   - seconds
                    Is Signing Required:                   -
        Is Password Complexity Required:                   -
   Use start_tls for AD LDAP connection:               false
              Is AES Encryption Enabled:               false
                 LM Compatibility Level:  lm-ntlm-ntlmv2-krb
             Is SMB Encryption Required:                   -
                Client Session Security:                none
        SMB1 Enabled for DC Connections:      system-default
        SMB2 Enabled for DC Connections:      system-default

If you see system-default for the SMB1 and SMB2 settings, SMB2 is disabled.
This is why your NetApps will not communicate with Active Directory.

Run this command:

vserver cifs security modify -vserver servername -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true

Output should show:

Vserver: image1
                    Kerberos Clock Skew:                   - minutes
                    Kerberos Ticket Age:                   - hours
                   Kerberos Renewal Age:                   - days
                   Kerberos KDC Timeout:                   - seconds
                    Is Signing Required:                   -
        Is Password Complexity Required:                   -
   Use start_tls for AD LDAP connection:               false
              Is AES Encryption Enabled:               false
                 LM Compatibility Level:  lm-ntlm-ntlmv2-krb
             Is SMB Encryption Required:                   -
                Client Session Security:                none
        SMB1 Enabled for DC Connections:               false
        SMB2 Enabled for DC Connections:                true
1 ACCEPTED SOLUTION

widelinks
20,474 Views

Adding point to above inputs:

 

From 9.3, the CIFS architecture has changed, and by default the highest SMB version will be used to communicate for AD connections. The KBs below might be helpful for quick reference. Also, there is a known bug in the KB listing shared below, and as per the last update, though it says a fix is available in 9.6, I came to know the fix is not available even in 9.6p12. Hence, if there are similar alerts, please take confirmation from NetApp to reproduce the issue in their lab.

 

EMS error: secd.*.noServers:EMERGENCY - NetApp Knowledge Base

 

We were seeing other secd alerts related to LSA and LDAP even in 9.7p12. There is some service which is actually trying to contact AD and it is failing, which led to the alerts. Just sharing for your reference. If any update, workaround or fix is available, please keep posting, friends.

 

Periodic secd.ldap.noServers error messages in EMS after modifying "cifs security" set incorrectly to use start-TLS and port 636 - NetApp Knowledge Ba...

From 9.3, LDAPS will be in a disabled state by default. We need to understand whether, if we enable this option as per the above article, there is any impact to current active operations on the SVM serving CIFS shares when the LDAP client is not configured to use AD LDAP.

 

"secd.ldap.noServers" in EMS when using SSL/TLS - NetApp Knowledge Base

 

The issue is yet to be verified or reproduced by the engineering team with the below environments:

1) AD servers: Windows 2016 * 5 qty

Configure SVM with Active directory.

No AD ldap or ldap client configured required.

No preferred DCs were configured.

 

2) AD server with Windows 2008 and Windows 2016

Configure SVM with Active directory.

No AD ldap or ldap client configured.

No preferred DCs were configured.

3 REPLIES 3

Rahul5
25,312 Views

Good research. Additionally, default settings for SMB 1.0 and 2.0 connections to domain controllers also depend on the ONTAP version. The system default for ONTAP 9.1 is enabled for SMB 1.0 and disabled for SMB 2.0. The system default for ONTAP 9.2 is enabled for SMB 1.0 and enabled for SMB 2.0. If the domain controller cannot negotiate SMB 2.0 initially, it uses SMB 1.0.
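
An added example (not written by any poster in this thread, and not NetApp code): a Python check that parses saved `vserver cifs security show` output and flags the two DC-connection SMB settings discussed above. The sample text is constructed in the layout quoted in the first post, the per-release defaults are the ones stated in Rahul5's reply, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the output quoted in the first post.
SAMPLE_BEFORE = """\
Vserver: image1
                 Client Session Security:                none
        SMB1 Enabled for DC Connections:      system-default
        SMB2 Enabled for DC Connections:      system-default
"""
SAMPLE_AFTER = (SAMPLE_BEFORE.replace("system-default", "false", 1)
                .replace("system-default", "true", 1))

# Meaning of system-default per ONTAP release, as stated in Rahul5's reply.
DEFAULTS = {"9.1": {"SMB1": "true", "SMB2": "false"},
            "9.2": {"SMB1": "true", "SMB2": "true"}}


def parse_show(text):
    """Return {label: value} for every 'Label:   value' line of the output."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?):\s+(\S.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def audit_dc_smb(text, ontap_version=None):
    """List findings for the SMB1/SMB2 DC-connection settings."""
    fields, findings, effective = parse_show(text), [], {}
    for proto in ("SMB1", "SMB2"):
        raw = fields.get(f"{proto} Enabled for DC Connections")
        if raw is None:
            findings.append(f"{proto}: field missing from output")
            continue
        effective[proto] = raw
        if raw == "system-default":
            # Resolve the release-dependent default when the release is known.
            effective[proto] = DEFAULTS.get(ontap_version, {}).get(proto, "unknown")
            findings.append(f"{proto}: system-default (effective: "
                            f"{effective[proto]}); set it explicitly")
    if effective.get("SMB1") == "true":
        findings.append("SMB1: enabled for DC connections; disable it")
    if effective.get("SMB2") == "false":
        findings.append("SMB2: disabled; DCs that refuse SMB1 cannot be reached")
    return findings


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_dc_smb(text, "9.1"))
```

An empty list means both settings are explicit, with SMB1 off and SMB2 on, which matches the "Output should show" state in the first post.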

Shahbaz
2,849 Views

What if the Vserver only supports NFS configuration and doesn't need SMB to be enabled?

 
