Hi Jan

Have you found a Solution for this?

TIA

Thomas

Hi,

check the CIFS security option "Use start_tls for AD LDAP connection"

"cifs security show -vserver <svm>"  

If that is enabled, try disabling it and re-running cifs setup. Alternately check the certificate is valid.

/Matt

Hi Matt

Use start_tls for AD LDAP connection was enabled and the certificate is imported. Before the upgrade from 8.3xxx to 9.1P9 it worked without Problems.

Our Workaround was to enable LDAP signing/sealing (Client Session Security = seal) and disable the options "start_tls for AD LDAP connection".

Now the access works, but our DC admins see sometimes following error in the event log:

Event Description: The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

So my thoughts was to enable "start_tls for AD LDAP connection" simultaneously to elimate the DC errors, but when I enable this I can't connect to DC anymore.

cifs security modify -vserver svm1 -use-start-tls-for-ad-ldap true

diag secd authentication get-dc-info -node node1 -vserver svm1

Error: command failed: RPC call to SecD failed. RPC: "SecD Error: no server available".  Reason: "".

regards

Thomas

Hi

We have found our Problem:

On the DC we seen following Error:

On the DCs more than one certificate is installed. I installed the second certificate on the svm (security certificate install -type server-ca -vserver svm1).

After that i have reenabled the Option "use-start-tls-for-ad-ldap" and voila it worked again.

regards

Thomas

Hi Thomas,

That makes sense, I looked into some internal KB articles which suggested a mismatched Server CA certificate between what the LDAP servers are using and the one that is installed for the SVM/CIFS server. If TLS is required then check the SVM certificate is correct.

/Matt

Hi

how to check that the certificate is correct? We have deleted and installed the cert again. It didn't help.

If you seatch for error message

Additional info: error:14090086:lib(20):func(144):reason(134)

it is about the cert trust. How to trouble shoot it on both sides - netapp and AD?

Thank you

Jan

Hi

We have following Situation:

In the personal certification store on the DC server we have certificates issued by the company CA, which we have installed also in the svm (security certificate install). With this combination we encountered "Additional info: error:14090086:lib(20):func(144):reason(134)" Errors. Subsequently we installed also the certificate issued by Domain CA in the svm.

security certificate show -vserver svm1
Vserver    Serial Number   Common Name                            Type
---------- --------------- -------------------------------------- ------------
svm1 06FFCFFAC88CB9B34454E628858B0FC2 company CA      server-ca
    Certificate Authority: company CA
          Expiration Date:

svm1 5F4CC1BFA244B7BF4301062863ABF4A2 domain CA             server-ca
    Certificate Authority: domain CA
          Expiration Date:

After that LDAP over TLS works without problems.

I hope this helps

Thomas