Solved: Authentication issues to Domain Controller

bsnyder27 · ‎2017-08-22

Seeing a lot of these errors in recent days. We had a complete shutdown for a few hours a couple of weeks ago for some maintenance. Only errors one of our 3 Win domain controllers. 1065 errors logged over the past 5 or 6 days. I don't notice any issues from this otherwise.

Severity: ERROR
Source: secd
Message Name: secd.conn.auth.failure
Event: secd.conn.auth.failure: Vserver (vserver1) could not authenticate over the network to server (DC01). Error: Invalid credentials.
Corrective Action: Ensure that the server being accessed is up and responding to requests. Ensure that there are no networking issues stopping the Vserver from communicating with this server. If the error reported is related to an authentication attempt, ensure that any related configurable user credentials are set correctly.
Description: This message occurs when the Vserver cannot establish a TCP/UDP connection to or be authenticated by an outside server such as NIS, LSA, LDAP and KDC. Subsequently, some features of the storage system relying on this connection might not function correctly.

mbeattie · ‎2017-08-22

Hi,

Have you configured onbox DNS load balancing? If so see this:

https://kb.netapp.com/support/s/article/ka11A0000008kASQAY/Connection-failure-with-Domain-Controllers

If not, have you verfied that you can ping the DC from the vservers LIF's and that it has a valid route? Assming you can't access the CIFS shares on your vserver?

Is ntp configured on the cluster and is the dns service configured on your vserver? Also is the vservers computer account enabled in AD?

Some example command sytnax to check:

cluster1::> services dns show -vserver vserver1

                        Vserver: vserver1
                        Domains: testlab.local
                   Name Servers: 192.168.100.10
(DEPRECATED)-Enable/Disable DNS: enabled
                 Timeout (secs): 2
               Maximum Attempts: 1

cluster1::> ntp server show
  (cluster time-service ntp server show)
Server                         Version
------------------------------ -------
time.testlab.local             auto

cluster1::> route show -vserver vserver1
Vserver             Destination     Gateway         Metric
------------------- --------------- --------------- ------
vserver1
                    0.0.0.0/0       192.168.100.254 20

cluster1::> net int show -vserver vserver1
  (network interface show)
            Logical    Status     Network            Current       Current Is
Vserver     Interface  Admin/Oper Address/Mask       Node          Port    Home
----------- ---------- ---------- ------------------ ------------- ------- ----
vserver1
            vserver1_cifs_lif1
                         up/up    192.168.100.100/24 testc1n1      e0d     true
            vserver1_mgmt_lif1
                         up/up    192.168.100.104/24 testc1n1      e0d     true
2 entries were displayed.

cluster1::> network ping -lif vserver1_mgmt_lif1 -vserver vserver1 -destination 192.168.100.10
192.168.100.10 is alive

cluster1::> network ping -lif vserver1_cifs_lif1 -vserver vserver1 -destination 192.168.100.10
192.168.100.10 is alive

C:\>dsquery computer -name vserver1 | dsget computer -disabled -sid -samid
  samid        sid                                              disabled
  VSERVER1$    S-1-5-21-3150332139-2813398079-754052488-1350    no
dsget succeeded

Hope that helps

/Matt

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

bsnyder27 · ‎2017-08-23

Thank you Matt for all of this information. Unfortunately, all of those commands work as expected.

vserver services name-service dns hosts show

The above command did show an error in our configuration that I am pretty certain we've corrected before. The DC listed and IP address for that DC did not match up though the IP address was an IP of another domain controller.

I honestly don't know why we configured this in the first place. It would explain why I only see errors for one of our 3 DCs as DC01 is the only host configured for the two SVMs reporting errors.

If our DNS servers are listed in the 'dns show' configuration, is there any need so specifiy them local? What is the use case for 'dns hosts create'?

bsnyder27 · ‎2017-08-23

So as it turned out, having the IP mismatch to the hostname in this 'dns hosts' configuration was causing these errors. Once I corrected it, the errors subsided. Still curious as to what this feature is for aside from creating a number of aliases for an IP address that are not records in DNS already.

View solution in original post

Authentication issues to Domain Controller

Re: Authentication issues to Domain Controller

Re: Authentication issues to Domain Controller

Re: Authentication issues to Domain Controller