ONTAP Discussions

Connection with Kerberos authentication suddenly denied

yb

I have a FreeIPA server that also runs LDAP and DNS. Our ONTAP uses that information to verify Kerberos user credentials.

It has worked well for me for 3 months or so.

But today, all NFS clients using Kerberos authentication were denied access to the ONTAP storage.

 

I found this error message, which has been raised since 1am today:

secd.ldap.noServers: None of the LDAP servers configured for Vserver (vs1) are currently accessible via the network for LDAP service type (Service: LDAP (NIS & Name Mapping), Operation: GetUserInfoFromName).

 

 

So I believe they are related. Unfortunately, I don't know why it happened or how I can recover from it.

 

From the SSH shell in ONTAP, I checked with this command:

ldap check -vserver {vserver}

 

 

The very first time, it gave me an error. I ran 'ldapsearch' from our FreeIPA server and it raised a "GSSAPI" error.

I ran 'kinit admin' on the IdM server. After that, 'ldapsearch' successfully returned LDAP information, and 'ldap check' returned normal status again.

But I still get the above error once an hour, and Kerberos users still cannot access the storage.

 

Please shed some light on this. Thanks!

1 ACCEPTED SOLUTION
yb has accepted the solution

Ontapforrum

Could you check the following KBs? I don't know which one is relevant to your issue, but as you said, it suddenly stopped, so there must be something that caused it. I am hoping the clock is in sync, because Kerberos is time-sensitive. So ensure your NTP, FreeIPA client and storage are within a 5 minute offset.

Unable to authenticate to Cluster using FreeIPA LDAP:
https://kb.netapp.com/onprem/ontap/da/NAS/Unable_to_authenticate_to_Cluster_using_FreeIPA_LDAP

 

secd.ldap.noServers: None of the LDAP servers configured for Vserver (vs1) are currently accessible via the network for LDAP service type
https://kb.netapp.com/onprem/ontap/da/NAS/secd.ldap.noServers%3A_None_of_the_LDAP_servers_configured_for_Vserver_seen_in_the_log#:~:text=Preferred%20L....

 


secd.ldap.noServers messages every 4 hours during domain discovery
https://kb.netapp.com/onprem/ontap/da/NAS/secd.ldap.noServers_messages_every_4_hours_during_domain_discovery

 

"secd.ldap.noServers" in EMS when using SSL/TLS

https://kb.netapp.com/onprem/ontap/da/NAS/%22secd.ldap.noServers%22_in_EMS_when_using_SSL%2F%2F%2F%2FTLS

 

https://whyistheinternetbroken.wordpress.com/2020/03/24/nfs-kerberos-ontap-freeipa/

 

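The reply above hinges on clock skew: a KDC rejects Kerberos tickets whose timestamps fall outside its tolerated skew (300 seconds in MIT krb5's default [libdefaults] clockskew), and NFS Kerberos mounts on ONTAP fail with them. The following is an added example, not code from this thread or from NetApp: a minimal SNTP client that measures the offset between the host it runs on and an NTP server (for instance the FreeIPA server, if chronyd serves time there) and reports whether that offset is within the 300 second Kerberos tolerance. The server name `ipa.example.com`, the 400 second skew in the offline demo and all sample timestamps are constructed for illustration.

```python
import socket
import struct
import time

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_TO_UNIX = 2208988800
# MIT Kerberos default clockskew (krb5.conf [libdefaults] clockskew), in seconds.
KRB5_MAX_SKEW = 300


def unix_to_ntp(ts):
    """Convert a Unix float timestamp to a 64-bit NTP timestamp (32.32 fixed point)."""
    secs = int(ts) + NTP_TO_UNIX
    frac = int((ts - int(ts)) * (1 << 32))
    return (secs << 32) | frac


def ntp_to_unix(raw):
    """Convert a 64-bit NTP timestamp back to a Unix float timestamp."""
    return (raw >> 32) - NTP_TO_UNIX + (raw & 0xFFFFFFFF) / (1 << 32)


def build_request(t1):
    """Build a 48-byte NTPv4 client request whose Transmit Timestamp is t1 (Unix time)."""
    pkt = bytearray(48)
    pkt[0] = 0x23  # LI=0, VN=4, Mode=3 (client)
    struct.pack_into("!Q", pkt, 40, unix_to_ntp(t1))
    return bytes(pkt)


def parse_response(pkt, t4):
    """Parse a server reply received at local time t4; return (offset, delay, stratum).

    offset > 0 means the server clock is ahead of the local clock (RFC 5905 formulas).
    """
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    mode = pkt[0] & 0x07
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    stratum = pkt[1]
    if stratum == 0:
        # Kiss-o'-Death: the server refuses service and its timestamps are meaningless.
        raise ValueError("kiss-o'-death: %s" % pkt[12:16].decode("ascii", "replace"))
    orig, recv, xmit = struct.unpack("!QQQ", pkt[24:48])
    t1, t2, t3 = ntp_to_unix(orig), ntp_to_unix(recv), ntp_to_unix(xmit)
    offset = ((t2 - t1) + (t3 - t4)) / 2.0
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay, stratum


def within_kerberos_skew(offset, max_skew=KRB5_MAX_SKEW):
    """True if |offset| is inside the skew a KDC will tolerate."""
    return abs(offset) <= max_skew


def query_server(host, port=123, timeout=2.0):
    """Send one request to a real NTP server and return (offset, delay, stratum)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(t1), (host, port))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    return parse_response(data, t4)


def make_server_reply(request, t2, t3, stratum=2):
    """Construct the reply a server would send; used only for the offline demo."""
    pkt = bytearray(48)
    pkt[0] = 0x24  # LI=0, VN=4, Mode=4 (server)
    pkt[1] = stratum
    pkt[24:32] = request[40:48]                        # Originate = client's Transmit
    struct.pack_into("!Q", pkt, 32, unix_to_ntp(t2))   # Receive timestamp
    struct.pack_into("!Q", pkt, 40, unix_to_ntp(t3))   # Transmit timestamp
    return bytes(pkt)


def demo_skewed_server():
    """Offline demo with constructed timestamps: server clock 400 s ahead, past the 300 s limit."""
    t1 = 1700000000.0                    # local send time (constructed)
    req = build_request(t1)
    t2 = t1 + 400.0 + 0.010              # server receive; its clock runs 400 s fast
    t3 = t2 + 0.001                      # server transmit 1 ms later
    t4 = t1 + 0.020                      # local receive, 20 ms round trip
    offset, delay, stratum = parse_response(make_server_reply(req, t2, t3), t4)
    return offset, delay, stratum, within_kerberos_skew(offset)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        off, dly, strat = query_server(sys.argv[1])   # e.g. ipa.example.com (hypothetical)
    else:
        off, dly, strat, _ = demo_skewed_server()
    print("offset %+.3f s, delay %.3f s, stratum %d, kerberos ok: %s"
          % (off, dly, strat, within_kerberos_skew(off)))
```

Run it with a hostname to measure against a live server, or with no argument for the offline demo. It measures only the clock of the host it runs on, so compare that result with `cluster date show` on the ONTAP cluster and `date` on the FreeIPA server: it is the skew among those three clocks, not any one of them, that the KDC enforces.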


yb

@Ontapforrum Thank you again for your advice!

Actually, I hadn't set an NTP server for Kerberos authentication at all. Because we didn't block internet access in our studio, I thought it would be OK.

I guess the time originally set in ONTAP has been skewing ever since then.

After I set up the NTP server, everything is back to working!