Old ONTAP cannot join Active Directory

I had a migration project for an old ONTAP, specifically an ONTAP 8.3.2 environment, so for verification I built the ONTAP 8.3.2 version of the ONTAP Simulator in a virtual environment and tried to join it to Active Directory. That produced the error below. (The target Active Directory is built with Samba 4.14.5.)

ontap832::> vserver cifs create -cifs-server share226 -domain adosakana.local -vserver share226

In order to create an Active Directory machine account for the CIFS server, you
must supply the name and password of a Windows account with sufficient
privileges to add computers to the "CN=Computers" container within the
ADOSAKANA.LOCAL domain.

Enter the user name: administrator

Enter the password:

Error: Machine account creation procedure failed
  [ 12154] Loaded the preliminary configuration.
  [ 12332] Created a machine account in the domain
  [ 12339] Successfully connected to 172.17.44.49:445 using TCP
  [ 12351] Unable to connect to LSA service on
           samba.adosakana.local (Error:
           RESULT_ERROR_GENERAL_FAILURE)
  [ 14357] TCP connection to 172.17.44.141:445 via interface
           172.17.44.236 failed: (Operation timed out).
  [ 14357] Could not open a socket to 'samba.adosakana.local'
  [ 14357] Unable to connect to LSA service on
           samba.adosakana.local (Error:
           RESULT_ERROR_SPINCLIENT_UNABLE_TO_RESOLVE_SERVER)
  [ 14357] No servers available for MS_LSA, vserver: 2, domain:
           adosakana.local.
  [ 14357] FAILURE: Unable to make a connection (LSA:adosakana.local),
           result: 6940
  [ 14357] Could not find Windows SID
           'S-1-5-21-937304154-1581684492-536532533-512'
  [ 14381] Deleted existing account
           'CN=SHARE226,CN=Computers,DC=adosakana,DC=local'

Error: command failed: Failed to create the Active Directory machine account
       "SHARE226". Reason: SecD Error: no server available.

ontap832::>

This is an encryption problem, so check the settings with "vserver cifs security show".

ontap832::> vserver cifs security show -vserver share226

Vserver: share226

                    Kerberos Clock Skew:                   - minutes
                    Kerberos Ticket Age:                   - hours
                   Kerberos Renewal Age:                   - days
                   Kerberos KDC Timeout:                   - seconds
                    Is Signing Required:                   -
        Is Password Complexity Required:                   -
   Use start_tls For AD LDAP connection:               false
              Is AES Encryption Enabled:               false
                 LM Compatibility Level:  lm-ntlm-ntlmv2-krb
             Is SMB Encryption Required:                   -

ontap832::>

Plain ONTAP 8.3.2 (no patch level) has no item for the relevant option, "SMB2 Enabled for DC Connections".

ontap832::> version -node *

ontap832-01:
NetApp Release 8.3.2: Tue Feb 23 23:35:06 UTC 2016


ontap832::>

Searching for an update, I found 832P12_q_image.tgz (the link requires logging in to the NetApp Support Site first), so I applied it using the same procedure as in "How to update the ONTAP 9.7 simulator".

ontap832::> version -node *

ontap832-01:
NetApp Release 8.3.2P12: Mon Aug 14 02:57:01 UTC 2017


ontap832::>

With ONTAP 8.3.2P12, "SMB2 Enabled for DC Connections" is present.

ontap832::> vserver cifs security show -vserver share226

Vserver: share226

                    Kerberos Clock Skew:                   - minutes
                    Kerberos Ticket Age:                   - hours
                   Kerberos Renewal Age:                   - days
                   Kerberos KDC Timeout:                   - seconds
                    Is Signing Required:                   -
        Is Password Complexity Required:                   -
   Use start_tls For AD LDAP connection:               false
              Is AES Encryption Enabled:               false
                 LM Compatibility Level:  lm-ntlm-ntlmv2-krb
             Is SMB Encryption Required:                   -
        SMB1 Enabled for DC Connections:                   -
        SMB2 Enabled for DC Connections:                   -

ontap832::>

Change the settings: disable SMB1 for DC connections and enable SMB2.

ontap832::> vserver cifs security modify -vserver share226 -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true

ontap832::> vserver cifs security show -vserver share226

Vserver: share226

                    Kerberos Clock Skew:                   - minutes
                    Kerberos Ticket Age:                   - hours
                   Kerberos Renewal Age:                   - days
                   Kerberos KDC Timeout:                   - seconds
                    Is Signing Required:                   -
        Is Password Complexity Required:                   -
   Use start_tls For AD LDAP connection:               false
              Is AES Encryption Enabled:               false
                 LM Compatibility Level:  lm-ntlm-ntlmv2-krb
             Is SMB Encryption Required:                   -
        SMB1 Enabled for DC Connections:               false
        SMB2 Enabled for DC Connections:                true

ontap832::>

Then join Active Directory again:

ontap832::> vserver cifs create -cifs-server share226 -domain adosakana.local -vserver share226

In order to create an Active Directory machine account for the CIFS server, you
must supply the name and password of a Windows account with sufficient
privileges to add computers to the "CN=Computers" container within the
ADOSAKANA.LOCAL domain.

Enter the user name: administrator

Enter the password:

Warning: An account by this name already exists in Active Directory at
         CN=SHARE226,CN=Computers,DC=adosakana,DC=local
         Ok to reuse this account? {y|n}: y

ontap832::>

This time it succeeded.
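As an added example (not code from the original post or from NetApp/Samba), here is a small Python check a defender can run against the DC before touching the ONTAP setting: it sends one SMB2 NEGOTIATE offering only the SMB 2.0.2 and 2.1 dialects that ONTAP 8.3's DC connections use, and reports which dialect the server picks and whether it requires signing. The host name, port and the constructed sample reply are assumptions.

```python
import socket
import struct
import uuid

# SMB2 dialect identifiers from MS-SMB2; ONTAP 8.3 DC connections use SMB 2.x.
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1"}

def build_negotiate_request(dialects=(0x0202, 0x0210)):
    """NetBIOS-framed SMB2 NEGOTIATE request offering only SMB2 dialects."""
    # 64-byte SMB2 header: ProtocolId, StructureSize, CreditCharge, Status,
    # Command (0 = NEGOTIATE), CreditRequest, Flags, NextCommand, MessageId,
    # Reserved, TreeId, SessionId, Signature.
    header = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, 0, 1, 0, 0,
                         0, 0, 0, 0, b"\0" * 16)
    # Body: StructureSize 36, DialectCount, SecurityMode (1 = signing enabled),
    # Reserved, Capabilities, ClientGuid, ClientStartTime, then the dialects.
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), 1, 0, 0,
                       uuid.uuid4().bytes, 0)
    body += struct.pack("<%dH" % len(dialects), *dialects)
    msg = header + body
    return struct.pack(">I", len(msg)) + msg  # 4-byte NetBIOS session header

def parse_negotiate_response(data):
    """Interpret the first reply. None means the peer did not answer in SMB2
    (an 0xFF 'SMB' reply would come from an SMB1-only server)."""
    if len(data) < 4 + 64 + 6 or data[4:8] != b"\xfeSMB":
        return None
    status = struct.unpack_from("<I", data, 4 + 8)[0]
    _, sec_mode, dialect = struct.unpack_from("<HHH", data, 4 + 64)
    return {"status": status,
            "dialect": DIALECTS.get(dialect, "0x%04x" % dialect),
            "signing_required": bool(sec_mode & 0x02)}

def probe(host, port=445, timeout=5):
    """Send one NEGOTIATE to host:port (e.g. the DC) and interpret the answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        return parse_negotiate_response(s.recv(4096))

def sample_response(dialect=0x0210, sec_mode=0x03):
    """Constructed SMB2 NEGOTIATE reply (not a real capture) for offline use."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, 0, 1, 1, 0,
                         0, 0, 0, 0, b"\0" * 16)
    # Response body starts: StructureSize 65, SecurityMode, DialectRevision,
    # Reserved, ServerGuid (only the fields this check needs).
    body = struct.pack("<HHHH16s", 65, sec_mode, dialect, 0, b"\0" * 16)
    msg = header + body
    return struct.pack(">I", len(msg)) + msg

if __name__ == "__main__":
    print(parse_negotiate_response(sample_response()))  # offline demo
```

Run `probe("samba.adosakana.local")` against the real DC; a reply of `None` or a dialect other than SMB 2.x explains a failing LSA connection before any ONTAP change is made.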
