I had a migration project for an old ONTAP environment, specifically ONTAP 8.3.2, so for verification I built the ONTAP 8.3.2 version of the ONTAP simulator in a virtual environment and tried to join it to Active Directory, which produced the error below. (The target Active Directory is built with Samba 4.14.5.)
ontap832::> vserver cifs create -cifs-server share226 -domain adosakana.local -vserver share226
In order to create an Active Directory machine account for the CIFS server, you
must supply the name and password of a Windows account with sufficient
privileges to add computers to the "CN=Computers" container within the
Enter the user name: administrator
Error: Machine account creation procedure failed
  [ 12154] Loaded the preliminary configuration.
  [ 12332] Created a machine account in the domain
  [ 12339] Successfully connected to 172.17.44.49:445 using TCP
  [ 12351] Unable to connect to LSA service on
           samba.adosakana.local (Error:
           RESULT_ERROR_GENERAL_FAILURE)
  [ 14357] TCP connection to 172.17.44.141:445 via interface
           172.17.44.236 failed: (Operation timed out).
  [ 14357] Could not open a socket to 'samba.adosakana.local'
  [ 14357] Unable to connect to LSA service on
           samba.adosakana.local (Error:
           RESULT_ERROR_SPINCLIENT_UNABLE_TO_RESOLVE_SERVER)
  [ 14357] No servers available for MS_LSA, vserver: 2, domain:
  [ 14357] FAILURE: Unable to make a connection (LSA:adosakana.local),
  [ 14357] Could not find Windows SID
           'S-1-5-21-937304154-1581684492-536532533-512'
  [ 14381] Deleted existing account
           'CN=SHARE226,CN=Computers,DC=adosakana,DC=local'
Error: command failed: Failed to create the Active Directory machine account
       "SHARE226". Reason: SecD Error: no server available.
This is a problem with the encryption settings, so check the configured items with "vserver cifs security show".
ontap832::> vserver cifs security show -vserver share226
                   Kerberos Clock Skew: - minutes
                   Kerberos Ticket Age: - hours
                  Kerberos Renewal Age: - days
                  Kerberos KDC Timeout: - seconds
       Is Password Complexity Required: -
  Use start_tls For AD LDAP connection: false
             Is AES Encryption Enabled: false
                LM Compatibility Level: lm-ntlm-ntlmv2-krb
            Is SMB Encryption Required: -
Plain ONTAP 8.3.2 (without a P release) has no setting for the related option "SMB2 Enabled for DC Connections".
ontap832::> version -node *
NetApp Release 8.3.2: Tue Feb 23 23:35:06 UTC 2016
Looking for an updater, I found 832P12_q_image.tgz (the link requires logging in to the NetApp support site first), so I updated with the same method as in "How to update the ONTAP 9.7 simulator".
ontap832::> version -node *
NetApp Release 8.3.2P12: Mon Aug 14 02:57:01 UTC 2017
On ONTAP 8.3.2P12, "SMB2 Enabled for DC Connections" exists.
ontap832::> vserver cifs security show -vserver share226
                   Kerberos Clock Skew: - minutes
                   Kerberos Ticket Age: - hours
                  Kerberos Renewal Age: - days
                  Kerberos KDC Timeout: - seconds
       Is Password Complexity Required: -
  Use start_tls For AD LDAP connection: false
             Is AES Encryption Enabled: false
                LM Compatibility Level: lm-ntlm-ntlmv2-krb
            Is SMB Encryption Required: -
       SMB1 Enabled for DC Connections: -
       SMB2 Enabled for DC Connections: -
Change the settings:
ontap832::> vserver cifs security modify -vserver share226 -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true
ontap832::> vserver cifs security show -vserver share226
                   Kerberos Clock Skew: - minutes
                   Kerberos Ticket Age: - hours
                  Kerberos Renewal Age: - days
                  Kerberos KDC Timeout: - seconds
                   Is Signing Required: -
       Is Password Complexity Required: -
  Use start_tls For AD LDAP connection: false
             Is AES Encryption Enabled: false
                LM Compatibility Level: lm-ntlm-ntlmv2-krb
            Is SMB Encryption Required: -
       SMB1 Enabled for DC Connections: false
       SMB2 Enabled for DC Connections: true
Then, join Active Directory:
ontap832::> vserver cifs create -cifs-server share226 -domain adosakana.local -vserver share226
In order to create an Active Directory machine account for the CIFS server, you
must supply the name and password of a Windows account with sufficient
privileges to add computers to the "CN=Computers" container within the
Enter the user name: administrator
Warning: An account by this name already exists in Active Directory at
         CN=SHARE226,CN=Computers,DC=adosakana,DC=local
Ok to reuse this account? {y|n}: y
This time it succeeded.
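As an added example (not code from the post or from NetApp), here is a small Python probe that sends an SMB2 NEGOTIATE to a domain controller on port 445 and reports which dialect the DC picks and whether it requires SMB signing. It is a pre-check for the situation above: if the DC answers SMB2 but the storage side can only use SMB1 for DC connections (plain ONTAP 8.3.2), the join will fail until the SMB2-for-DC-connections setting is available. The dialect list and the sample reply are constructed for the example, and the host name is assumed to be the DC from the post.

```python
import socket
import struct
import uuid

# SMB2 dialects offered by this probe, oldest first (constructed list, not from the post)
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0", 0x0302: "SMB 3.0.2"}
SMB2_NEGOTIATE = 0x0000
SIGNING_REQUIRED = 0x0002  # SecurityMode bit SMB2_NEGOTIATE_SIGNING_REQUIRED
SMB2_HEADER = "<4sHHIHHIIQIIQ16s"  # 64-byte SMB2 header layout

def build_negotiate_request(dialects=tuple(DIALECTS)):
    """Build a direct-TCP (port 445) SMB2 NEGOTIATE request offering the given dialects."""
    header = struct.pack(SMB2_HEADER, b"\xfeSMB", 64, 0, 0, SMB2_NEGOTIATE, 1,
                         0, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), 1, 0, 0, uuid.uuid4().bytes, 0)
    body += struct.pack("<%dH" % len(dialects), *dialects)
    msg = header + body
    return struct.pack(">I", len(msg)) + msg  # NetBIOS session header: 0x00 + 24-bit length

def parse_negotiate_response(raw):
    """Report the dialect the server chose and whether it requires SMB signing."""
    length = struct.unpack(">I", raw[:4])[0]
    msg = raw[4:4 + length]
    if msg[:4] != b"\xfeSMB":
        # An SMB1-only server answers with "\xffSMB" (or simply drops the connection)
        return {"smb2": False, "dialect": None, "signing_required": None}
    status, command = struct.unpack_from("<IH", msg, 8)
    if status != 0 or command != SMB2_NEGOTIATE:
        raise ValueError("unexpected reply: status=0x%08x command=%d" % (status, command))
    size, sec_mode, dialect = struct.unpack_from("<HHH", msg, 64)
    if size != 65:
        raise ValueError("bad NEGOTIATE response StructureSize %d" % size)
    return {"smb2": True, "dialect": DIALECTS.get(dialect, hex(dialect)),
            "signing_required": bool(sec_mode & SIGNING_REQUIRED)}

def probe(host, port=445, timeout=5):
    """Connect to a DC and return what it negotiates; run this from a host that can reach it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_negotiate_request())
        return parse_negotiate_response(sock.recv(4096))

# Constructed sample reply (not captured from the post's Samba DC): SMB 2.1 chosen, signing required
_hdr = struct.pack(SMB2_HEADER, b"\xfeSMB", 64, 0, 0, SMB2_NEGOTIATE, 1, 1, 0, 0, 0, 0, 0, b"\x00" * 16)
_body = struct.pack("<HHHH16sIIIIQQHHI", 65, 3, 0x0210, 0, b"\x00" * 16, *([0] * 9)) + b"\x00"
SAMPLE_RESPONSE = struct.pack(">I", len(_hdr) + len(_body)) + _hdr + _body
```

Against a live DC, call probe("samba.adosakana.local") from a machine on the same network; parse_negotiate_response(SAMPLE_RESPONSE) shows the output shape offline.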