# ldapsearch -x -D "cn=administrator,cn=users,dc=adsample,dc=local" -w "パスワード" -H ldap://192.168.122.10 -b "CN=testuser1,CN=Users,DC=adsample,dc=local" -s base
ldap_bind: Strong(er) authentication required (8)
additional info: 00002028: LdapErr: DSID-0C0903CB, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v65f4
#
# openssl s_client -connect 192.168.122.10:636
Connecting to 192.168.122.10
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 302 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
#
[global]
<略>
allow nt4 crypto = yes
reject md5 clients = no
server reject md5 schannel = no
server schannel = yes
server schannel require seal = no
<略>
ontap91::> vserver cifs create -cifs-server svm91 -domain ADOSAKANA.LOCAL
In order to create an Active Directory machine account for the CIFS server, you
must supply the name and password of a Windows account with sufficient
privileges to add computers to the "CN=Computers" container within the
"ADOSAKANA.LOCAL" domain.
Enter the user name: administrator
Enter the password:
Warning: An account by this name already exists in Active Directory at
CN=SVM91,CN=Computers,DC=adosakana,DC=local.
If there is an existing DNS entry for the name SVM91, it must be
removed. Data ONTAP cannot remove such an entry.
Use an external tool to remove it after this command completes.
Ok to reuse this account? {y|n}: y
Error: command failed: Failed to create CIFS server SVM91. Reason:
create_with_lug: RPC: Unable to receive; errno = Connection reset by
peer; netid=tcp fd=17 TO=600.0s TT=0.119s O=224b I=0b CN=113/3 VSID=-3
127.0.0.1:766.
ontap91::>
ONTAP 9.1P22 シミュレーター
ontap91::> vserver cifs create -cifs-server svm91 -domain ADOSAKANA.LOCAL
In order to create an Active Directory machine account for the CIFS server, you
must supply the name and password of a Windows account with sufficient
privileges to add computers to the "CN=Computers" container within the
"ADOSAKANA.LOCAL" domain.
Enter the user name: administrator
Enter the password:
Error: Machine account creation procedure failed
[ 56] Loaded the preliminary configuration.
[ 92] Successfully connected to ip 172.17.44.49, port 88 using
TCP
[ 107] Successfully connected to ip 172.17.44.49, port 389 using
TCP
[ 110] Unable to start TLS: Connect error
[ 110] Additional info:
[ 110] Unable to connect to LDAP (Active Directory) service on
sambaad.ADOSAKANA.LOCAL
**[ 110] FAILURE: Unable to make a connection (LDAP (Active
** Directory):ADOSAKANA.LOCAL), result: 7652
Error: command failed: Failed to create the Active Directory machine account
"SVM91". Reason: LDAP Error: Cannot establish a connection to the
server.
ontap91::>
ontap91::> vserver cifs create -cifs-server svm91 -domain ADOSAKANA.LOCAL
In order to create an Active Directory machine account for the CIFS server, you
must supply the name and password of a Windows account with sufficient
privileges to add computers to the "CN=Computers" container within the
"ADOSAKANA.LOCAL" domain.
Enter the user name: administrator
Enter the password:
Error: Machine account creation procedure failed
[ 61] Loaded the preliminary configuration.
[ 99] Successfully connected to ip 172.17.44.49, port 88 using
TCP
[ 168] Successfully connected to ip 172.17.44.49, port 389 using
TCP
[ 168] Entry for host-address: 172.17.44.49 not found in the
current source: FILES. Ignoring and trying next available
source
[ 172] Source: DNS unavailable. Entry for
host-address:172.17.44.49 not found in any of the
available sources
**[ 181] FAILURE: Unable to SASL bind to LDAP server using GSSAPI:
** Local error
[ 181] Additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more
information (Cannot determine realm for numeric host
address)
[ 181] Unable to connect to LDAP (Active Directory) service on
sambaad.ADOSAKANA.LOCAL (Error: Local error)
[ 181] Unable to make a connection (LDAP (Active
Directory):ADOSAKANA.LOCAL), result: 7643
Error: command failed: Failed to create the Active Directory machine account
"SVM91". Reason: LDAP Error: Local error occurred.
ontap91::>
ontap91::> vserver cifs create -cifs-server svm91 -domain ADOSAKANA.LOCAL
In order to create an Active Directory machine account for the CIFS server, you
must supply the name and password of a Windows account with sufficient
privileges to add computers to the "CN=Computers" container within the
"ADOSAKANA.LOCAL" domain.
Enter the user name: administrator
Enter the password:
Warning: An account by this name already exists in Active Directory at
CN=SVM91,CN=Computers,DC=adosakana,DC=local.
If there is an existing DNS entry for the name SVM91, it must be
removed. Data ONTAP cannot remove such an entry.
Use an external tool to remove it after this command completes.
Ok to reuse this account? {y|n}: y
Error: Machine account creation procedure failed
[ 13] Loaded the preliminary configuration.
[ 92] Created a machine account in the domain
[ 93] SID to name translations of Domain Users and Admins
completed successfully
[ 100] Modified account 'cn=SVM91,CN=Computers,dc=VM2,dc=ADOSAKANA
dc=LOCAL'
[ 101] Successfully connected to ip 172.17.44.49, port 88 using
TCP
[ 113] Successfully connected to ip 172.17.44.49, port 464 using
TCP
[ 242] Kerberos password set for 'SVM91$@ADOSAKANA.LOCAL' succeeded
[ 242] Set initial account password
[ 277] Successfully connected to ip 172.17.44.49, port 445 using
TCP
[ 312] Successfully connected to ip 172.17.44.49, port 88 using
TCP
[ 346] Successfully authenticated with DC
sambaad.ADOSAKANA.LOCAL
[ 366] Unable to connect to NetLogon service on
sambaad.ADOSAKANA.LOCAL (Error:
RESULT_ERROR_GENERAL_FAILURE)
**[ 366] FAILURE: Unable to make a connection
** (NetLogon:ADOSAKANA.LOCAL), result: 3
[ 366] Unable to make a NetLogon connection to
sambaad.ADOSAKANA.LOCAL using the new machine account
Error: command failed: Failed to create the Active Directory machine account
"SVM91". Reason: general failure.
ontap91::>
netapp9101::> vserver cifs create -vserver svm3 -cifs-server svm3 -domain adosakana.local
In order to create an Active Directory machine account for the CIFS server, you must supply the name and password of a Windows account with
sufficient privileges to add computers to the "CN=Computers" container within the "ADOSAKANA.LOCAL" domain.
Enter the user name: administrator
Enter the password:
Error: Machine account creation procedure failed
[ 47] Loaded the preliminary configuration.
[ 130] Created a machine account in the domain
[ 130] SID to name translations of Domain Users and Admins
completed successfully
[ 131] Successfully connected to ip 172.17.44.49, port 88 using
TCP
[ 142] Successfully connected to ip 172.17.44.49, port 464 using
TCP
[ 233] Kerberos password set for 'SVM3$@ADOSAKANA.LOCAL' succeeded
[ 233] Set initial account password
[ 244] Successfully connected to ip 172.17.44.49, port 445 using
TCP
[ 276] Successfully connected to ip 172.17.44.49, port 88 using
TCP
[ 311] Successfully authenticated with DC
adserver.adosakana.local
[ 324] Unable to connect to NetLogon service on
adserver.adosakana.local (Error:
RESULT_ERROR_GENERAL_FAILURE)
**[ 324] FAILURE: Unable to make a connection
** (NetLogon:ADOSAKANA.LOCAL), result: 3
[ 324] Unable to make a NetLogon connection to
adserver.adosakana.local using the new machine account
[ 346] Deleted existing account
'CN=SVM3,CN=Computers,DC=adosakana,DC=local'
Error: command failed: Failed to create the Active Directory machine account "SVM3". Reason: general failure.
netapp9101::>
その2: AES session key enabled for NetLogon channel 設定
上記を設定しても、下記の様なエラーとなった。
netapp9101::> vserver cifs create -vserver svm3 -cifs-server svm3 -domain vm2.adosakana.local
In order to create an Active Directory machine account for the CIFS server, you must supply the name and password of
a Windows account with sufficient privileges to add computers to the "CN=Computers" container within the
"ADOSAKANA.LOCAL" domain.
Enter the user name: administrator
Enter the password:
Error: Machine account creation procedure failed
[ 43] Loaded the preliminary configuration.
[ 133] Created a machine account in the domain
[ 133] SID to name translations of Domain Users and Admins
completed successfully
[ 134] Successfully connected to ip 172.17.44.49, port 88 using
TCP
[ 144] Successfully connected to ip 172.17.44.49, port 464 using
TCP
[ 226] Kerberos password set for 'SVM3$@ADOSAKANA.LOCAL' succeeded
[ 226] Set initial account password
[ 253] Successfully connected to ip 172.17.44.49, port 445 using
TCP
[ 284] Successfully connected to ip 172.17.44.49, port 88 using
TCP
[ 316] Successfully authenticated with DC
adserver.adosakana.local
[ 323] Encountered NT error (NT_STATUS_PENDING) for SMB command
Read
[ 327] Unable to connect to NetLogon service on
adserver.adosakana.local (Error:
RESULT_ERROR_GENERAL_FAILURE)
**[ 327] FAILURE: Unable to make a connection
** (NetLogon:ADOSAKANA.LOCAL), result: 3
[ 327] Unable to make a NetLogon connection to
adserver.adosakana.local using the new machine account
[ 344] Deleted existing account
'CN=SVM3,CN=Computers,DC=ADOSAKANA,DC=local'
Error: command failed: Failed to create the Active Directory machine account "SVM3". Reason: general failure.
netapp9101::>
netapp9101::> vserver cifs create -vserver svm3 -cifs-server svm3 -domain adosakana.local
In order to create an Active Directory machine account for the CIFS server, you must supply the name and password of
a Windows account with sufficient privileges to add computers to the "CN=Computers" container within the
"ADOSAKANA.LOCAL" domain.
Enter the user name: administrator
Enter the password:
Notice: SMB1 protocol version is obsolete and considered insecure. Therefore it is deprecated and disabled on this
CIFS server. Support for SMB1 might be removed in a future release. If required, use the (privilege: advanced)
"vserver cifs options modify -vserver svm3 -smb1-enabled true" to enable it.
netapp9101::>
ONTAP 9.7P22 (End of Limited Support 2025/07/31) ONTAP 9.8P18 (End of Limited Support 2025/12/31) ONTAP 9.9.1P15 (End of Limited Support 2026/06/30) ONTAP 9.10.1P12(End of Limited Support 2027/01/31) ONTAP 9.11.1P8 (End of Limited Support 2027/07/31) ONTAP 9.12.1P2 (End of Limited Support 2028/02/28)
netapp9101::> vserver cifs security modify -vserver svm0 -is-aes-encryption-enabled true
Info: In order to enable CIFS AES encryption, the password for the CIFS server
machine account must be reset. Enter the username and password for the
CIFS domain "ADOSAKANA.LOCAL".
Enter your user ID: administrator
Enter your password:
netapp9101::> vserver cifs security show -fields is-aes-encryption-enabled
vserver is-aes-encryption-enabled
------- -------------------------
Cluster -
Snapmirror-WAN
-
netapp9101
-
netapp9101-01
-
svm0 true
svm2 false
svm3 false
7 entries were displayed.
netapp9101::>