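NetWorker: AD over SSL user logins fail after external authentication is added or updated in NetWorker 19.11

Summary: NetWorker is integrated with an external authority using the "AD over SSL" option. The external authentication was either added in 19.11, or was created in an earlier integration and updated in 19.11.x. AD user logins fail with "invalid username or password" even though the credentials are correct.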


Symptoms

  • AD over SSL authentication in NetWorker fails and returns "invalid username or password".

  • Checking user/group membership for an AD user with the authc_mgmt command reports that the user/group cannot be found.
authc_mgmt -u Administrator -p 'NMC_ADMIN_PASSWORD' -e query-ldap-users-for-group -D query-tenant=TENANT_NAME -D query-domain=DOMAIN_NAME -D group-name=AD_GROUP_NAME
Or:
authc_mgmt -u Administrator -p 'NMC_ADMIN_PASSWORD' -e query-groups-for-user -D query-tenant=TENANT_NAME -D query-domain=DOMAIN_NAME -D user-name=AD_USER_NAME
This reports:
404: Server message: A group/user with the name GROUP/USER_NAME does not exist in authority EXTERNAL_AUTHORITY_RESOURCE_NAME
Example:
nve:~ # authc_mgmt -u Administrator -p '!Password1' -e query-ldap-users-for-group -D query-tenant=default -D query-domain=networker.lan -D group-name=NetWorker_Admins
ERROR [main] (DefaultLogger.java:222) - Error while performing Operation:
com.emc.brs.auth.common.exception.BRHttpErrorException: 404 . Server message: A group with the name NetWorker_Admins does not exist in authority LDAPS
        at com.emc.brs.auth.client.template.impl.DefaultBRResponseErrorHandler.handleError(DefaultBRResponseErrorHandler.java:65) ~[auth-cli-with-dependencies.jar:?]
        at org.springframework.web.client.ResponseErrorHandler.handleError(ResponseErrorHandler.java:63) ~[auth-cli-with-dependencies.jar:?]
        at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:825) ~[auth-cli-with-dependencies.jar:?]
        at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:783) ~[auth-cli-with-dependencies.jar:?]
        at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:717) ~[auth-cli-with-dependencies.jar:?]
        at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:637) ~[auth-cli-with-dependencies.jar:?]
        at com.emc.brs.auth.client.service.impl.DefaultBRAdminUserService.getLdapUserListForGroup(DefaultBRAdminUserService.java:239) ~[auth-cli-with-dependencies.jar:?]
        at com.emc.brs.auth.cli.commands.LdapUserGroupCommand.queryUsersForGroup(LdapUserGroupCommand.java:134) ~[auth-cli-with-dependencies.jar:?]
        at com.emc.brs.auth.cli.commands.LdapUserGroupCommand.execute(LdapUserGroupCommand.java:77) ~[auth-cli-with-dependencies.jar:?]
        at com.emc.brs.auth.cli.core.AuthMgmtCmdExecutor.execute(AuthMgmtCmdExecutor.java:142) [auth-cli-with-dependencies.jar:?]
        at com.emc.brs.auth.cli.core.AuthMgmt.executeCommand(AuthMgmt.java:170) [auth-cli-with-dependencies.jar:?]
        at com.emc.brs.auth.cli.core.AuthMgmt.main(AuthMgmt.java:79) [auth-cli-with-dependencies.jar:?]
ERROR [main] (DefaultLogger.java:190) - Error executing command. Failure: 404 . Server message: A group with the name NetWorker_Admins does not exist in authority LDAPS
Error executing command. Failure: 404 . Server message: A group with the name NetWorker_Admins does not exist in authority LDAPS
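Note: Verify whether the reported user/group exists in Active Directory. See the Additional Information field for commands that validate this directly from the domain server.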

Cause

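This issue has been raised with NetWorker engineering.

The default parameters in the Advanced Configuration tab are ones that Active Directory does not typically use:

These values are typically used for LDAP servers (for example, OpenLDAP). The defaults commonly used for Microsoft Active Directory are: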

Resolution

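This issue will be resolved in the following NetWorker versions:

  • 19.10.0.7 (January 2025)
  • 19.11.0.4 (February 2025)

Workaround:

From the NetWorker Web User Interface (NWUI), edit the external authority resource to use the default parameters in the Advanced Configuration tab:

  • Group Object Class: group
  • Group Member Attribute: member
  • User Object Class: person user
  • User ID Attribute: sAMAccountName

Save the changes and confirm whether AD over SSL authentication works with NetWorker interfaces such as the NetWorker Management Console (NMC) or NWUI.

Note: If the issue persists after these changes, consult the domain administrator to confirm the correct values in Active Directory. The Additional Information field contains PowerShell commands that can be run on the AD server to determine the values required for these fields.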

Additional Information

You can use the following PowerShell commands on the domain server to confirm AD group membership.

Show which AD users belong to a group:

Get-ADGroupMember -Identity "AD_GROUP_NAME" | Select-Object Name, SamAccountName, ObjectClass, DistinguishedName

Show which AD groups a user belongs to:

Get-ADUser -Identity "AD_USER_NAME" -Properties MemberOf | Select-Object -ExpandProperty MemberOf | ForEach-Object { Get-ADGroup $_ | Select-Object Name, ObjectClass, DistinguishedName }
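
The workaround values can also be checked against the directory before they are saved. The following PowerShell is an added example, not part of the original article or of Dell's tooling. The function names are hypothetical, and it assumes that the four Advanced Configuration fields are used as LDAP object class and attribute names, that the group is matched on cn, and that "person user" means the two classes person and user.

```powershell
# Added example: test candidate Advanced Configuration values against AD.
# Requires the ActiveDirectory module (RSAT) on a domain-joined host.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape RFC 4515 special characters so a name cannot alter the filter.
    [regex]::Replace($Value, '[\\*()\x00]',
        { param($m) '\{0:x2}' -f [int][char]$m.Value })
}

function Test-NwAdConfigValue {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$UserName,
        [string]$GroupObjectClass     = 'group',
        [string]$GroupMemberAttribute = 'member',
        # Assumption: the listed value "person user" is two class names.
        [string[]]$UserObjectClass    = @('person', 'user'),
        [string]$UserIdAttribute      = 'sAMAccountName'
    )
    $g = ConvertTo-LdapFilterValue $GroupName
    $u = ConvertTo-LdapFilterValue $UserName

    # Assumption: the group is looked up by cn.
    $groupFilter = '(&(objectClass={0})(cn={1}))' -f $GroupObjectClass, $g
    $classTerms  = -join ($UserObjectClass | ForEach-Object { "(objectClass=$_)" })
    $userFilter  = '(&{0}({1}={2}))' -f $classTerms, $UserIdAttribute, $u

    $group = Get-ADObject -LDAPFilter $groupFilter -Properties $GroupMemberAttribute |
             Select-Object -First 1
    $user  = Get-ADObject -LDAPFilter $userFilter -Properties $UserIdAttribute |
             Select-Object -First 1

    [pscustomobject]@{
        GroupFound      = [bool]$group
        UserFound       = [bool]$user
        # Direct membership only: is the user's DN listed in the member attribute?
        UserInGroupAttr = [bool]($group -and $user -and
            (@($group.$GroupMemberAttribute) -contains $user.DistinguishedName))
        GroupFilter     = $groupFilter
        UserFilter      = $userFilter
    }
}

# Placeholders, as in the commands above.
Test-NwAdConfigValue -GroupName 'AD_GROUP_NAME' -UserName 'AD_USER_NAME'
```

If GroupFound or UserFound is False for an object that the Get-ADGroupMember and Get-ADUser commands above do return, the object class or attribute value passed to the function does not match the directory.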

Affected Products

NetWorker

Products

NetWorker Family
Article Properties
Article Number: 000247256
Article Type: Solution
Last Modified: 02 Apr 2025
Version:  4