PowerScale - Users from an external trust cannot authenticate to the cluster when RFC2307 is enabled

Summary: An Active Directory authentication provider has been added to the cluster with RFC2307 enabled. Users from a one-way external trust learned through this provider cannot authenticate to the cluster. Attempts to list or view users in that domain fail.


Symptoms

An Active Directory authentication provider has been added to the cluster with RFC2307 enabled.

Users from a one-way external trust learned through this provider cannot authenticate to the cluster.

Attempts to list or view users in that domain also fail.

To confirm that this issue is present, check the following items.

1. RFC2307 is enabled on the Active Directory authentication provider (SFU Support: rfc2307):
 
prod-2# isi auth ads list -v
                     Name: DOMAIN.COM
          Machine Account: PROD$
           Authentication: Yes
                 Groupnet: groupnet0

                   Status: online
           Primary Domain: DOMAIN.COM
                   Forest: domain.com
                     Site: Default-First-Site-Name
           NetBIOS Domain: DOMAIN
                 Hostname: prod.domain.com
          Controller Time: 2023-06-16T10:14:06
         Node DC Affinity: -
 Node DC Affinity Timeout: -

          NSS Enumeration: No
              SFU Support: rfc2307
       Store SFU Mappings: No

        Ignore All Trusts: No
  Ignored Trusted Domains: -
  Include Trusted Domains: -
      Extra Expected SPNs: -
    Domain Offline Alerts: No
       LDAP Sign And Seal: No

             Lookup Users: Yes
   Lookup Normalize Users: Yes
            Allocate UIDs: Yes
  Lookup Normalize Groups: Yes
            Allocate GIDs: Yes
           Lookup Domains: -
            Lookup Groups: Yes

    Assume Default Domain: No
    Check Online Interval: 5m
 Machine Password Changes: Yes
Machine Password Lifespan: 4W2D
    Create Home Directory: No
  Home Directory Template: /ifs/home/%D/%U
        Unfindable Groups: -
         Unfindable Users: -
          Findable Groups: -
           Findable Users: -
        Restrict Findable: No
         RPC Call Timeout: 1m
       Server Retry Limit: 5
              Login Shell: /bin/zsh
             Creator Zone: System


2. From the cluster's point of view, the trust through which the affected users are learned must be an external trust. This applies to both one-way and two-way trusts.


One-way external trust:

        [Domain: DEV]

                DNS Domain:       dev.com
                Netbios name:     dev
                Forest name:
                Trustee DNS name: DOMAIN.COM
                Client site name:
                Domain SID:       S-1-5-21-586728154-3739561872-3933139605
                Domain GUID:      00000000-0000-0000-0000-000000000000
                Trust Flags:      [0x0002]
                                  [0x0002 - Outbound]
                Trust type:       Up Level
                Trust Attributes: [0x0004]
                                  [0x0004 - Filter SIDs]
                Trust Direction:  Oneway Trust
                Trust Mode:       External Trust (ET)
                Domain flags:     [0x0000]

Two-way external trust:
        [Domain: DEV]

                DNS Domain:       dev.com
                Netbios name:     dev
                Forest name:
                Trustee DNS name: DOMAIN.COM
                Client site name:
                Domain SID:       S-1-5-21-586728154-3739561872-3933139605
                Domain GUID:      00000000-0000-0000-0000-000000000000
                Trust Flags:      [0x0022]
                                  [0x0002 - Outbound]
                                  [0x0020 - Inbound]
                Trust type:       Up Level
                Trust Attributes: [0x0004]
                                  [0x0004 - Filter SIDs]
                Trust Direction:  Twoway Trust
                Trust Mode:       External Trust (ET)
                Domain flags:     [0x0000]

3. When a user lookup is performed, the affected domain is "marked skip" in /var/log/lsassd.log at debug verbosity:
 
2023-06-16T10:15:25.878038+00:00  prod-2(id2) lsass[2798]: [lsass] DEBUG:0x803c3f810:File_FindUserObjectByName():lsass/server/auth-providers/file-provider/fpuser.c:224: Error code: 40017 (symbol: LW_ERROR_NOT_HANDLED)
2023-06-16T10:15:25.878347+00:00  prod-2(id2) lsass[2798]: [lsass] DEBUG:0x803c3f810:LsaIsi_FindDomainByName():lsass/server/api/isiutil.c:4816: Error code: 40017 (symbol: LW_ERROR_NOT_HANDLED)
2023-06-16T10:15:25.878452+00:00  prod-2(id2) lsass[2798]: [lsass] DEBUG:0x803c3f810:AD_FindObjects():lsass/server/auth-providers/ad-open-provider/provider-main.c:6453: Error code: 40017 (symbol: LW_ERROR_NOT_HANDLED)
2023-06-16T10:15:25.878521+00:00  prod-2(id2) lsass[2798]: [lsass] DEBUG:0x803c3f810:LsaSrvIsLocalDomain():lsass/server/api/provider.c:243: Error code: 40017 (symbol: LW_ERROR_NOT_HANDLED)
2023-06-16T10:15:25.878581+00:00  prod-2(id2) lsass[2798]: [lsass] DEBUG:0x803c3f810:LsaAdBatchCreateDomainEntry():lsass/server/auth-providers/ad-open-provider/batch.c:398: Trusted domain dev.com' is marked skip

Cause

When RFC2307 is enabled, the following must happen.

The provider through which the cluster learns the trust needs access to the Global Catalog of the trusted domain, so that it can look up attributes such as the UID or GID.

On an external trust type relationship, the cluster lacks the permissions to do this, so authentication fails.

Resolution

A gconfig was added in OneFS 8.1.2 that allows users in an external trusted domain to authenticate to the cluster with RFC2307 enabled.

For a two-way external trust, the cluster must be running OneFS 8.1.2 or later. In addition, the following gconfig must be enabled:

registry.Services.lsass.Parameters.AdditionalFlags

This option can be set as follows:

isi_gconfig registry.Services.lsass.Parameters.AdditionalFlags=1

For a one-way external trust, the cluster must be running OneFS 9.5.0.4 or later, and the gconfig above must be enabled.
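As an added triage example (this is not from the Dell article and is not OneFS tooling), the shell script below checks the three symptoms listed above against captured text: an excerpt of `isi auth ads list -v`, the trust listing for the affected domain, and lines from /var/log/lsassd.log. The sample inputs are constructed from the output shown in this article; the function names are assumptions. The script only reports whether the condition matches and which OneFS version and gconfig the article calls for; it changes nothing on the cluster.

```shell
#!/bin/sh
# Added triage helper (not from the Dell article): checks the three symptoms
# described in this article against captured command output and log lines.
# All inputs below are constructed samples modelled on the article's output.

# Constructed excerpt of `isi auth ads list -v`.
ADS_OUTPUT='                     Name: DOMAIN.COM
              SFU Support: rfc2307
        Ignore All Trusts: No'

# Constructed excerpt of the trust listing for the affected domain.
TRUST_OUTPUT='        [Domain: DEV]
                DNS Domain:       dev.com
                Trust Direction:  Oneway Trust
                Trust Mode:       External Trust (ET)'

# Constructed line modelled on /var/log/lsassd.log at debug verbosity.
LSASS_LOG="2023-06-16T10:15:25.878581+00:00  prod-2(id2) lsass[2798]: [lsass] DEBUG:0x803c3f810:LsaAdBatchCreateDomainEntry():lsass/server/auth-providers/ad-open-provider/batch.c:398: Trusted domain dev.com' is marked skip"

# Symptom 1: the provider has SFU Support set to rfc2307. Returns 0 when true.
rfc2307_enabled() {
    printf '%s\n' "$1" | grep -q 'SFU Support: *rfc2307'
}

# Symptom 2: the trust mode is External Trust (ET). Returns 0 when true.
trust_is_external() {
    printf '%s\n' "$1" | grep -q 'Trust Mode: *External Trust'
}

# Symptom 3: print each domain name the log reports as "marked skip".
skipped_domains() {
    printf '%s\n' "$1" | sed -n "s/.*Trusted domain \([^']*\)' is marked skip.*/\1/p"
}

# Minimum OneFS version given in the article for the trust direction found.
required_onefs_version() {
    case "$1" in
        *'Oneway Trust'*) echo '9.5.0.4' ;;
        *'Twoway Trust'*) echo '8.1.2' ;;
        *) echo 'unknown' ;;
    esac
}

# Combine the checks: prints "affected" plus the remediation from the article,
# or "not-affected" when any symptom is missing. Nothing is changed on the cluster.
triage() {
    ads="$1"; trust="$2"; log="$3"
    skipped=$(skipped_domains "$log")
    if rfc2307_enabled "$ads" && trust_is_external "$trust" && [ -n "$skipped" ]; then
        echo "affected: domain(s) $skipped marked skip"
        echo "required: OneFS $(required_onefs_version "$trust") or later"
        echo "remediation: isi_gconfig registry.Services.lsass.Parameters.AdditionalFlags=1"
    else
        echo "not-affected"
    fi
}

triage "$ADS_OUTPUT" "$TRUST_OUTPUT" "$LSASS_LOG"
```

To use it against a real cluster, replace the three constructed variables with the actual output of `isi auth ads list -v`, the trust listing, and the relevant lsassd.log lines; the `Trust Direction` match decides whether the 8.1.2 or the 9.5.0.4 minimum applies.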

 

Affected Products

PowerScale OneFS
Article Properties
Article Number: 000215063
Article Type: Solution
Last Modified: 26 Nov 2024
Version:  5