PowerScale: Users from an external trust cannot authenticate to the cluster when RFC2307 is enabled.
Summary: An Active Directory authentication provider is added to the cluster with RFC2307 enabled. Users from a one-way external trust learned through this provider cannot authenticate to the cluster. Attempts to list or view users from that domain fail.
Symptoms
An Active Directory authentication provider is added to the cluster with RFC2307 enabled.
Users from a one-way external trust learned through this provider cannot authenticate to the cluster.
Attempts to list or view users from that domain also fail.
To confirm this issue, check the following.
1. The Active Directory authentication provider has RFC2307 enabled:
prod-2# isi auth ads list -v
Name: DOMAIN.COM
Machine Account: PROD$
Authentication: Yes
Groupnet: groupnet0
Status: online
Primary Domain: DOMAIN.COM
Forest: domain.com
Site: Default-First-Site-Name
NetBIOS Domain: DOMAIN
Hostname: prod.domain.com
Controller Time: 2023-06-16T10:14:06
Node DC Affinity: -
Node DC Affinity Timeout: -
NSS Enumeration: No
SFU Support: rfc2307
Store SFU Mappings: No
Ignore All Trusts: No
Ignored Trusted Domains: -
Include Trusted Domains: -
Extra Expected SPNs: -
Domain Offline Alerts: No
LDAP Sign And Seal: No
Lookup Users: Yes
Lookup Normalize Users: Yes
Allocate UIDs: Yes
Lookup Normalize Groups: Yes
Allocate GIDs: Yes
Lookup Domains: -
Lookup Groups: Yes
Assume Default Domain: No
Check Online Interval: 5m
Machine Password Changes: Yes
Machine Password Lifespan: 4W2D
Create Home Directory: No
Home Directory Template: /ifs/home/%D/%U
Unfindable Groups: -
Unfindable Users: -
Findable Groups: -
Findable Users: -
Restrict Findable: No
RPC Call Timeout: 1m
Server Retry Limit: 5
Login Shell: /bin/zsh
Creator Zone: System
2. From the cluster's perspective, the trust the affected user comes from must be an External trust. This applies to both one-way and two-way trusts.
One-way external:
[Domain: DEV]
DNS Domain: dev.com
Netbios name: dev
Forest name:
Trustee DNS name: DOMAIN.COM
Client site name:
Domain SID: S-1-5-21-586728154-3739561872-3933139605
Domain GUID: 00000000-0000-0000-0000-000000000000
Trust Flags: [0x0002]
[0x0002 - Outbound]
Trust type: Up Level
Trust Attributes: [0x0004]
[0x0004 - Filter SIDs]
Trust Direction: Oneway Trust
Trust Mode: External Trust (ET)
Domain flags: [0x0000]
Two-way external:
[Domain: DEV]
DNS Domain: dev.com
Netbios name: dev
Forest name:
Trustee DNS name: DOMAIN.COM
Client site name:
Domain SID: S-1-5-21-586728154-3739561872-3933139605
Domain GUID: 00000000-0000-0000-0000-000000000000
Trust Flags: [0x0022]
[0x0002 - Outbound]
[0x0020 - Inbound]
Trust type: Up Level
Trust Attributes: [0x0004]
[0x0004 - Filter SIDs]
Trust Direction: Twoway Trust
Trust Mode: External Trust (ET)
Domain flags: [0x0000]
3. When a user lookup is performed, the affected domain is "marked skip" in /var/log/lsassd.log at debug verbosity:
2023-06-16T10:15:25.878038+00:00 prod-2(id2) lsass[2798]: [lsass] DEBUG:0x803c3f810:File_FindUserObjectByName():lsass/server/auth-providers/file-provider/fpuser.c:224: Error code: 40017 (symbol: LW_ERROR_NOT_HANDLED)
2023-06-16T10:15:25.878347+00:00 prod-2(id2) lsass[2798]: [lsass] DEBUG:0x803c3f810:LsaIsi_FindDomainByName():lsass/server/api/isiutil.c:4816: Error code: 40017 (symbol: LW_ERROR_NOT_HANDLED)
2023-06-16T10:15:25.878452+00:00 prod-2(id2) lsass[2798]: [lsass] DEBUG:0x803c3f810:AD_FindObjects():lsass/server/auth-providers/ad-open-provider/provider-main.c:6453: Error code: 40017 (symbol: LW_ERROR_NOT_HANDLED)
2023-06-16T10:15:25.878521+00:00 prod-2(id2) lsass[2798]: [lsass] DEBUG:0x803c3f810:LsaSrvIsLocalDomain():lsass/server/api/provider.c:243: Error code: 40017 (symbol: LW_ERROR_NOT_HANDLED)
2023-06-16T10:15:25.878581+00:00 prod-2(id2) lsass[2798]: [lsass] DEBUG:0x803c3f810:LsaAdBatchCreateDomainEntry():lsass/server/auth-providers/ad-open-provider/batch.c:398: Trusted domain dev.com' is marked skip
Cause
When RFC2307 is enabled, the following must happen.
On the provider through which the cluster learns the trust, the cluster needs access to the Global Catalog of the trusted domain so that it can look up attributes such as the UID or GID.
In an External trust relationship, the cluster lacks the permission to do this, so authentication fails.
Resolution
A gconfig was added in OneFS 8.1.2 to allow RFC2307-enabled users from an externally trusted domain to authenticate to the cluster.
For a two-way external trust, the cluster must run OneFS 8.1.2 or later, and the following gconfig must also be enabled:
registry.Services.lsass.Parameters.AdditionalFlags
It can be set as follows:
isi_gconfig registry.Services.lsass.Parameters.AdditionalFlags=1
For a one-way external trust, the cluster must run OneFS 9.5.0.4 or later, and the gconfig above must be enabled.
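As an added example that is not part of this Dell article, the POSIX shell script below runs the three checks from the Symptoms section offline against constructed sample data (stand-ins for the `isi auth ads list -v` output, the trust record and the lsassd.log line) and then applies the version rules from the Resolution to report whether the gconfig fix applies to a given OneFS version or an upgrade is needed first. The function names and the sample values are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the Dell article. Offline triage of the article's three
# checks using constructed sample data; function names are assumptions of this example.

ADS_OUTPUT="Name: DOMAIN.COM
SFU Support: rfc2307
Ignore All Trusts: No"
TRUST_OUTPUT="[Domain: DEV] DNS Domain: dev.com Trust Flags: [0x0002] [0x0002 - Outbound] Trust Direction: Oneway Trust Trust Mode: External Trust (ET) Domain flags: [0x0000]"
LSASSD_LOG="2023-06-16T10:15:25.878581+00:00 prod-2(id2) lsass[2798]: [lsass] DEBUG:0x803c3f810:LsaAdBatchCreateDomainEntry():batch.c:398: Trusted domain dev.com' is marked skip"

# Check 1: the provider's SFU support is rfc2307
rfc2307_enabled() { printf '%s\n' "$1" | grep -q '^SFU Support: rfc2307$'; }

# Check 2: direction (Oneway/Twoway) and mode (e.g. External) of a trust record
trust_direction() { printf '%s\n' "$1" | sed -n 's/.*Trust Direction: \([A-Za-z]*\) Trust.*/\1/p'; }
trust_mode() { printf '%s\n' "$1" | sed -n 's/.*Trust Mode: \([A-Za-z]*\) Trust.*/\1/p'; }

# Check 3: domains lsassd marked skip during the lookup, one per line
skipped_domains() { printf '%s\n' "$1" | sed -n "s/.*Trusted domain \([^']*\)' is marked skip.*/\1/p"; }

# Minimum OneFS version the article requires for each trust direction
required_onefs() { case "$1" in Oneway) echo 9.5.0.4 ;; Twoway) echo 8.1.2 ;; *) return 1 ;; esac; }

# version_ge A B: succeeds when dotted version A >= B (missing components count as 0)
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) { if (x[i] + 0 > y[i] + 0) exit 0; if (x[i] + 0 < y[i] + 0) exit 1 }
    exit 0 }'
}

# diagnose ONEFS_VERSION: prints MATCH_FIX_AVAILABLE, MATCH_UPGRADE_REQUIRED or NO_MATCH
diagnose() {
  dom=$(printf '%s\n' "$TRUST_OUTPUT" | sed -n 's/.*DNS Domain: \([^ ]*\) .*/\1/p')
  rfc2307_enabled "$ADS_OUTPUT" || { echo NO_MATCH; return 0; }
  [ "$(trust_mode "$TRUST_OUTPUT")" = External ] || { echo NO_MATCH; return 0; }
  skipped_domains "$LSASSD_LOG" | grep -qxF "$dom" || { echo NO_MATCH; return 0; }
  req=$(required_onefs "$(trust_direction "$TRUST_OUTPUT")") || { echo NO_MATCH; return 0; }
  if version_ge "$1" "$req"; then
    echo MATCH_FIX_AVAILABLE   # then set isi_gconfig registry.Services.lsass.Parameters.AdditionalFlags=1
  else
    echo MATCH_UPGRADE_REQUIRED
  fi
}

diagnose "9.5.0.4"
```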
Affected Products
PowerScale OneFS
Article Properties
Article Number: 000215063
Article Type: Solution
Last Modified: 26 Nov 2024
Version: 5