CONTAP-81008: LDAP SASL bind delay or failure occurs
Issue
- Clients may not be able to modify NTFS permissions on files on the CIFS share
- ONTAP EMS log reports:
  secd.dns.server.timed.out:error
  secd.ldap.sasl.bind.delayed:error
  secd.ldap.sasl.bind.delayed:error
  secd.ldap.noServers:EMERGENCY
- In the SecD logs, ONTAP attempts to look up the node name in DNS and receives a DNS NXDOMAIN error:
  Failed to connect to XXX.XX.X.XXX for DNS via Source Address XXX.XXX.X.XX: Operation timed out
  Entry for host-name: Cluster01-node1 not found in any of the available sources
- During simple and SASL binds, ONTAP queries the DNS server to resolve the node name, which might lead to an LDAP SASL bind delay or failure.
- EMS log:
  [node_01: secd: secd.dns.server.timed.out:error]: DNS server 10.10.XX.XX did not respond to vserver = vserver_1 within timeout interval.
  [node_01: secd: secd.ldap.sasl.bind.delayed:error]: LDAP SASL bind taking longer time on server "10.110.10.41" for Vserver "vserver_1".
  [node_01: secd: secd.ldap.sasl.bind.delayed:error]: LDAP SASL bind taking longer time on server "10.110.10.42" for Vserver "vserver_1".
  [node_01: secd: secd.ldap.sasl.bind.delayed:error]: LDAP SASL bind taking longer time on server "10.110.10.43" for Vserver "vserver_1".
  [node_01: secd: secd.ldap.noServers:EMERGENCY]: None of the LDAP servers configured for Vserver (vserver_1) are currently accessible via the network for LDAP service type (Service: LDAP (Active Directory), Operation: ADgetClaimName).
- SecD logs show ONTAP querying DNS domain.corp.testdomain.com and failing because there was no DNS record in the DNS server:
  ERR : LDAP SASL bind taking long time(6 secs) { in ldapSaslBindGssapi() at src/connection_manager/secd_connection.cpp:653 }
  debug: Vserver's operational state: running { in isVserverRunning() at src/configuration_manager/secd_configuration_manager.cpp:2807 }
  debug: Logged secd.ldap.sasl.bind.delayed to EMS { in logEmsEventForLdapError() at src/utils/secd_ems_utils.cpp:534 }
  ERR : RESULT_ERROR_LDAPSERVER_SASL_BIND_TIMEOUT:7660 in ldapSaslBindGssapi() at src/connection_manager/secd_connection.cpp:661
  ERR : RESULT_ERROR_LDAPSERVER_SASL_BIND_TIMEOUT:7660 in ldapSaslBind() at src/connection_manager/secd_connection.cpp:1129
  ERR : RESULT_ERROR_LDAPSERVER_SASL_BIND_TIMEOUT:7660 in ldapConnectAD() at src/connection_manager/secd_connection.cpp:1255
  ERR : RESULT_ERROR_LDAPSERVER_SASL_BIND_TIMEOUT:7660 in connect() at src/connection_manager/secd_connection.cpp:2517
  info : Unable to start LDAPS: (null) { in connect() at src/connection_manager/secd_connection.cpp:2647 }
  debug: LDAP TLS Alert generated is 'warning:close notify'
  info : Unable to connect to LDAP (Active Directory) service on domain.corp.testdomain.com { in addFailedConnectionJournal() at src/connection_manager/secd_connection_manager.cpp:553 }
  ERR : RESULT_ERROR_LDAPSERVER_SASL_BIND_TIMEOUT:7660 in makeConnectionAttempt() at src/connection_manager/secd_connection_manager.cpp:1033
- The problem appears when a timeout occurs, so it is not a permanent condition.
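
A triage sketch for the EMS pattern above, added here as an example (not NetApp code): it groups secd events per Vserver and flags Vservers where a DNS timeout accompanies delayed SASL binds or secd.ldap.noServers. The sample lines are constructed from the format shown on this page (which carries no timestamps, so correlation is by Vserver only), and the function and field names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the EMS format shown above; the vserver_2 line is invented for contrast.
SAMPLE_EMS = '''\
[node_01: secd: secd.dns.server.timed.out:error]: DNS server 10.10.XX.XX did not respond to vserver = vserver_1 within timeout interval.
[node_01: secd: secd.ldap.sasl.bind.delayed:error]: LDAP SASL bind taking longer time on server "10.110.10.41" for Vserver "vserver_1".
[node_01: secd: secd.ldap.sasl.bind.delayed:error]: LDAP SASL bind taking longer time on server "10.110.10.42" for Vserver "vserver_1".
[node_01: secd: secd.ldap.noServers:EMERGENCY]: None of the LDAP servers configured for Vserver (vserver_1) are currently accessible via the network for LDAP service type (Service: LDAP (Active Directory), Operation: ADgetClaimName).
[node_02: secd: secd.ldap.sasl.bind.delayed:error]: LDAP SASL bind taking longer time on server "10.110.10.41" for Vserver "vserver_2".
'''

EMS_LINE = re.compile(
    r'^\[(?P<node>[^:\]]+): secd: (?P<event>secd\.[\w.]+):(?P<sev>\w+)\]: (?P<msg>.*)$')
# The three events name the Vserver differently: vserver = X, Vserver "X", Vserver (X).
VSERVER = re.compile(r'[Vv]server\s*(?:=\s*|"|\()(?P<name>[\w.-]+)')
LDAP_SERVER = re.compile(r'on server "(?P<ip>[^"]+)"')

def triage(text):
    """Group secd EMS events per Vserver and flag DNS timeout plus bind trouble."""
    per_vs = defaultdict(lambda: {"dns_timeout": 0, "delayed": [], "no_servers": False})
    for line in text.splitlines():
        m = EMS_LINE.match(line.strip())
        vs = VSERVER.search(m["msg"]) if m else None
        if not vs:
            continue  # not a secd EMS line, or no Vserver named in it
        rec = per_vs[vs["name"]]
        if m["event"] == "secd.dns.server.timed.out":
            rec["dns_timeout"] += 1
        elif m["event"] == "secd.ldap.sasl.bind.delayed":
            srv = LDAP_SERVER.search(m["msg"])
            rec["delayed"].append(srv["ip"] if srv else "unknown")
        elif m["event"] == "secd.ldap.noServers":
            rec["no_servers"] = True
    for rec in per_vs.values():
        # DNS timeout seen alongside bind delay/failure: check node-name resolution first.
        rec["dns_related"] = rec["dns_timeout"] > 0 and (bool(rec["delayed"]) or rec["no_servers"])
    return dict(per_vs)

if __name__ == "__main__":
    for name, rec in triage(SAMPLE_EMS).items():
        print(name, rec)
```

A Vserver reported with `dns_related` false (bind delays without a DNS timeout) points away from the DNS lookup described here and toward the LDAP servers or the network path to them.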