#RestAPI error in na_ontap_cifs_server

dusty reef

Good morning everyone,
I opened a request in the Ansible channel because I have problems with the na_ontap_cifs_server module:
https://discord.com/channels/855068651522490400/1143553409434255430

I am trying to create a CIFS server with the following options:

kdc_encryption: True
session_security: sign

However, I get an error message from AD that encryption is not supported.

If I set the above two options via the CLI and run the Ansible playbook again with the same options, everything works:

vserver cifs security modify -vserver <SVM> -session-security-for-ad-ldap sign
vserver cifs security modify -vserver <SVM> -is-aes-encryption-enabled true

I sent corresponding debug logs to ng-ansibleteam@netapp.com and they confirmed that this must be a bug in RestAPI and I should report here in the channel.

Best regards

unique seal

the issue here specifically

During the POST

sending: {'method': 'POST', 'url': 'https://msp-sdpbackup01.fra1.infra.sva-cloud.com/api/protocols/cifs/services', 'verify': False, 'params': {'return_timeout': 30}, 'timeout': 60, 'json': {'ad_domain': {'user': 'svc-domainjoin', 'password': 'XXX', 'organizational_unit': 'OU=Other,OU=Computers,OU=SVACloud,DC=ad,DC=wzat,DC=de', 'fqdn': 'ad.wzat.de'}, 'security': {'kdc_encryption': True, 'session_security': 'sign', 'use_ldaps': False}, 'svm.name': 'snapmirror_wzat_svm01', 'name': 'sm-wzat-svm01', 'enabled': True}, 'headers': {'X-Dot-Client-App': 'netapp.ontap.na_ontap_cifs_server/22.7.0'}, 'auth_args': 'redacted'}

Returns the following error

00: b'{\n "error": {\n "message": "Failed to create the Active Directory machine account \"SM-WZAT-SVM01\". Reason: Kerberos Error: KDC has no support for encryption type Details: Error: Machine account creation procedure failed\n [ 490] Loaded the preliminary configuration.\n [ 530] Successfully connected to ip 10.150.0.2, port 88 using TCP\n**[ 701] FAILURE: Could not authenticate as\n** 'svc-domainjoin@AD.WZAT.DE': KDC has no support for\n** encryption type (KRB5KDC_ERR_ETYPE_NOSUPP)\n. ",\n "code": "655914"\n },\n "job": {\n "uuid": "ac4b96f2-4185-11ee-b2d7-d039ea1836b0",\n "_links": {\n "self": {\n "href": "/api/cluster/jobs/ac4b96f2-4185-11ee-b2d7-d039ea1836b0"\n }\n }\n }\n}'

olive shale
dusty reef

That's the problem. But it should not occur, because I specify the following in Ansible:

kdc_encryption: True
session_security: sign

which would correspond to the following on the CLI:

vserver cifs security modify -vserver <SVM> -session-security-for-ad-ldap sign
vserver cifs security modify -vserver <SVM> -is-aes-encryption-enabled true

The settings from the Ansible module are not set on the ONTAP system, so the domain join fails.