Subscribe
Accepted Solution

Cifs Issue 2012 AD DOT 8.2P5

Hi...I have a case logged but I thought I would ask here...

Running C-Mode 8.2P5

We are having an issue with CIFS and 2012 Domain Local groups. Our Domain is Server 2012, with a Trusted 2003 Domain.

I create a domain local group in the 2012 domain and add an account from the trusted 2003 domain and an account from the 2012 domain

I add this group onto a folder that and give it full control.

When I access he folder with the 2003 account, it works fine. When I try to access using the 2012 account I get a 'handle is invalid error' / access is denied

If I remove the 2003 account from the group and make the group type universal, the 2012 account can then browse the folder.

I Have replciated the error in out production and test environments

Any ideas ?

TIA

Re: Cifs Issue 2012 AD DOT 8.2P5

Kerberos tokens come to my mind. there are still bugs in cDOT with them.

try to access the share over an alias (either in DNS or hosts file on 2012). if it works, then it's a Kerberos issue (because it will fall back to NTLM authentication).

one Kerberos bug has been fixed in 8.2.1(P2?) and another one about 16k Kerberos token size will be fixed in 8.2.2 (you have domain trusts so you may have big token sizes).

Re: Cifs Issue 2012 AD DOT 8.2P5

Yes, We have hita bug that is fixed in 8.2.1, It related to resource SID compression. there is a microsoft KB about it as well

http:/support.microsoft.com/kb/2774190      ....or

http://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=649280

We have used the fix in the mircosoft article to resolve the problem for now....we eill be upgrading to 8.2.2 once it is GA