CIFS problem joining/re-joining filer on AD

Hello there,

We have a 2240 unit that has been "redesigned" to act as a fileserver for our internal users.

We are facing problems joining the filer to the domain. We already deleted the machine account, and when we tried running cifs setup it recreated the machine account and ended in an error. We tried to join again, and this is the (sanitized) log of the operation:

NETAPP007> cifs setup 
This process will enable CIFS access to the filer from a Windows(R) system.
Use "?" for help at any prompt and Ctrl-C to exit without committing changes.
*** The CIFS configuration information for this filer is inconsistent and
*** therefore will be ignored.
Your filer is currently visible to all systems using WINS. The WINS
name servers currently configured are: [ 192.168.0.6, 192.168.0.5 ].
(1) Keep the current WINS configuration
(2) Change the current WINS name server address(es)
(3) Disable WINS
Selection (1-3)? [1]: 
A filer can be configured for multiprotocol access, or as an NTFS-only
filer. Since NFS, DAFS, VLD, FCP, and iSCSI are not licensed on this
filer, we recommend that you configure this filer as an NTFS-only
filer
(1) NTFS-only filer
(2) Multiprotocol filer
Selection (1-2)? [1]: 
The default name for this CIFS server is 'NETAPP007'.
Would you like to change this name? [n]: 
Data ONTAP CIFS services support four styles of user authentication.
Choose the one from the list below that best suits your situation.
(1) Active Directory domain authentication (Active Directory domains only)
(2) Windows NT 4 domain authentication (Windows NT or Active Directory domains)
(3) Windows Workgroup authentication using the filer's local user accounts
(4) /etc/passwd and/or NIS/LDAP authentication
Selection (1-4)? [1]: 
What is the name of the Active Directory domain? [PRIVATE.MYDOMAIN.COM]: 
In Active Directory-based domains, it is essential that the filer's
time match the domain's internal time so that the Kerberos-based
authentication system works correctly. If the time difference between
the filer and the domain controllers is more than 5 minutes,
authentication will fail. Time services are currently not configured
on this filer.
Would you like to configure time services? [y]: 
CIFS Setup will configure basic time services. To continue, you must
specify one or more time servers. Specify values as a comma or space
separated list of server names or IPv4 addresses.
Enter the time server host(s) and/or address(es) [PRIVATE.MYDOMAIN.COM]: 
Would you like to specify additional time servers? [n]: 
1 entry was deleted.

In order to create an Active Directory machine account for the filer,
you must supply the name and password of a Windows account with
sufficient privileges to add computers to the PRIVATE.MYDOMAIN.COM
domain.
Enter the name of the Windows user [Administrator@PRIVATE.MYDOMAIN.COM]: netappldap@private.MYDOMAIN.COM
Password for netappldap@private.MYDOMAIN.COM: 
CIFS - Logged in as netappldap@private.MYDOMAIN.COM.
An account that matches the name 'NETAPP007' already exists in
Active Directory: 'cn=NETAPP007,cn=computers,dc=private,dc=mydomain,
dc=com'. This is normal if you are re-running CIFS Setup. You may
continue by using this account or changing the name of this CIFS
server.
Do you want to re-use this machine account? [y]: 
Fri Jul 17 12:13:08 WAT [NETAPP007:cifs.trace.GSS:error]: AUTH: Could not set filer password in domain: (0x36) Connection reset by peer. 
Fri Jul 17 12:13:08 WAT [NETAPP007:cifs.kerberos.keytab:error]: CIFS: Keytable information for Kerberos: Error during backup restoration, could not find backup keytable. 
Fri Jul 17 12:13:08 WAT [NETAPP007:cifs.trace.GSS:error]: AUTH: Could not restore old keytab after failed password change. 
NETAPP007>

The server has connectivity to the DCs via IP, hostname and FQDN:

BKNETAPP007> ping 192.168.0.5
192.168.0.5 is alive
BKNETAPP007> ping 192.168.0.6
192.168.0.6 is alive
BKNETAPP007> ping dc001
dc001 is alive
BKNETAPP007> ping dc002
dc002.private.mydomain.com is alive
BKNETAPP007> ping dc001.private.mydomain.com
dc001.private.mydomain.com is alive

I already tried to search for a way to "debug" the connection but couldn't find anything.

Has anybody faced this problem before, or can anyone give me some direction on how to solve it?

Kind regards,

Anderson

Re: CIFS problem joining/re-joining filer on AD

Hi,

I had a quick search and, based on the error messages you received, the closest I found was this:

https://kb.netapp.com/support/index?page=content&id=2018109&locale=en_US&access=s

https://kb.netapp.com/support/index?page=content&id=2013426&locale=en_US

So based on that, I'd be checking DNS and/or firewalls to ensure TCP 464 is not being blocked.

Also, it appears you are attempting to join the controller to the domain in the default computers container...

I'd recommend you create an organizational unit for your NetApp systems and delegate access to join them to the domain to a group or service account.

Here is a link to a Microsoft KB that contains the delegated permissions required to join the domain:

http://support.microsoft.com/kb/932455

Hope that helps?

/matt

Re: CIFS problem joining/re-joining filer on AD

Hello there,

Sadly that did not solve my problem.

The filer and the AD servers are on the same network segment and have no firewall between them.

DNS is working as expected, and I see only these messages/errors while trying to join the filer to the domain:

[BKNETAPP007: cifs.trace.GSS:error]: AUTH: Could not set filer password in domain: (0x41) No route to host.
[BKNETAPP007: cifs.kerberos.keytab:error]: CIFS: Keytable information for Kerberos: Error during backup restoration, could not find backup keytable.
[BKNETAPP007: cifs.trace.GSS:error]: AUTH: Could not restore old keytab after failed password change.
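Matt's advice (check DNS and whether TCP 464 is blocked) and the two cifs.trace.GSS failure lines in this thread can be turned into a repeatable triage step. The Python below is an added example, not code from the thread, from NetApp or from Data ONTAP; it assumes that the hex code in the "Could not set filer password" message is a BSD errno value (Data ONTAP is BSD-derived, and 0x36 = ECONNRESET and 0x41 = EHOSTUNREACH agree with the message texts quoted above), and DC names such as dc001/dc002 are taken from the ping output in the first post.

```python
import re
import socket

# Constructed sample: the two failure lines quoted in this thread; the second keeps the
# "#015" (octal carriage return) residue exactly as the forum rendered it.
SAMPLE_LOG = [
    "Fri Jul 17 12:13:08 WAT [NETAPP007:cifs.trace.GSS:error]: AUTH: Could not set filer "
    "password in domain: (0x36) Connection reset by peer. ",
    "[BKNETAPP007: cifs.trace.GSS:error]: AUTH: Could not set filer password in domain: "
    "(0x41) No route to host. #015",
]

# "[node:event:severity]: message" as Data ONTAP 7-Mode logs it (a space after the node is tolerated).
EVENT_RE = re.compile(r"\[(?P<node>[^:\]]+):\s*(?P<event>[\w.]+):(?P<sev>\w+)\]:\s*(?P<msg>.*)")
PASSWD_RE = re.compile(r"Could not set filer password in domain: \((?P<code>0x[0-9a-fA-F]+)\)\s*(?P<text>[^.#]*)")

# Assumption: the hex code is a BSD errno (Data ONTAP is BSD-derived); 54 and 65 match the texts above.
BSD_ERRNO = {54: "ECONNRESET", 60: "ETIMEDOUT", 61: "ECONNREFUSED", 65: "EHOSTUNREACH"}

# DC ports the join depends on; 464 (kpasswd) is the one the failed password-set step uses.
DC_PORTS = {88: "kerberos", 389: "ldap", 445: "smb", 464: "kpasswd"}


def parse_join_errors(lines):
    """One dict per line that reports a failed machine-account password set; other lines are skipped."""
    found = []
    for line in lines:
        m = EVENT_RE.search(line)
        p = PASSWD_RE.search(m["msg"]) if m else None
        if not p:
            continue
        code = int(p["code"], 16)
        found.append({"node": m["node"].strip(), "event": m["event"], "code": code,
                      "errno": BSD_ERRNO.get(code, "UNKNOWN"), "text": p["text"].strip()})
    return found


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes (reachability only, not protocol health)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dcs(dcs, probe=tcp_reachable):
    """Probe every DC on every required port; `probe` is injectable so the logic runs offline."""
    return {(dc, port): probe(dc, port) for dc in dcs for port in DC_PORTS}


def unreachable(results):
    """Sorted 'dc:port (service)' strings for every probe that failed, e.g. 'dc001:464 (kpasswd)'."""
    return [f"{dc}:{port} ({DC_PORTS[port]})" for (dc, port), ok in sorted(results.items()) if not ok]
```

Run it from a host on the same segment as the filer against the DCs you pass to cifs prefdc; a 464 that fails while 88, 389 and 445 answer points at port filtering rather than at DNS or time skew.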

Re: CIFS problem joining/re-joining filer on AD

Well, problem solved.

I changed the following parameters on both controllers:

options cifs.signing.enabled on
options cifs.ipv6.enable off
options cifs.search_domains MYDOMAIN
options cifs.smb2.enable on
options cifs.smb2.signing.required off
options cifs.smb2_1.branch_cache.enable on
options cifs.AD.retry_delay 5
options cifs.trace_dc_connection on
options cifs.trace_login on
options kerberos.file_keytab.realm MYDOMAIN
options kerberos.file_keytab.enable on

cifs prefdc add MYDOMAIN ip1 ip2 ip3

After that, I tried cifs setup again and got:

NETAPP007*> cifs setup
This process will enable CIFS access to the filer from a Windows(R) system.
Use "?" for help at any prompt and Ctrl-C to exit without committing changes.
*** The CIFS configuration information for this filer is inconsistent and
*** therefore will be ignored.
Your filer is currently visible to all systems using WINS. The WINS
name servers currently configured are: [ ip2, ip1 ].
(1) Keep the current WINS configuration
(2) Change the current WINS name server address(es)
(3) Disable WINS
Selection (1-3)? [1]: 3
A filer can be configured for multiprotocol access, or as an NTFS-only
filer. Since NFS, DAFS, VLD, FCP, and iSCSI are not licensed on this
filer, we recommend that you configure this filer as an NTFS-only
filer
(1) NTFS-only filer
(2) Multiprotocol filer
Selection (1-2)? [1]:
The default name for this CIFS server is 'NETAPP007'.
Would you like to change this name? [n]:
Data ONTAP CIFS services support four styles of user authentication.
Choose the one from the list below that best suits your situation.
(1) Active Directory domain authentication (Active Directory domains only)
(2) Windows NT 4 domain authentication (Windows NT or Active Directory domains)
(3) Windows Workgroup authentication using the filer's local user accounts
(4) /etc/passwd and/or NIS/LDAP authentication
Selection (1-4)? [1]:
What is the name of the Active Directory domain? [MYDOMAIN]:
In Active Directory-based domains, it is essential that the filer's
time match the domain's internal time so that the Kerberos-based
authentication system works correctly. If the time difference between
the filer and the domain controllers is more than 5 minutes,
authentication will fail. Time services are currently not configured
on this filer.
Would you like to configure time services? [y]:
CIFS Setup will configure basic time services. To continue, you must
specify one or more time servers. Specify values as a comma or space
separated list of server names or IPv4 addresses.
Enter the time server host(s) and/or address(es) [MYDOMAIN]:
Would you like to specify additional time servers? [n]:
1 entry was deleted.

In order to create an Active Directory machine account for the filer,
you must supply the name and password of a Windows account with
sufficient privileges to add computers to the MYDOMAIN
domain.
Enter the name of the Windows user [Administrator@MYDOMAIN]: netappldap@MYDOMAIN
Password for netappldap@MYDOMAIN:
CIFS - Logged in as netappldap@MYDOMAIN.
An account that matches the name 'NETAPP007' already exists in
Active Directory: 'cn=netapp007,cn=computers,dc=MYDOMAIN'.
This is normal if you are re-running CIFS Setup. You may
continue by using this account or changing the name of this CIFS
server.
Do you want to re-use this machine account? [y]:
CIFS - Starting SMB protocol...
Wed Jul 29 11:13:06 WAT [NETAPP007:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Starting DC address discovery for MYDOMAIN.
Wed Jul 29 11:13:06 WAT [NETAPP007:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 2 addresses from CIFS PREFDC command.
Wed Jul 29 11:13:06 WAT [NETAPP007:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 2 addresses using DNS site query (sede-mydomain)..
Wed Jul 29 11:13:06 WAT [NETAPP007:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 3 addresses using generic DNS query.
Wed Jul 29 11:13:06 WAT [NETAPP007:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- DC address discovery for MYDOMAIN complete. 3 unique addresses found.
Wed Jul 29 11:13:06 WAT [NETAPP007:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Connection with \\DC3 established.
Welcome to the MYDOMAIN (MYDOMAIN) Active Directory(R) domain.

CIFS local server is running.