2017-04-04 09:19 AM
Ran into a strange problem here, hoping someone can point me in the right direction. We have two Windows 2008 R2 servers that are unable to access a UNC path to an SVM when using the DNS name of the lif. The connection works fine if connecting to the ip address. From these windows servers I can connect to shares by name on other NAS products, and random Windows clients.
From these two servers
\\10.1.1.1\share$ works (assume 10.1.1.1 is address of lif)
From other Windows clients \\svm\share$ works
I checked that the Windows firewall is disabled, credentials cache is empty, time is in sync with AD. Flushed the DNS cache too.
So it appears I only have a problem connecting to Netapp CIFS share by name from these two servers. Connecting by ip works, so doesn't look like firewall is blocking me.
I know there is a difference in authentication when connecting my address rather than by name, but the details are not clear to me. Something about NTLM vs Kerberos.
2017-04-04 07:39 PM
Have you checked the DNS server IP configured on your windows server, then verified that a DNS A and PTR records for the vserver exist on that DNS server in the correct DNS zone. IE from your server can you do a forward and reverse lookup of the vserver via hostname, fqnd and IP address using nslookup on your windows server? If so and DNS records exist then it could be a group policy issue.
Please note that the default security policy in Windows Server 2008 R2 could be preventing access to the CIFS shares depending on the security configuration on the storage.
Check the local policy on your server:
Check the following policy values
• Domain Member: Digitally sign client communication (when possible)
• Microsoft network client: Digitally sign communications (always)
What's the error message and error code you recieve in windows explorer when attempting to access the share?
Is SMB signing enabled on your storage but not on your windows server?
Do other operating systems have the same issue
Also are you attempting to access your vserver via a DNS CName alias? If so you check you have an SPN configured for the CName on your vservers AD computer account object.
Hope that provides a few troubleshooting options.
a month ago
This turned out to be an issue with the server having only SMB 1.0 enabled and the filer requiring Kerberos authentication and SMB signing. Unfortunately I got this information second hand and am not exactly sure how this was resolved. Apparently some application running on the server only worked with SMB 1.0, but that sounds like a misunderstanding to me.