
Unable to access CIFS share by name

Rowl

Ran into a strange problem here, hoping someone can point me in the right direction. We have two Windows 2008 R2 servers that are unable to access a UNC path to an SVM when using the DNS name of the LIF. The connection works fine if connecting to the IP address. From these Windows servers I can connect to shares by name on other NAS products, and random Windows clients.

 

From these two servers

\\svm\share$ fails

\\svm.our.dom.com\share$ fails

 

\\10.1.1.1\share$ works (assume 10.1.1.1 is address of lif)

\\othernas\share$ works

\\windowsServer\share$ works

 

From other Windows clients \\svm\share$ works

 

I checked that the Windows firewall is disabled, credentials cache is empty, time is in sync with AD. Flushed the DNS cache too. 

 

So it appears I only have a problem connecting to NetApp CIFS share by name from these two servers. Connecting by IP works, so doesn't look like firewall is blocking me.

 

I know there is a difference in authentication when connecting by address rather than by name, but the details are not clear to me. Something about NTLM vs Kerberos.

 

Thanks

-Rowl

1 ACCEPTED SOLUTION

Rowl

This turned out to be an issue with the server having only SMB 1.0 enabled and the filer requiring Kerberos authentication and SMB signing. Unfortunately I got this information second hand and am not exactly sure how this was resolved. Apparently some application running on the server only worked with SMB 1.0, but that sounds like a misunderstanding to me. 


5 REPLIES 5

mbeattie

Hi Rowl,

 

Have you checked the DNS server IP configured on your Windows server, then verified that DNS A and PTR records for the vserver exist on that DNS server in the correct DNS zone? I.e., from your server, can you do a forward and reverse lookup of the vserver via hostname, FQDN and IP address using nslookup on your Windows server? If so and DNS records exist then it could be a group policy issue.

 

Please note that the default security policy in Windows Server 2008 R2 could be preventing access to the CIFS shares depending on the security configuration on the storage.

Check the local policy on your server:

http://technet.microsoft.com/en-us/library/jj852270(v=ws.10).aspx

 

Check the following policy values


•    Domain Member: Digitally sign client communication (when possible)
•    Microsoft network client: Digitally sign communications (always)

 

What's the error message and error code you receive in Windows Explorer when attempting to access the share?
Is SMB signing enabled on your storage but not on your Windows server?

Do other operating systems have the same issue?

 

Also, are you attempting to access your vserver via a DNS CName alias? If so, check you have an SPN configured for the CName on your vserver's AD computer account object.

Hope that provides a few troubleshooting options.

 

/Matt

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

rajivbmenon

So what is the fix for this? We are having this issue as well in our environment.

 

We have 2008 R2 DCs in one site and 2012 R2 DCs in another. The site with 2012 R2 DCs is not having issues, but the other is.

 

Any ideas?

mbeattie

Hi,

 

I would advise checking there is an AD group policy that sets the SMB signing client configuration in combination with setting a default authentication security level for your CIFS vserver. You would need to determine the correct configuration for your environment that enables all clients to connect based on the operating systems you are using. Some links to the docs:

 

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.cdot-famg-cifs%2FGUID-EE6C5170-7CF6-492C-83A6-9904AE247F21.html&lang=en

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.cdot-famg-cifs%2FGUID-861C90E9-A8B2-405C-9020-0C38679BD72B.html&lang=en

 

Also if you are accessing the CIFS vserver via a DNS CName alias ensure you have set an SPN on the AD computer object to ensure clients are able to authenticate via Kerberos rather than reverting to NTLM.

 

/Matt

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

nickbirech

Setting NTP resolved it for me
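
The checks raised across this thread (forward and reverse DNS, client SMB signing policy, SMB1-only client, SPN for the name, clock skew), collected into one script to run on the affected Windows client. This is an added example, not posted by any participant; the default `$Name` and `$Ip` are the placeholder values from the question, and the script assumes the built-in `setspn`, `klist`, `sc` and `w32tm` tools are present, as they are on a domain-joined Windows Server 2008 R2 machine.

```powershell
# Added example. $Name / $Ip default to the placeholder values used in the question.
param(
    [string]$Name = 'svm.our.dom.com',
    [string]$Ip   = '10.1.1.1'
)

# 1. Forward and reverse lookups, as suggested in the first reply.
try {
    $fwd = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
    "Forward  $Name -> $($fwd -join ', ')"
    if ($fwd -notcontains $Ip) { "  WARNING: $Ip is not among the addresses returned" }
} catch { "Forward lookup failed: $($_.Exception.Message)" }
try {
    "Reverse  $Ip -> $([System.Net.Dns]::GetHostEntry($Ip).HostName)"
} catch { "Reverse lookup failed: $($_.Exception.Message)" }

# 2. SMB client signing. These registry values back the two policies
#    "Microsoft network client: Digitally sign communications (always)" and
#    "... (if server agrees)".
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$p = Get-ItemProperty -Path $key
"RequireSecuritySignature (always)           = $($p.RequireSecuritySignature)"
"EnableSecuritySignature  (if server agrees) = $($p.EnableSecuritySignature)"

# 3. SMB dialects available to the client. On Windows 7 / 2008 R2 the Workstation
#    service depends on the MRxSmb10 (SMB1) and MRxSmb20 (SMB2) drivers; if MRxSmb20
#    is disabled or missing from the dependency list, the client speaks SMB1 only.
foreach ($drv in 'mrxsmb10', 'mrxsmb20') {
    $s = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$drv" -ErrorAction SilentlyContinue
    "$drv Start = $($s.Start)   (2 = automatic, 3 = manual, 4 = disabled)"
}
sc.exe qc lanmanworkstation | Select-String 'DEPENDENCIES' -Context 0,3

# 4. Kerberos: is an SPN registered for the name being typed, and does the client
#    hold a service ticket for it? cifs/ is normally covered by the HOST/ SPN of the
#    computer account, so query both. A CNAME alias needs its own SPN.
setspn.exe -Q "cifs/$Name"
setspn.exe -Q "HOST/$Name"
klist.exe | Select-String 'cifs/'

# 5. Time source and offset. Kerberos allows 5 minutes of clock skew by default.
w32tm.exe /query /status
```

Access by IP address falls back to NTLM because no SPN can be built from an address, so a failure that appears only with the name points at checks 3 to 5 rather than at connectivity.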

 
