topic Re: SVM unable to join CIFS to Windows Server 2003 AD in ONTAP Discussions

SVM unable to join CIFS to Windows Server 2003 AD

jeffrey24 — Tue, 17 Dec 2024 09:22:49 GMT

Dear all,

I have been facing Netapp Ontap Storage VM issues of joining CIFS to Windows server 2003 AD.

I am on Netapp ontap 9.14.

I understand that Windows Server 2003 cannot support AES and can only support SMB1 authentication. Therefore disabled AES 128 and 256 under:

-vserver cifs security modify : -advertised-enc-types {DES,RC4}
--aes-enabled-for-netlogon-channel{false}

--encryption-required-for-dc-connections {false}

-use-ldaps-for-ad-ldap {false}

-smb2-enabled-for-dc-connections{false}

-smb1-enabled-for-dc-connections{true}

I managed to add the Windows server 2003 DNS to my SVM. Despite trying all methods, I am still getting the error KRB5KDC_ERR_ETYPE_NOSUPP when i add my SVM CIFS to Windows server 2003 active directory. Will appreciate any help on this, thanks!

With regards,

Jeff

Re: SVM unable to join CIFS to Windows Server 2003 AD

CristianoRossi — Tue, 17 Dec 2024 15:35:28 GMT

Usually in this kind of problem secd.log can provide more information on what is going on

Not sure there is a way to have it working

Re: SVM unable to join CIFS to Windows Server 2003 AD

liu — Wed, 18 Dec 2024 06:37:36 GMT

AES is not enabled on the Vserver CIFS authentication error: KRB5KDC_ERR_ETYPE_NOSUPP - NetApp Knowledge Base

Check the Windows/UNIX KDC configuration, If the error is noticed during the filer cifs setup, then the machine account for the server name specified is inconsistent and it needs to be reset at Windows KDC

Kerberos EMS error descriptions - NetApp Knowledge Base

Re: SVM unable to join CIFS to Windows Server 2003 AD

jeffrey24 — Thu, 23 Jan 2025 03:01:08 GMT

Thanks for getting back liu. However, AES isn't supported in Windows Server 2003, which is why i disabled it.

As Netapp Ontap only supports DES , therefore I have configured “SupportedEncType” to 3 in Windows Registry to support DES-CBC-MD5 and DES-CBC-CRC.

I’ve checked Secd.log , Windows event logs and found that DES encryption is successfully reflected during Netapp SVM CIFS attempt to join Windows server 2003. I am also unable to join my Netapp Ontap Network LIFS to Windows server 2003 active directory.

In the secd.log , I found the message “master kdc tgs request result -1765328370 kdc has no support for encryption type”.

I’ve also configured the below settings for “CIFS Security” before attempting to join my SVM to Windows Server 2003 Directory.

-Disabled SMB Signing for incoming SMB Traffic

-Disabled Use start-TLS for AD LDAP

-Disabled AES Encryption

-LM compatibility level : ntlm-ntlmv2-krb

-Enabled SMB1 (Due to Windows server 2003 supporting only SMB1)

-Is-aes-encryption-enabled :False

-session-security-for-ad-ldap : None

-smb1-enabled-for-dc-connections : True

-smb2-enabled-for-dc-connections : False

-referral-enabled-for-ad-ldap : False

-use-ldaps-for-ad-ldap : False

-encryption-required-for-dc-connections: False

-aes-enabled-for-netlogon-channel : False

-try-channel-binding-for-ad-ldap : False

-advertised-enc-types : DES

Is there any settings that I have missed out on or misconfigured? I have tried all possible configurations in NetApp Ontap and Windows server 2003 side and it does not work.

I have tried configuring Windows Keytab and SVM realm too but it doesn't work.