https://community.netapp.com/t5/Network-and-Storage-Protocols/CIFS-shares-inaccessible-when-disabling-ntlmv2/m-p/460788#M10179 <P>I'm trying to setup my svm server to talk Kerberos only (v9.15). My environment is setup to use aes-128 and aes-256 encryption and svm server has been joined to the domain. However, when I run command ...<SPAN>-lm-compatibility-level krb, ALL of my CIFS shares become inaccessible, I get re-prompted to enter my AD credentials and despite entering my credentials correctly, I never get in. I end up reverting back to ...</SPAN><SPAN>-lm-compatibility-level ntlmv2-krb. Has anyone been able to set their CIFS shares to run krb traffic only?&nbsp;<BR /><BR />Added context: CIFS shares need to be visible to Windows Server 2022 server.</SPAN></P> Fri, 16 May 2025 22:32:22 GMT E1590-nas 2025-05-16T22:32:22Z https://community.netapp.com/t5/Network-and-Storage-Protocols/CIFS-shares-inaccessible-when-disabling-ntlmv2/m-p/460788#M10179 <P>I'm trying to setup my svm server to talk Kerberos only (v9.15). My environment is setup to use aes-128 and aes-256 encryption and svm server has been joined to the domain. However, when I run command ...<SPAN>-lm-compatibility-level krb, ALL of my CIFS shares become inaccessible, I get re-prompted to enter my AD credentials and despite entering my credentials correctly, I never get in. I end up reverting back to ...</SPAN><SPAN>-lm-compatibility-level ntlmv2-krb. Has anyone been able to set their CIFS shares to run krb traffic only?&nbsp;<BR /><BR />Added context: CIFS shares need to be visible to Windows Server 2022 server.</SPAN></P> Fri, 16 May 2025 22:32:22 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/CIFS-shares-inaccessible-when-disabling-ntlmv2/m-p/460788#M10179 E1590-nas 2025-05-16T22:32:22Z https://community.netapp.com/t5/Network-and-Storage-Protocols/CIFS-shares-inaccessible-when-disabling-ntlmv2/m-p/465263#M10218 <P class="">Hi,</P><P class="">&nbsp;</P><P class="">Why Access usually breaks with <SPAN class="">krb</SPAN>&nbsp;only:</P><P class=""><STRONG>• Kerberos relies on DNS and SPNs</STRONG>: If CIFS clients connect using an IP address or a name without a proper DNS PTR record, Kerberos cannot validate the SPN, and authentication fails. NTLM works in these cases, which is why reverting to <SPAN class="">ntlmv2-krb</SPAN> restores access.</P><P class="">&nbsp;</P><P class=""><STRONG>• Dynamic DNS updates</STRONG>: ONTAP does not create DNS entries by default unless dynamic DNS is enabled. Without these, Kerberos tickets cannot be issued correctly.</P><P class=""><STRONG>• AES encryption negotiation</STRONG>: ONTAP supports AES-128 and AES-256 for Kerberos, but the client determines the algorithm. Ensure AES is enabled on the CIFS server (<SPAN class="">is-aes-encryption-enabled true</SPAN>).</P><P class="">&nbsp;</P><P class=""><STRONG>• Windows Group Policy</STRONG>: Kerberos-only environments often require GPO adjustments to enforce Kerberos and SMB signing/encryption.</P><P class="">&nbsp;</P><P class="">I would first verify the following :</P><UL><LI>Aes is enabled:</LI></UL><P class="">vserver cifs security modify -vserver &lt;SVM&gt; -lm-compatibility-level krb \</P><P class="">-kerberos-clock-skew 5 -kerberos-ticket-age 10 \</P><P class="">-kerberos-renew-age 7 -kerberos-kdc-timeout 3 \</P><P class="">-is-aes-encryption-enabled true</P><P class="">&nbsp;</P><P class=""><STRONG>• Verify DNS</STRONG>: Ensure forward and reverse DNS records exist for the CIFS server name.</P><P class=""><STRONG>• SPNs</STRONG>: Confirm SPNs for CIFS are registered in AD (e.g., <SPAN class="">HOST/cifs-server.domain</SPAN>).</P><P class="">&nbsp;</P><P class="">Hope that Help</P><P class="">&nbsp;</P><P class="">David</P> Wed, 21 Jan 2026 10:29:19 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/CIFS-shares-inaccessible-when-disabling-ntlmv2/m-p/465263#M10218 dbenadib 2026-01-21T10:29:19Z