FAS and V-Series Storage Systems Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

FAS and V-Series Storage Systems Discussions

Start a New Post

SVM error no netlogon servers after SMB change on both AD domain controllers

kds86
‎2017-05-19 07:55 AM

In response to the recent WannaCry ransomware, I applied a change to both of our DCs (used this PS command: 

Set-SmbServerConfiguration -enableSMB1Protocol $false -confirm:$false ) in an effort to disable the vulnerable

SMB protocol. However, within minutes of making this change the NetApp sent me an urgent email stating:

 

Node: Storage-01

Severity: EMERGENCY

Message: secd.netlogon.noServers: None of the Netlogon servers configured for Vserver (SVM) are currently

accessible via the network.

 

I did not wait to see what impact this change had made on our environment, and so I immediately reversed this

changed on both DCs. 

 

I would like to know what "broke" because of this change, and then what needs to be changed on the NetApp to

make possible the disabling of the vulnerable SMB protocol on both of our DCs without it disrupting service in 

our environment.

0 Kudos
View By:
1 ACCEPTED SOLUTION

skneo
‎2017-05-19 10:10 AM
In response to kds86

So, following the directions in the article, once I enable SMB2 on the NetApp, it will use SMB2 to communicate with the two DCs, right?

yes

 

Does enabling SMB2 on the NetApp also result in SMB1 being disabled as a protocol to use with DCs, or does it have to be explicitly disabled?

no you enable smb2 support only

 

if you show on fields after enable smb2 it is smb1-enabled-for-dc-connections = system-default and -smb2-enabled-for-dc-connections = true

 

you could but i have not try this

 

SMB2 Only

vserver cifs security modify -vserver netapp -smb1-enabled-for-dc-connections false

vserver cifs security modify -vserver netapp -smb2-enabled-for-dc-connections system-default

----

SMB1 / 2 abd 2 as default

vserver cifs security modify -vserver netapp -smb1-enabled-for-dc-connections true

vserver cifs security modify -vserver netapp -smb2-enabled-for-dc-connections system-default

 

 

Last question, given the concern with this latest ransomware and SMB1, should SMB1 as it pertains to the client connections, also be disabled on the NetApp, and if so, how?

i think netapp controllers not affected. if you sure that no old client or application need smb1 you can dissable smb1 but i think is not necessary.

View solution in original post

9 REPLIES 9

mhpremier
‎2018-08-17 02:55 PM

I know this is a little bit of an old thread, but we were seeing this problem and it turned out to be clock drift between the cluster and the domain controller. Still haven't figured out what's causing the time to randomly drift though. 

yanisjoplin
‎2019-05-08 09:35 AM
In response to mhpremier 
Hello!

I have presented this same problem and I have also had problems with the cluster clock and the domain controller, only the cluster time is changed. Have you been able to solve this problem?
0 Kudos

kds86
‎2017-05-19 08:40 AM
In response to skneo

Thanks for the quick and very helpful reply. I read the article and have only displayed the current settings so far. I noticed SMB1,2, 3 and 3.1 are enabled on the NetApp. Our two DCs show SMB 3.1 as the protocol they are using (in addition to SMB1 being enabled on them too), so I am wondering if the error that was generated when I disabled SMB1 on the two DCs essentially would have been informative only and not indicative of a complete break in connection with the DCs as it first appeared? Would the NetApp not have reverted to one of its other enabled SMB protocol versions to sustain its connection to the DCs? Would it not have "discovered" it could connect via SMB 3.1 and resumed normal operation with the DCs? If so, could I simply disable SMB1 on those DCs as before and simply ignore the alert from the NetApp?

0 Kudos

skneo
‎2017-05-19 08:45 AM
In response to kds86

SMB1,2, 3 and 3.1 are enabled on the NetApp Controller for Clients Browse SMB Cifs this has nothing to do with the dc connection.

Dont mix client connections to storage for cifs services and netappcontroller as a client for dc connections.

0 Kudos

kds86
‎2017-05-19 08:59 AM
In response to skneo

Ah, thanks for pointing out the difference.

 

So, following the directions in the article, once I enable SMB2 on the NetApp, it will use SMB2 to communicate with the two DCs, right? Does enabling SMB2 on the NetApp also result in SMB1 being disabled as a protocol to use with DCs, or does it have to be explicitly disabled?

 

Last question, given the concern with this latest ransomware and SMB1, should SMB1 as it pertains to the client connections, also be disabled on the NetApp, and if so, how?

0 Kudos

skneo
‎2017-05-19 10:10 AM
In response to kds86

So, following the directions in the article, once I enable SMB2 on the NetApp, it will use SMB2 to communicate with the two DCs, right?

yes

 

Does enabling SMB2 on the NetApp also result in SMB1 being disabled as a protocol to use with DCs, or does it have to be explicitly disabled?

no you enable smb2 support only

 

if you show on fields after enable smb2 it is smb1-enabled-for-dc-connections = system-default and -smb2-enabled-for-dc-connections = true

 

you could but i have not try this

 

SMB2 Only

vserver cifs security modify -vserver netapp -smb1-enabled-for-dc-connections false

vserver cifs security modify -vserver netapp -smb2-enabled-for-dc-connections system-default

----

SMB1 / 2 abd 2 as default

vserver cifs security modify -vserver netapp -smb1-enabled-for-dc-connections true

vserver cifs security modify -vserver netapp -smb2-enabled-for-dc-connections system-default

 

 

Last question, given the concern with this latest ransomware and SMB1, should SMB1 as it pertains to the client connections, also be disabled on the NetApp, and if so, how?

i think netapp controllers not affected. if you sure that no old client or application need smb1 you can dissable smb1 but i think is not necessary.

View solution in original post

MattT
NetApp
‎2017-05-22 03:51 PM
In response to skneo

It looks like the questions have been answered already.  I just wanted to make you aware that there is a bit of additional info on ONTAP and SMB 1.0 that can be had at the below link as long as you have a NetApp support site login.

 

https://kb.netapp.com/support/s/article/ka61A0000008a55/Is-it-possible-to-disable-SMB-1-0-in-ONTAP

 

0 Kudos

kds86
‎2017-05-23 05:31 AM
In response to MattT

Thanks Matt. Between this post and the latest reply to my support incident I think I have the answers I need.

 

I did try to access the link you provided but receive a message stating, "Sorry, you do not have access to NetApp's CRM (CE/PE) or Knowledge base."

I had the same problem when trying to access a link the support tech provided. In the end he simply attached a text file with the contents of the article.

 

0 Kudos
Announcements
NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

View All
NetApp Insights to Action
I2A Banner
All Community Forums
Learn about the Community Get Started
Still have Questions Start a Discussion
Rules of the Community Read More
© 2021 NetApp
Let us know
Public