Legacy Product Discussions

cifs could not authenticate with DC

VKALVEMULA
18,650 Views

hi

when i run cifs setup on vfiler i get the below eroor:

Lookup of _kerberos._tcp.dc._msdcs.xxxdomain.com failed with DNS server x.x.x.x: Resource temporarily unavailable.

Could not authenticate with domain controller: Cannot resolve KDC for requested realm.

CIFS - unable to log into domain as admin@xxxdomain.com.

this vfiler is in Dev envt, when i get onto that vfiler, i can ping all the DEV servers successfully... but i cannot ping the DNS servers nor our domain.

did any one had same kind of issue?

16 REPLIES 16

martin_fisher
18,602 Views

The fact that you can't ping your DNS/ Domain controller from the the vFiler, if its running in the default ipspace, is why your CIFS setup fails. You need the vFiler to be able to connect the DC to join the domain..

VKALVEMULA
18,603 Views

hi Martin,

thanks for the info..

i also gave the static route, but no luck.

NAS01> ipspace list

Number of ipspaces configured: 1

default-ipspace                   (e0a e0b e0M losk VIF1 VIF1-16 VIF1-31)

=========================================================   

NAS01> vfiler status -r tstvfiler1

tstvfiler1                           running

   ipspace: default-ipspace

   IP address: 172.31.x.x [VIF1-31]

   Path: /vol/tstvfiler1 [/etc]

=========================================================

NAS01> route -s

Routing tables

Internet:

Destination      Gateway            Flags     Refs     Use  Interface

172.31.0.164     2:a0:98:1d:a:26    UHL         0        1  lo

------------------------------------------------------------------------------------------------

( after adding static route )

NAS01> route -s

Routing tables

Internet:

Destination      Gateway            Flags     Refs     Use  Interface

172.31.x.x     172.31.1.1         UHS         1        2  VIF1-31

=========================================================

martin_fisher
18,603 Views

HI Vijay,  is the DC in the same subnet as your DEV servers?

If you ping the DC, do you get a response at all? and vice versa, can the DC ping the IP address of the interface?

Do you have a Firewall in between? Also just checking but do you have a lic installed for CIFS on the Filer as well.

VKALVEMULA
18,603 Views

yes we have firewall in between...VIF1-31 is for our DEV envt and i am creatign vfiler in our dev vfiler itself.

i spoke to my networking guys.. they say that they can see the requests coming from this vfiler and are successful

the above o/p was from node1

if i run the same vfiler setup with same IP on node2.. it works  jus fine.

the only diff b/w node1 and node2 config is ipspace.

NAS01> ipspace list

Number of ipspaces configured: 1

default-ipspace                   (e0a e0b e0M losk VIF1 VIF1-16 VIF1-31)

NAS02> ipspace list

Number of ipspaces configured: 2

default-ipspace                   (e0a e0b e0M losk VIF2 VIF2-16)

dev-tst-ipspace                   (VIF2-31)

martin_fisher
18,603 Views

Hi Vijay, ok. well it looks like a config/network config issue. At a guess I would say you are using multi VIF's, or are you using LACP.

You need to amend the setup of NAS01 and either create the IPSpace add it to the vFiler and setup the routing.. or assign the correct routing to interface VIF1-31, tag it with the correct VLAN and IP address and then make sure that the physical NIC's used in this VIF are connected to the correct ports on your switch and that the ports on the switch are in the correct VLAN's and then test. Also if you are using a HA cluster for the vFiler's then you need identical/correct RC and Network configs otherwise if NAS01/NAS02 performs a takeover, then it will fail. Make sure the config is manually added to each RC file if needed.

If your network guys can see the traffic from VIF1-31, using the current config.. and you can PING the default gateway of this network/VLAN from the CLI of vFiler, then the routing on the vFiler is correct and your network guys need to trace where they have the traffic routing to!

VKALVEMULA
18,603 Views

hi Martin,

in our earlier setup we used to have two separate VIFs, 16 for our Prod ( default ipspace ) and 31 for our Dev .( dev-tst ipspace )

so that issue was, we were not able to export a volume onto both prod and dev

so in order to export a volume onto both prod and dev, we had to combine 16 and 31 into one ip-space  ( default ipspace ) then we were successful.

also, when we had 2 diff ipspaces we were able to successfully able to create vfiler in 16 and 31 network separately and auth with DC successfully.

so the issue rise when we combined 16 and 31 into one ipspace, now when i create vfiler in 31 n/w i am not able to auth with DC.

on node2, we still have 2 separate ipspaces for 16 and 31. and we are able to create vfiler and auth with DC  with no issues.

eventually we will be combining both ipspaces on node2 also. but we need to get the node1 issue resolved first so that we can apply/change same settings on node2 also.

NAS01> ipspace list

Number of ipspaces configured: 1

default-ipspace                   (e0a e0b e0M losk VIF1 VIF1-16 VIF1-31)

NAS02> ipspace list

Number of ipspaces configured: 2

default-ipspace                   (e0a e0b e0M losk VIF2 VIF2-16)

dev-tst-ipspace                   (VIF2-31)

martin_fisher
18,603 Views
in our earlier setup we used to have two separate VIFs, 16 for our Prod ( default ipspace ) and 31 for our Dev .( dev-tst ipspace )

so that issue was, we were not able to export a volume onto both prod and dev

Ok. Yes this correct as the volume has to be assigned to an ipspace and cannot be in more than one.

also, when we had 2 diff ipspaces we were able to successfully able to create vfiler in 16 and 31 network separately and auth with DC successfully.

so the issue rise when we combined 16 and 31 into one ipspace, now when i create vfiler in 31 n/w i am not able to auth with DC.

do your prod and dev use the same DC, or do you have 2 separate domains?

check your routing table for the netapp filer. "route -s" and make sure the traffic for your new vFiler is using the correct route and VIF.

VKALVEMULA
18,603 Views

yes our prod and dev use the same DC.

i checked on the filer.. not sure this particular vfiler is using loopback.

Internet:

Destination      Gateway            Flags     Refs     Use  Interface

172.31.x.x      2:a0:98:1d:a:26    UHL         0        6  lo

martin_fisher
18,603 Views

check the routing table of the actual filer/appliance

VKALVEMULA
10,103 Views

its using the same loop back

one thing i don understand here is why is my vfiler picking up the loopback instead of picking interface

martin_fisher
10,105 Views

Re-run the vFiler config wizard, through FilerView and reconfigure it to use the correct interface. This is the easiest way to do this, as I have spent many hours doing it by the CLI and Filerview is faster for some things.

Once that is done, your vFiler should be using the correct interface in the correct default IP space.

After that check the config of the interface and the VLAN's. If they are correct, and the vFiler Routing table is correct, get your Network guys to check the switchport config... and run pings and traceroutes from the vFiler.

These are the only things that generally affect the vFiler connectivity after spending a while working with them.. If this doesnt work, delete it and start again from a fresh and check configs and spelling/typo's, IP's or incorrect sub net masks..

Hope you get it working.

VKALVEMULA
10,106 Views

i tried.. but no luck

scottgelb
10,103 Views

I would do a webex with support and it should be solved pretty quickly with some Netstat and route checking.

VKALVEMULA
10,103 Views

tried this one too.. but no luck..

support is still looking into this.. why the vfiler is taking that loopback

martin_fisher
10,105 Views

hmm.. either way, you could just delete the vFiler and recreate a new from scratch, new vol0 for the vFiler etc.. or re run the vFiler wizard and change the interface, delete all the routes in the vFiler routing table and try again.

if neither work, there must be a real BURT with your version of ONTAP perhaps.

VKALVEMULA
7,222 Views

i did the same.. but no luck.

Public