We have a filer member of a Active Directory Domain. We want to give access at a computer account. When we try to connect with the LocalSystem account, we have this error when we execute this command in the localsystem context:
net use z: \\fileb-cifs\testcifs
"System error 1808 has occurred. The account used is a computer account. Use your global user account or local user account to access this server."
On the filer console, we have activate "options cifs.trace_login on" and we can see thoses errors messages :
Tue May 1 15:23:28 EDT [filerB: auth.trace.authenticateUser.loginTraceIP:info]: AUTH: Login attempt by user server-wk8-r2$ of domain MYDOMAIN from client machine 10.1.1.20 (server-wk8-r2).
Tue May 1 15:23:28 EDT [filerB: auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- attempting authentication with domain controller \\MYDC.
Tue May 1 15:23:28 EDT [filerB: auth.trace.authenticateUser.loginRejected:info]: AUTH: Login attempt by user rejected by the domain controller with error 0xc0000199: STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT.
Tue May 1 15:23:28 EDT [filerB: auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: Delaying the response by 5 seconds due to continuous failed login attempts by user server-wk8-r2$ of domain MYDOMAIN from client machine 10.1.1.20.
The computer name in AD is filerb and we have a Netbios Alias for the name filerb-cifs in the \\filerb\etc$\cifs_nbalias.cfg file.
We don't have this error if we execute this command "net use z: \\filerb\testcifs". But, for some kind of reasons, we have to use the Alias name "filerb-cifs".
Notice, that is just workaround, not a solution. It is better to investigate why accessing alias falls back to NTLM and fix the root cause. Do you have the same alias defined in DNS?
Another consideration - this is indication of some service on host accessing files on filer. Is it really intentional? From security and auditing PoV it would be better to run service under named account in this case; this would allow you to set ACLs and audit access.