Network Storage Protocols Discussions

Highlighted

Ontap 9.3: how to set " LM Compatibility Level" to krb only

Hi,

 

our security guy wants to limit the  LM Compatibility Level to krb only.

Now I tried that. This works fine, if a user is already authenticated in domain and has a kerboeros ticket.

But, Users with fresh logins (f.e. the VSCAN User in the DOMAIN\USER format) can't longer login.

After I set it to ntlmv2-krb, it works again.

Ontap does not accept users in the user@domain format.

 

Any hint?

 

 

Regards..

5 REPLIES

Re: Ontap 9.3: how to set " LM Compatibility Level" to krb only

Hi there,

 

My suggestion would be to open a ticket with our support centre for this query, as it may require more in-depth troubleshooting than would be normal for a message forum like this, it may also involve using and analysing packet captures from the systems, which most customers aren't fans of sharing publicly.

Re: Ontap 9.3: how to set " LM Compatibility Level" to krb only

So When you change the LM Compatibility Level" to krb only then only kerberos authentication is accepted by SVM.

So if client connects to SVM selecting  NTLM authentication then SVM will fail the request. 

 

I dont think the issue is because or the user account rather i think the client is trying to use NTLM authentication when connecting to SVM. Since KRB is the only authentication allowed , client fails to connect. 

 

 

Wheneven client connects to SVM using IP address , only NTLM authentication will happen.  So if LM Compatibility Level" to krb only then those client connections will fail. 

 

If the issue is seen with VSCAN user account , then it could be because of VSCAN connection is not configured for Kerberos.

For Kerberos authentication to work for the AV communication, create a DNS entry[HOST(A) record] for the data LIF used for VSCAN connection and a service principal name[ use setspn -s to add SPN entry] on the DC corresponding to the DNS entry created for the data LIF. Use this name when adding a LIF to the AV Connector. The DNS should be able to return a unique name for each data LIF connected to the AV Connector.

 

Re: Ontap 9.3: how to set " LM Compatibility Level" to krb only

HI,

 

thx. Did you tried  that?

The data LIF has been already configured for kerberos.

The is done by the configuration wizard for the CIFS svm.

But the problerm persists: I can't use an account in kerberos format ( user@fqdn, "myadmin@my-enterprise.com") for the VSCAN-User. 

Users with "Domain\account" only made NTLM.

The command

vserver vscan scanner-pool create -vserver data_SVM|cluster_admin_SVM -
scanner-pool scanner_pool -hostnames Vscan_server_hostnames -privilegedusers
privileged_users

does not allow the kerberos format for "privileged_users".

Try it by yourselve. 

 

 

 

Re: Ontap 9.3: how to set " LM Compatibility Level" to krb only

Hi,

You are correct. 

::> vserver vscan scanner-pool create -vserver svm1 -scanner-pool vijay_pool1 -hostnames xx.xx.xx.xx -privileged-users administrator@naslab.local
Error: command failed: The privileged user name "administrator@naslab.local" is invalid. A valid privileged user name must be in the form "domain-name\user-name".

 

But i dont think we need to add anywhere in the format user@domain. With domain\user Kerberos works well. kerberos is possible if SPN is present for the host principal. 

 

If i have a packet trace i can say why NTLM is selected over Kerberos. 

I would recommend to open a support case to check if the VSCAN LIF's are properly configured with SPN's added for it so that VSCAN can connect to SVM using Kerberos authentication.

 

Re: Ontap 9.3: how to set " LM Compatibility Level" to krb only

My problem was: After I had set LM Compatibility Level to krb only (and restartet the CFIS SVM), I can't longer login using "DOMAIN\USER" at all. Only logins with an valid kerberos ticket are working. Direct logins at the CIFS SVM using "domain\user" won't work. But logins using the UPN are working.

Sorry, I can't cross check this for now, because the CIFS SVM must restarted for this configuration change.

 

With ntlmv2-krb, I can login using DOMAIN\USER an I get the auth-mechanism kerberos.

Checked using "vserver cifs session show -vserver my_cifs_server -fields auth-mechanism,netbios-name,address"

This is my problem. 

 

Can you check this an your device?

 

Forums