Ran into a strange problem here, hoping someone can point me in the right direction. We have two Windows 2008 R2 servers that are unable to access a UNC path to an SVM when using the DNS name of the lif. The connection works fine if connecting to the ip address. From these windows servers I can connect to shares by name on other NAS products, and random Windows clients.
From these two servers
\\10.1.1.1\share$ works (assume 10.1.1.1 is address of lif)
From other Windows clients \\svm\share$ works
I checked that the Windows firewall is disabled, credentials cache is empty, time is in sync with AD. Flushed the DNS cache too.
So it appears I only have a problem connecting to Netapp CIFS share by name from these two servers. Connecting by ip works, so doesn't look like firewall is blocking me.
I know there is a difference in authentication when connecting my address rather than by name, but the details are not clear to me. Something about NTLM vs Kerberos.
Have you checked the DNS server IP configured on your windows server, then verified that a DNS A and PTR records for the vserver exist on that DNS server in the correct DNS zone. IE from your server can you do a forward and reverse lookup of the vserver via hostname, fqnd and IP address using nslookup on your windows server? If so and DNS records exist then it could be a group policy issue.
Please note that the default security policy in Windows Server 2008 R2 could be preventing access to the CIFS shares depending on the security configuration on the storage.
This turned out to be an issue with the server having only SMB 1.0 enabled and the filer requiring Kerberos authentication and SMB signing. Unfortunately I got this information second hand and am not exactly sure how this was resolved. Apparently some application running on the server only worked with SMB 1.0, but that sounds like a misunderstanding to me.
I would advise checking there is an AD group policy that sets the SMB signing client configuration in combination with setting the a default authentication security level for you CIFS vserver. You would need to determine the correct configuration for your environment that enables all clients to connect based on the operating systems you are using. Some links to the docs:
Also if you are accessing the CIFS vserver via a DNS CName alias ensure you have set an SPN on the AD computer object to ensure clients are able to authenticate via Kerberos rather than reverting to NTLM.
If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.