
CIFS not joining AD domain

jha71

Hello,

 

Following problem with ONTAP 9 and FAS2552

 

cl1::vserver cifs> dns

 

cl1::vserver services name-service dns> show
                                                              Name
Vserver         State     Domains                             Servers
--------------- --------- ----------------------------------- ----------------
cl1             enabled   gym-hksb.local                      10.30.253.1,
                                                              10.30.253.3
nas             enabled   gym-hksb.local                      10.30.253.1,
                                                              10.30.253.3
2 entries were displayed.

 

cl1::vserver services name-service dns> cifs

 

cl1::vserver cifs> create -cifs-server file02 -domain gym-hksb.local -ou CN=Computers

 

In order to create an Active Directory machine account for the CIFS server, you must supply the name and password of a Windows account with sufficient privileges to add computers to the

"CN=Computers" container within the "GYM-HKSB.LOCAL" domain.

 

Enter the user name: administrator

 

Enter the password:

 

Error: Machine account creation procedure failed
  [  1002] Loaded the preliminary configuration.
  [  1730] Created a machine account in the domain
  [  1732] Successfully connected to ip 10.30.253.1, port 445 using
           TCP
  [  1833] Unable to connect to LSA service on dc01.gym-hksb.local
           (Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)
  [  1835] Successfully connected to ip 10.30.253.3, port 445 using
           TCP
  [  1937] Unable to connect to LSA service on dc02.gym-hksb.local
           (Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)
  [  1937] No servers available for MS_LSA, vserver: 4, domain:
           gym-hksb.local.
**[  1937] FAILURE: Unable to make a connection
**         (LSA:GYM-HKSB.LOCAL), result: 6940
  [  1937] Could not find Windows SID
           'S-1-5-21-1131981276-2882716370-3949356162-512'
  [  1944] Deleted existing account
           'CN=FILE02,CN=Computers,DC=gym-hksb,DC=local'

 

Error: command failed: Failed to create the Active Directory machine account "FILE02". Reason: SecD Error: no server available.

 

 

 

ping to Domain successful

time zone on Domain and Netapp correct

 

Any idea to solve this?

 

Thanks,

Jürgen

1 ACCEPTED SOLUTION

jha71

The problem was DC related. Our config as follows:

Hyper-V with DC role. It seems that's not supported. Can anyone confirm this?

We created a new DC (VM) and the domain join was successful without any issue.

 

 



Naveenpusuluru

Hi @jha71

 

It might be an issue with the login account you are using. Does the user account have admin privileges in Active Directory? You need admin privileges to add the NetApp vserver to the Active Directory domain.

jha71

Hi,

 

Sure, I use the Domain Administrator account.

 

KR

Naveenpusuluru

Please let me know the result of this ... 🙂

 

Naveenkumar Pusuluru

Storage lead | C3i Healthcare connections

jha71

DC is reachable
DNS is configured
time zone is correct


cl1::vserver cifs> create -cifs-server file02 -domain gym-hksb.local -ou CN=Computers

In order to create an Active Directory machine account for the CIFS server, you must supply the name and password of a Windows account with sufficient privileges to add computers to the "CN=Computers"
container within the "GYM-HKSB.LOCAL" domain.

Enter the user name: administrator

Enter the password:

Error: Machine account creation procedure failed
  [    86] Loaded the preliminary configuration.
  [   121] Created a machine account in the domain
  [   122] Successfully connected to ip 10.30.253.1, port 445 using
           TCP
  [   123] Unable to connect to LSA service on dc01.gym-hksb.local
           (Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)
  [   123] Successfully connected to ip 10.30.253.3, port 445 using
           TCP
  [   124] Unable to connect to LSA service on dc02.gym-hksb.local
           (Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)
  [   124] No servers available for MS_LSA, vserver: 4, domain:
           gym-hksb.local.
**[   124] FAILURE: Unable to make a connection
**         (LSA:GYM-HKSB.LOCAL), result: 6940
  [   124] Could not find Windows SID
           'S-1-5-21-1131981276-2882716370-3949356162-512'
  [   131] Deleted existing account
           'CN=FILE02,CN=Computers,DC=gym-hksb,DC=local'

Error: command failed: Failed to create the Active Directory machine account "FILE02". Reason: SecD Error: no server available.

cl1::vserver cifs> ping -node cl1-0
cl1-01 cl1-02
cl1::vserver cifs> ping -node cl1-01 -destination
Destination
cl1::vserver cifs> ping -node cl1-01 -destination GYM-HKSB.LOCAL
GYM-HKSB.LOCAL is alive

cl1::vserver cifs> dns show
                                                              Name
Vserver         State     Domains                             Servers
--------------- --------- ----------------------------------- ----------------
cl1             enabled   gym-hksb.local                      10.30.253.1,
                                                              10.30.253.3
nas             enabled   gym-hksb.local                      10.30.253.1,
                                                              10.30.253.3
2 entries were displayed.

cl1::vserver cifs> network interface show
            Logical    Status     Network            Current       Current Is
Vserver     Interface  Admin/Oper Address/Mask       Node          Port    Home
----------- ---------- ---------- ------------------ ------------- ------- ----
Cluster
            cl1-01_clus1 up/up    169.254.141.0/16   cl1-01        e0e     true
            cl1-01_clus2 up/up    169.254.239.201/16 cl1-01        e0f     true
            cl1-02_clus1 up/up    169.254.175.70/16  cl1-02        e0e     true
            cl1-02_clus2 up/up    169.254.53.54/16   cl1-02        e0f     true
cl1
            cl1-01_mgmt1 up/up    10.30.253.51/16    cl1-01        e0M     true
            cl1-02_mgmt1 up/up    10.30.253.52/16    cl1-02        e0M     true
            cluster_mgmt up/up    10.30.253.50/16    cl1-01        e0M     true
nas
            nas_lif      up/up    10.30.253.55/16    cl1-01        a0a     true
8 entries were displayed.

cl1::vserver cifs> system date show
Node      Date                       Time zone
--------- -------------------------- -------------------------
cl1-01    10/24/2016 18:20:11 +02:00 Europe/Berlin
cl1-02    10/24/2016 18:20:11 +02:00 Europe/Berlin
2 entries were displayed.

cl1::vserver cifs>

 

same time on AD

 

C:\Users\Administrator.GYM-HKSB>net time \\dc01
Aktuelle Zeit auf \\dc01 ist 24.10.2016 18:20:37.

 

 event log show

 

 

cl1::vserver cifs> event log show -time >4m
Time                Node             Severity      Event
------------------- ---------------- ------------- ---------------------------
10/24/2016 18:26:40 cl1-01           ERROR         secd.conn.auth.failure: Vserver (nas) could not make a connection over the network to server (10.30.253.3) via interface 10.30.253.55. Error: Connection reset by peer.
10/24/2016 18:26:40 cl1-01           ERROR         secd.conn.auth.failure: Vserver (nas) could not make a connection over the network to server (10.30.253.1) via interface 10.30.253.55. Error: Connection reset by peer.
10/24/2016 18:25:38 cl1-01           ERROR         secd.dns.srv.lookup.failed: DNS server failed to look up service (_kerberos._tcp.10.30.253.1) for vserver (nas) with error (No server(s) found).
10/24/2016 18:25:37 cl1-01           ERROR         secd.dns.srv.lookup.failed: DNS server failed to look up service (_ldap._tcp.dc._msdcs.10.30.253.1) for vserver (nas) with error (No server(s) found).
10/24/2016 18:25:37 cl1-01           ERROR         secd.dns.srv.lookup.failed: DNS server failed to look up service (_ldap._tcp.10.30.253.1) for vserver (nas) with error (No server(s) found).
10/24/2016 18:25:35 cl1-01           ERROR         secd.dns.srv.lookup.failed: DNS server failed to look up service (_ldap._tcp.Default-First-Site-Name._sites.10.30.253.1) for vserver (nas) with error (No server(s) found).
10/24/2016 18:25:35 cl1-01           ERROR         secd.dns.srv.lookup.failed: DNS server failed to look up service (_kerberos._tcp.dc._msdcs.10.30.253.1) for vserver (nas) with error (No server(s) found).

 

jha71

cl1::vserver cifs> ping -lif nas_lif -vserver nas -destination
  <Remote InetAddress>        Destination
cl1::vserver cifs> ping -lif nas_lif -vserver nas -destination 10.30.253.1
10.30.253.1 is alive

cl1::vserver cifs> ping -lif nas_lif -vserver nas -destination 10.30.253.3
10.30.253.3 is alive

cl1::vserver cifs>

 

 

 

cl1::vserver cifs>
cl1::vserver cifs> dns show
                                                              Name
Vserver         State     Domains                             Servers
--------------- --------- ----------------------------------- ----------------
cl1             enabled   gym-hksb.local                      10.30.253.1,
                                                              10.30.253.3
nas             enabled   gym-hksb.local                      10.30.253.1,
                                                              10.30.253.3
2 entries were displayed.

cl1::vserver cifs>

Naveenpusuluru

Hi,

 

Have you tried setting your timezone to closest city to you listed in the link below:

 

https://library.netapp.com/ecmdocs/ECMP1368852/html/GUID-48AD434D-433B-4208-8D9E-C3696707E20C.html

 

Before you can join the vserver to the domain you first need to set the date\time and timezone to ensure the systems time is within 5 minutes of your domain controller.

 

To check the time on your DC you can use the net time command:

 

C:\>net time \\testdc01
Current time at \\testdc01 is 23/07/2015 6:26:37 PM

The command completed successfully.

 

Then set the date on your cluster:

 

cluster1> system date modify -dateandtime 201507231826.48

cluster1> system date show
Node      Date                      Time zone
--------- ------------------------- -------------------------
node1
          7/23/2015 18:26:53 +10:00 Australia/Sydney

Then set your timezone


cluster1> timezone America/Vancouver
1 entry modified

cluster1> system date show
Node      Date                      Time zone
--------- ------------------------- -------------------------
node1
          7/23/2015 01:27:12 -07:00 America/Vancouver

 

Also it's worth mentioning that you will need to enter credentials of an Active Directory user account during the cifs setup process that has permissions in Active Directory to create the computer object and join the vserver to the domain.

 

The minimum required Active Directory permissions for computer objects in your organizational unit are:

 

http://support.microsoft.com/kb/932455

 

Create Computer Objects

Reset Password

Read and write Account Restrictions

Validated write to DNS host name

Validated write to service principal name

 

hope this helps

jha71

yes - timezone and date configured without any Issue.

 

NetApp can reach BOTH domain controllers (TCP ping), but the cDOT event log complains that no DC server is reachable 😕

 

 

BradStoltzTA

If you have disabled SMBv1 on your domain controllers

you need to make sure you have your SVM set to use SMB2 for Domain Controller Connection.

 

We disabled SMBv1 across the organisation in order to prevent any potential issues with the recent ransomware exploits of SMBv1 (Petya and WannaCry).

 

Running the following command sets the SVM to use SMB2 and disables SMB1, and you will be able to join the AD domain with SMBv1 disabled on the domain controller. (You must be in advanced privilege mode to run this command [set advanced].)

 

cifs security modify -vserver <SVM-Name> -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true

 

Hope this saves someone else the several hours i spent pulling my hair out today trying to resolve
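As an added example (not from this thread or from NetApp), a small Python triage script that parses the secd.* events jha71 posted above from "event log show" and maps them to the failure modes the replies identify: a DC that accepts TCP/445 but resets the session (the pattern Brad ties to SMB1 being disabled on the DC) and SRV lookups built from an IP literal instead of the domain name. The sample lines are constructed from the output in the thread, and the category names are my own.

```python
import re
from collections import Counter

# Constructed sample in the layout of ONTAP "event log show"; event names and
# addresses follow the thread, but the lines are not copied from a real system.
SAMPLE_EVENTS = """\
10/24/2016 18:26:40 cl1-01 ERROR secd.conn.auth.failure: Vserver (nas) could not make a connection over the network to server (10.30.253.3) via interface 10.30.253.55. Error: Connection reset by peer.
10/24/2016 18:26:40 cl1-01 ERROR secd.conn.auth.failure: Vserver (nas) could not make a connection over the network to server (10.30.253.1) via interface 10.30.253.55. Error: Connection reset by peer.
10/24/2016 18:25:37 cl1-01 ERROR secd.dns.srv.lookup.failed: DNS server failed to look up service (_ldap._tcp.dc._msdcs.10.30.253.1) for vserver (nas) with error (No server(s) found).
"""

EVENT_RE = re.compile(r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(?P<node>\S+)\s+\S+\s+"
                      r"(?P<event>secd\.[\w.]+):\s*(?P<msg>.*)$")
SERVER_RE = re.compile(r"server \(([\d.]+)\)")      # DC address in connection failures
SRV_RE = re.compile(r"service \(([^)]+)\)")         # SRV name in lookup failures
IPV4_TAIL = re.compile(r"\.\d{1,3}(\.\d{1,3}){3}$")  # SRV name ends in an IPv4 literal

def parse_secd_events(text: str) -> list:
    """Return secd.* events from 'event log show' output as dicts; other lines are ignored."""
    return [m.groupdict() for m in map(EVENT_RE.match, text.splitlines()) if m]

def classify(ev: dict) -> str:
    """Map one event to the failure mode it points at (category names are my own)."""
    if ev["event"] == "secd.conn.auth.failure" and "reset by peer" in ev["msg"]:
        # TCP/445 opened but the DC dropped the session: the pattern the thread ties
        # to a DC with SMB1 disabled while the SVM still uses SMB1 for DC connections,
        # or to host protection on the DC cutting the session.
        return "dc_reset_session"
    if ev["event"] == "secd.dns.srv.lookup.failed":
        srv = SRV_RE.search(ev["msg"])
        if srv and IPV4_TAIL.search(srv.group(1)):
            # SRV name built from an IP literal instead of the domain's DNS name,
            # so it can never resolve: the domain/DNS configuration needs a look.
            return "srv_lookup_on_ip_literal"
        return "srv_record_missing"
    return "other"

def triage(text: str) -> dict:
    """Group events by failure mode, counting the DC address or SRV name involved."""
    summary = {}
    for ev in parse_secd_events(text):
        m = SERVER_RE.search(ev["msg"]) or SRV_RE.search(ev["msg"])
        summary.setdefault(classify(ev), Counter())[m.group(1) if m else "?"] += 1
    return summary

if __name__ == "__main__":
    for mode, targets in triage(SAMPLE_EVENTS).items():
        print(f"{mode}: {dict(targets)}")
```

Feed it the real "event log show" text and a "dc_reset_session" bucket listing both DCs is the cue to check the SMB dialect used for DC connections before re-running the domain join.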

lhqm

We just encountered a similar issue on CDOT 8.3.2 to do with SMB1. SMB1 was disabled on the DCs a while ago; suddenly last night NetApp lookups failed.

On our 9.1 filer, switching to SMB2 only fixed the issue, but that is not possible on our 8.3.2 filer.

 

Reproducible:

 

cluster::*> diag sec authentication translate -node NodeName -vserver VserverName -win-name AD\username

 

 [  1 ms] Successfully connected to x.x.x.x:445 using TCP
  [    12] Successfully authenticated with DC XXXXX
  [    23] Unable to connect to LSA service on XXXX
           (Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)

 [    90] No servers available for MS_LSA, vserver: 8, domain:
           yyyyy.
**[    90] FAILURE: Unable to make a connection (LSA:YYYY),
**         result: 6940
  [    91] Could not find Windows name 'AD\username'
  [    91] CIFS user lookup failed

 

We dug further and it appears it was a Symantec Network Threat Protection block (installed on our DCs) due to a definition update on July 21 2017:

 

[attached image: netapp-symantec-ntp-issue.jpg]

Livewire18

Thank you very much. This saved me a TON of time and worked perfectly. 

Magnusvr

Thanks Brad, you saved my Bacon! 

Disabling SMB1 did the trick!

 

KR

Magnus, Sweden

Siddharth1089

After running set -privilege advanced, I am unable to run the below command.

 

qasvm::vserver cifs*>  vserver cifs security modify -vserver qasvm -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true

Error: invalid argument "-vserver"

 

My main purpose is to connect AD to Netapp when smb1 is disabled and smb2 is enabled.

 

Thanks

Siddharth

 

Livewire18

 

try running it at the cluster level, not the "vserver cifs" level. If you are running it while ssh'ed into the vserver level, you will likely need to just leave the "-vserver vservername" section out, because you are already in the vserver. 

 

cluster::> cifs security modify -vserver <vserver> -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true

 

or 

 

vserver::> cifs security modify -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true

Siddharth1089

Thanks for the info. I tried the below command but it still failed.

 

// Login to cluster level

ssh admin@172.22.0.100

nacl01::> set -privilege advanced

nacl01::*> cifs security modify -vserver qasvm -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true

Error: invalid argument "-smb1-enabled-for-dc-connections"

 

nacl01::*> exit

 

// Login to vserver level

ssh vsadmin@172.22.0.235

qasvm::> cifs security modify -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true                

Error: invalid argument "-smb1-enabled-for-dc-connections"

 

I am using NetApp Release 8.3.1P1 and it seems the above command is not valid for this version. Any other help would be really helpful for me.

 

Thanks

Siddharth

 

Livewire18

Sorry, I just realized you really need to upgrade the version of ONTAP you are running. 8.3.1P1 is VERY old, and has lots of security concerns. I believe you will need to be at 9.1P8 or higher to disable SMB1 for the DC.
