Solved: Re: CIFS not joining AD domain

jha71 · ‎2016-10-24

Hello,

Follow problem with ONTAP 9 and FAS2552

cl1::vserver cifs> dns

cl1::vserver services name-service dns> show

Name

Vserver State Domains Servers

--------------- --------- ----------------------------------- ----------------

cl1 enabled gym-hksb.local 10.30.253.1,

10.30.253.3

nas enabled gym-hksb.local 10.30.253.1,

10.30.253.3

2 entries were displayed.

cl1::vserver services name-service dns> cifs

cl1::vserver cifs> create -cifs-server file02 -domain gym-hksb.local -ou CN=Computers

In order to create an Active Directory machine account for the CIFS server, you must supply the name and password of a Windows account with sufficient privileges to add computers to the

"CN=Computers" container within the "GYM-HKSB.LOCAL" domain.

Enter the user name: administrator

Enter the password:

Error: Machine account creation procedure failed

[ 1002] Loaded the preliminary configuration.

[ 1730] Created a machine account in the domain

[ 1732] Successfully connected to ip 10.30.253.1, port 445 using

TCP

[ 1833] Unable to connect to LSA service on dc01.gym-hksb.local

(Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)

[ 1835] Successfully connected to ip 10.30.253.3, port 445 using

TCP

[ 1937] Unable to connect to LSA service on dc02.gym-hksb.local

(Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)

[ 1937] No servers available for MS_LSA, vserver: 4, domain:

gym-hksb.local.

**[ 1937] FAILURE: Unable to make a connection

** (LSA:GYM-HKSB.LOCAL), result: 6940

[ 1937] Could not find Windows SID

'S-1-5-21-1131981276-2882716370-3949356162-512'

[ 1944] Deleted existing account

'CN=FILE02,CN=Computers,DC=gym-hksb,DC=local'

Error: command failed: Failed to create the Active Directory machine account "FILE02". Reason: SecD Error: no server available.

ping to Domain successful

time zone on Domain and Netapp correct

Any idea to solve this?

Thanks,

Jürgen

jha71 · ‎2016-11-10

The Problem was DC related. Our config as follow:

Hyper-V with DC role. It seems thats not supported. Can anyone confirm this?

We created a new DC (VM) and the Domain join was successful without any Issue.

View solution in original post

Naveenpusuluru · ‎2016-10-24

Hi @jha71

It might be the issue with the login account you are using. Does user account have admin privalages to active directory. You need admin privalages to add Netapp vserever to active directory domain.

jha71 · ‎2016-10-24

Hi,

sure I use the Domain administrator Account.

KR

Naveenpusuluru · ‎2016-10-24

Please let me know the result of this ... 🙂

Naveenkumar Pusuluru

Storage lead | C3i Healthcare connections

jha71 · ‎2016-10-24

DC is reachable
DNS is configured
time zone is correct

cl1::vserver cifs> create -cifs-server file02 -domain gym-hksb.local -ou CN=Computers

In order to create an Active Directory machine account for the CIFS server, you must supply the name and password of a Windows account with sufficient privileges to add computers to the "CN=Computers"
container within the "GYM-HKSB.LOCAL" domain.

Enter the user name: administrator

Enter the password:

Error: Machine account creation procedure failed
[ 86] Loaded the preliminary configuration.
[ 121] Created a machine account in the domain
[ 122] Successfully connected to ip 10.30.253.1, port 445 using
TCP
[ 123] Unable to connect to LSA service on dc01.gym-hksb.local
(Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)
[ 123] Successfully connected to ip 10.30.253.3, port 445 using
TCP
[ 124] Unable to connect to LSA service on dc02.gym-hksb.local
(Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERR
OR)
[ 124] No servers available for MS_LSA, vserver: 4, domain:
gym-hksb.local.
**[ 124] FAILURE: Unable to make a connection
** (LSA:GYM-HKSB.LOCAL), result: 6940
[ 124] Could not find Windows SID
'S-1-5-21-1131981276-2882716370-3949356162-512'
[ 131] Deleted existing account
'CN=FILE02,CN=Computers,DC=gym-hksb,DC=local'

Error: command failed: Failed to create the Active Directory machine account "FILE02". Reason: SecD Error: no server available.

cl1::vserver cifs> ping -node cl1-0
cl1-01 cl1-02
cl1::vserver cifs> ping -node cl1-01 -destination
Destination
cl1::vserver cifs> ping -node cl1-01 -destination GYM-HKSB.LOCAL
GYM-HKSB.LOCAL is alive

cl1::vserver cifs> dns show
Name
Vserver State Domains Servers
--------------- --------- ----------------------------------- ----------------
cl1 enabled gym-hksb.
local 10.30.253.1,
10.30.253.3
nas enabled gym-hksb.local 10.30.253.1,
10.30.253.3
2 entries were displayed.

cl1::vserver cifs> network interface show
Logical Status Network Current Current Is
Vserver Interface Admin/Oper Address/Mask Node Port Home
----------- ---------- ---------- ------------------ ------------- ------- ----
Cluster
cl1-01_clus1 up/up 169.254.141.0/16 cl1-01 e0e true
cl1-01_clus2 up/up 169.254.239.201/16 cl1-01 e0f true
cl1-02_clus1 up/up 169.254.175.70/16 cl1-02 e0e true
cl1-02_clus2 up/up 169.254.53.54/16 cl1-02 e0f true
cl1
cl1-01_mgmt1 up/up 10.30.253.51/16 cl1-01 e0M true
cl1-02_mgmt1 up/up 10.30.25
3.52/16 cl1-02 e0M true
cluster_mgmt up/up 10.30.253.50/16 cl1-01 e0M true
nas
nas_lif up/up 10.30.253.55/16 cl1-01 a0a true
8 entries were displayed.

cl1::vserver cifs> system date show
Node Date Time zone
--------- ------------------------- -------------------------
cl1-01 10/24/2016 18:20:11 Europe/Berlin
+02:00
cl1-02 10/24/2016 18:20:11 Europe/Berlin
+02:00
2 entries were displayed.

cl1::vserver cifs>

same time on AD

C:\Users\Administrator.GYM-HKSB>net time \\dc01
Aktuelle Zeit auf \\dc01 ist 24.10.2016 18:20:37.

event log show

cl1::vserver cifs> event log show -time >4m
Time                Node             Severity      Event
------------------- ---------------- ------------- ---------------------------
10/24/2016 18:26:40 cl1-01           ERROR         secd.conn.auth.failure: Vserver (nas) could not make a connection over the network to server (10.30.253.3) via interface 10.30.253.55. Error: Connection reset by peer.
10/24/2016 18:26:40 cl1-01           ERROR         secd.conn.auth.failure: Vserver (nas) could not make a connection over the network to server (10.30.253.1) via interface 10.30.253.55. Error: Connection reset by peer.
10/24/2016 18:25:38 cl1-01           ERROR         secd.dns.srv.lookup.failed: DNS server failed to look up service (_kerberos._tcp.10.30.253.1) for vserver (nas) with error (No server(s) found).
10/24/2016 18:25:37 cl1-01           ERROR         secd.dns.srv.lookup.failed: DNS server failed to look up service (_ldap._tcp.dc._msdcs.10.30.253.1) for vserver (nas) with error (No server(s) found).
10/24/2016 18:25:37 cl1-01           ERROR         secd.dns.srv.lookup.failed: DNS server failed to look up service (_ldap._tcp.10.30.253.1) for vserver (nas) with error (No server(s) found).
10/24/2016 18:25:35 cl1-01           ERROR         secd.dns.srv.lookup.failed: DNS server failed to look up service (_ldap._tcp.Default-First-Site-Name._sites.10.30.253.1) for vserver (nas) with error (No server(s) found).
10/24/2016 18:25:35 cl1-01           ERROR         secd.dns.srv.lookup.failed: DNS server failed to look up service (_kerberos._tcp.dc._msdcs.10.30.253.1) for vserver (nas) with error (No server(s) found).

jha71 · ‎2016-10-24

cl1::vserver cifs> ping -lif nas_lif -vserver nas -destination
<Remote InetAddress> Destination
cl1::vserver cifs> ping -lif nas_lif -vserver nas -destination 10.30.253.1
10.30.253.1 is alive

cl1::vserver cifs> ping -lif nas_lif -vserver nas -destination 10.30.253.3
10.30.253.3 is alive

cl1::vserver cifs>

cl1::vserver cifs>
cl1::vserver cifs> dns show
                                                              Name
Vserver         State     Domains                             Servers
--------------- --------- ----------------------------------- ----------------
cl1             enabled   gym-hksb.local                      10.30.253.1,
                                                              10.30.253.3
nas             enabled   gym-hksb.local                      10.30.253.1,
                                                              10.30.253.3
2 entries were displayed.

cl1::vserver cifs>

Naveenpusuluru · ‎2016-10-24

Hi,

Have you tried setting your timezone to closest city to you listed in the link below:

https://library.netapp.com/ecmdocs/ECMP1368852/html/GUID-48AD434D-433B-4208-8D9E-C3696707E20C.html

Before you can join the vserver to the domain you first need to set the date\time and timezone to ensure the systems time is within 5 minutes of your domain controller.

To check the time on your DC you can use the net time command:

C:\>net time \\testdc01
Current time at \\testdc01 is 23/07/2015 6:26:37 PM

The command completed successfully.

Then set the date on your cluster:

cluster1> system date modify -dateandtime 201507231826.48

cluster1> system date show
Node Date Time zone
--------- ------------------------- -------------------------
node1
7/23/2015 18:26:53 +10:00 Australia/Sydney

Then set your timezone

cluster1> timezone America/Vancouver
1 entry modified

cluster1> system date show
Node Date Time zone
--------- ------------------------- -------------------------
node1
7/23/2015 01:27:12 -07:00 America/Vancouver

Also it's worth mentioning that you will need to enter credentials of an Active Directory user account during the cifs setup process that has permissions in Active Directory to create the computer object and join the vserver to the domain.

The minimum required Active Directory permissions for computer objects in your organizational unit are:

http://support.microsoft.com/kb/932455

Create Computer Objects

Reset Password

Read and write Account Restrictions

Validated write to DNS host name

Validated write to service principal name

hope this helps

jha71 · ‎2016-10-24

yes - timezone and date configured without any Issue.

Netapp can reach BOTH domain-controller (TCP ping) but cDOT event log complain no DC Server is reachable 😕

jha71 · ‎2016-11-10

The Problem was DC related. Our config as follow:

Hyper-V with DC role. It seems thats not supported. Can anyone confirm this?

We created a new DC (VM) and the Domain join was successful without any Issue.

BradStoltzTA · ‎2017-07-05

If you have disabled SMBv1 on your domain controllers

you need to make sure you have your SVM set to use SMB2 for Domain Controller Connection.

We disabled SMBv1 across the organisation in order to prevent any potential issues with the recent ransomeware exploits of SMBv1 (Petya and WannaCry)

Run the following command sets the SVM to use SMB2 and disable SMB1, and you will be able to join the AD domain with SMBv1 disabled on the domain controller. (you must be in advanced privelege mode to run this command [set advanced])

cifs security modify -vserver <SVM-Name> -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true

Hope this saves someone else the several hours i spent pulling my hair out today trying to resolve

lhqm · ‎2017-07-22

We just encountered a similar issue on CDOT 8.3.2 to do with SMB1. SMB1 was disabled on the DC's a while ago, suddenly last night - netapp lookups failed.

On our 9.1 filer, switching to smb2 only fixed issue, but not possible on our 8.3.2 filer.

reproducable:

cluster::*> diag sec authentication translate -node NodeName -vserver VserverName -win-name AD\username

[ 1 ms] Successfully connected to x.x.x.x:445 using TCP
[    12] Successfully authenticated with DC XXXXX
[    23] Unable to connect to LSA service on XXXX
           (Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)

[    90] No servers available for MS_LSA, vserver: 8, domain:
           yyyyy.
**[    90] FAILURE: Unable to make a connection (LSA:YYYY),
**         result: 6940
[    91] Could not find Windows name 'AD\username'
[    91] CIFS user lookup failed

we dug further and it appears it was a symantec network threat protection block (installed on our DC's) due to definition update on July 21 2017:

Livewire18 · ‎2017-10-18

Thank you very much. This saved me a TON of time and worked perfectly.

Magnusvr · ‎2017-12-07

Thanks Brad, you saved my Bacon!

Disabling SMB1 did the trick!

KR

Magnus, Sweden

Siddharth1089 · ‎2019-08-06

After setting

set -privilege advanced , i am unable to run the below command.

qasvm::vserver cifs*> vserver cifs security modify -vserver qasvm -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true

Error: invalid argument "-vserver"

My main purpose is to connect AD to Netapp when smb1 is disabled and smb2 is enabled.

Thanks

Siddharth

Livewire18 · ‎2019-08-07

try running it at the cluster level, not the "vserver cifs" level. If you are running it while ssh'ed into the vserver level, you will likely need to just leave the "-vserver vservername" section out, because you are already in the vserver.

cluster::> cifs security modify -vserver <vserver> -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true

or

vserver::> cifs security modify -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true

Siddharth1089 · ‎2019-08-08

Thanks for the info, i tried the below command but still it failed.

// Login to cluster level

ssh admin@172.22.0.100

nacl01::> set -privilege advanced

nacl01::*> cifs security modify -vserver qasvm -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true

Error: invalid argument "-smb1-enabled-for-dc-connections"

nacl01::*> exit

// Login to vserver level

ssh vsadmin@172.22.0.235

qasvm::> cifs security modify -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true

Error: invalid argument "-smb1-enabled-for-dc-connections"

I am using NetApp Release 8.3.1P1 and seems the above command not valid for this version. Any other help would be realy helpful for me.

Thanks

Siddharth

Livewire18 · ‎2019-08-08

Sorry, I just realized you really need to upgrade the version of OnTap you are running. 8.3.1P1 is VERY old, and has lots of security concerns. I believe you will need to be at 9.1P8 or higher to disable SMB1 for the DC.

CIFS not joining AD domain

Get ready to power on