Network and Storage Protocols
Hello,
Following problem with ONTAP 9 and FAS2552:
cl1::vserver cifs> dns
cl1::vserver services name-service dns> show
                                                                      Name
Vserver         State     Domains                             Servers
--------------- --------- ----------------------------------- ----------------
cl1             enabled   gym-hksb.local                      10.30.253.1,
                                                              10.30.253.3
nas             enabled   gym-hksb.local                      10.30.253.1,
                                                              10.30.253.3
2 entries were displayed.
cl1::vserver services name-service dns> cifs
cl1::vserver cifs> create -cifs-server file02 -domain gym-hksb.local -ou CN=Computers
In order to create an Active Directory machine account for the CIFS server, you must supply the name and password of a Windows account with sufficient privileges to add computers to the
"CN=Computers" container within the "GYM-HKSB.LOCAL" domain.
Enter the user name: administrator
Enter the password:
Error: Machine account creation procedure failed
[ 1002] Loaded the preliminary configuration.
[ 1730] Created a machine account in the domain
[ 1732] Successfully connected to ip 10.30.253.1, port 445 using
TCP
[ 1833] Unable to connect to LSA service on dc01.gym-hksb.local
(Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)
[ 1835] Successfully connected to ip 10.30.253.3, port 445 using
TCP
[ 1937] Unable to connect to LSA service on dc02.gym-hksb.local
(Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)
[ 1937] No servers available for MS_LSA, vserver: 4, domain:
gym-hksb.local.
**[ 1937] FAILURE: Unable to make a connection
** (LSA:GYM-HKSB.LOCAL), result: 6940
[ 1937] Could not find Windows SID
'S-1-5-21-1131981276-2882716370-3949356162-512'
[ 1944] Deleted existing account
'CN=FILE02,CN=Computers,DC=gym-hksb,DC=local'
Error: command failed: Failed to create the Active Directory machine account "FILE02". Reason: SecD Error: no server available.
Ping to the domain is successful.
Time zone on the domain and NetApp is correct.
Any idea how to solve this?
Thanks,
Jürgen
Hi @jha71
It might be an issue with the login account you are using. Does the user account have admin privileges in Active Directory? You need admin privileges to add a NetApp vserver to the Active Directory domain.
Hi,
Sure, I use the Domain Administrator account.
KR
Please let me know the result of this ... 🙂
Naveenkumar Pusuluru
Storage lead | C3i Healthcare connections
DC is reachable
DNS is configured
time zone is correct
cl1::vserver cifs> create -cifs-server file02 -domain gym-hksb.local -ou CN=Computers
In order to create an Active Directory machine account for the CIFS server, you must supply the name and password of a Windows account with sufficient privileges to add computers to the "CN=Computers"
container within the "GYM-HKSB.LOCAL" domain.
Enter the user name: administrator
Enter the password:
Error: Machine account creation procedure failed
[ 86] Loaded the preliminary configuration.
[ 121] Created a machine account in the domain
[ 122] Successfully connected to ip 10.30.253.1, port 445 using
TCP
[ 123] Unable to connect to LSA service on dc01.gym-hksb.local
(Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)
[ 123] Successfully connected to ip 10.30.253.3, port 445 using
TCP
[ 124] Unable to connect to LSA service on dc02.gym-hksb.local
(Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)
[ 124] No servers available for MS_LSA, vserver: 4, domain:
gym-hksb.local.
**[ 124] FAILURE: Unable to make a connection
** (LSA:GYM-HKSB.LOCAL), result: 6940
[ 124] Could not find Windows SID
'S-1-5-21-1131981276-2882716370-3949356162-512'
[ 131] Deleted existing account
'CN=FILE02,CN=Computers,DC=gym-hksb,DC=local'
Error: command failed: Failed to create the Active Directory machine account "FILE02". Reason: SecD Error: no server available.
cl1::vserver cifs> ping -node cl1-0
cl1-01 cl1-02
cl1::vserver cifs> ping -node cl1-01 -destination
Destination
cl1::vserver cifs> ping -node cl1-01 -destination GYM-HKSB.LOCAL
GYM-HKSB.LOCAL is alive
cl1::vserver cifs> dns show
                                                                      Name
Vserver         State     Domains                             Servers
--------------- --------- ----------------------------------- ----------------
cl1             enabled   gym-hksb.local                      10.30.253.1,
                                                              10.30.253.3
nas             enabled   gym-hksb.local                      10.30.253.1,
                                                              10.30.253.3
2 entries were displayed.
cl1::vserver cifs> network interface show
            Logical      Status     Network            Current       Current Is
Vserver     Interface    Admin/Oper Address/Mask       Node          Port    Home
----------- ------------ ---------- ------------------ ------------- ------- ----
Cluster
            cl1-01_clus1 up/up      169.254.141.0/16   cl1-01        e0e     true
            cl1-01_clus2 up/up      169.254.239.201/16 cl1-01        e0f     true
            cl1-02_clus1 up/up      169.254.175.70/16  cl1-02        e0e     true
            cl1-02_clus2 up/up      169.254.53.54/16   cl1-02        e0f     true
cl1
            cl1-01_mgmt1 up/up      10.30.253.51/16    cl1-01        e0M     true
            cl1-02_mgmt1 up/up      10.30.253.52/16    cl1-02        e0M     true
            cluster_mgmt up/up      10.30.253.50/16    cl1-01        e0M     true
nas
            nas_lif      up/up      10.30.253.55/16    cl1-01        a0a     true
8 entries were displayed.
cl1::vserver cifs> system date show
Node      Date                       Time zone
--------- -------------------------- -------------------------
cl1-01    10/24/2016 18:20:11 +02:00 Europe/Berlin
cl1-02    10/24/2016 18:20:11 +02:00 Europe/Berlin
2 entries were displayed.
cl1::vserver cifs>
Same time on AD:
C:\Users\Administrator.GYM-HKSB>net time \\dc01
Aktuelle Zeit auf \\dc01 ist 24.10.2016 18:20:37.
event log show
cl1::vserver cifs> event log show -time >4m
Time Node Severity Event
------------------- ---------------- ------------- ---------------------------
10/24/2016 18:26:40 cl1-01 ERROR secd.conn.auth.failure: Vserver (nas) could not make a connection over the network to server (10.30.253.3) via interface 10.30.253.55. Error: Connection reset by peer.
10/24/2016 18:26:40 cl1-01 ERROR secd.conn.auth.failure: Vserver (nas) could not make a connection over the network to server (10.30.253.1) via interface 10.30.253.55. Error: Connection reset by peer.
10/24/2016 18:25:38 cl1-01 ERROR secd.dns.srv.lookup.failed: DNS server failed to look up service (_kerberos._tcp.10.30.253.1) for vserver (nas) with error (No server(s) found).
10/24/2016 18:25:37 cl1-01 ERROR secd.dns.srv.lookup.failed: DNS server failed to look up service (_ldap._tcp.dc._msdcs.10.30.253.1) for vserver (nas) with error (No server(s) found).
10/24/2016 18:25:37 cl1-01 ERROR secd.dns.srv.lookup.failed: DNS server failed to look up service (_ldap._tcp.10.30.253.1) for vserver (nas) with error (No server(s) found).
10/24/2016 18:25:35 cl1-01 ERROR secd.dns.srv.lookup.failed: DNS server failed to look up service (_ldap._tcp.Default-First-Site-Name._sites.10.30.253.1) for vserver (nas) with error (No server(s) found).
10/24/2016 18:25:35 cl1-01 ERROR secd.dns.srv.lookup.failed: DNS server failed to look up service (_kerberos._tcp.dc._msdcs.10.30.253.1) for vserver (nas) with error (No server(s) found).
cl1::vserver cifs> ping -lif nas_lif -vserver nas -destination
<Remote InetAddress> Destination
cl1::vserver cifs> ping -lif nas_lif -vserver nas -destination 10.30.253.1
10.30.253.1 is alive
cl1::vserver cifs> ping -lif nas_lif -vserver nas -destination 10.30.253.3
10.30.253.3 is alive
cl1::vserver cifs>
cl1::vserver cifs>
cl1::vserver cifs> dns show
                                                                      Name
Vserver         State     Domains                             Servers
--------------- --------- ----------------------------------- ----------------
cl1             enabled   gym-hksb.local                      10.30.253.1,
                                                              10.30.253.3
nas             enabled   gym-hksb.local                      10.30.253.1,
                                                              10.30.253.3
2 entries were displayed.
cl1::vserver cifs>
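The two kinds of secd errors in the event log above (SRV lookups that fail, and connections to the DCs on port 445 that are reset) are the same two symptoms that keep recurring in this thread. The following is an added example, not NetApp code and not from anyone in this thread: a small Python triage script that parses `event log show` lines of the shapes quoted above, groups them by symptom, and attaches the explanations the thread itself later arrives at (SMB1 disabled on the DCs, a host IPS on the DCs, or the DC itself). The sample log text is constructed from the lines posted above; the observation that the SRV names end in an IP literal rather than the AD DNS domain is my own reading of those lines.

```python
"""Triage of ONTAP 'event log show' lines from a failed CIFS domain join.

Added example (not NetApp code). The parser targets the secd.* message shapes
quoted in this thread; the sample lines below are constructed from them.
"""
import re
from dataclasses import dataclass

# Constructed sample, built from the 'event log show -time >4m' output in the thread,
# plus one non-error line to show that it is ignored.
SAMPLE_EVENTS = """\
10/24/2016 18:26:40 cl1-01 ERROR secd.conn.auth.failure: Vserver (nas) could not make a connection over the network to server (10.30.253.3) via interface 10.30.253.55. Error: Connection reset by peer.
10/24/2016 18:26:40 cl1-01 ERROR secd.conn.auth.failure: Vserver (nas) could not make a connection over the network to server (10.30.253.1) via interface 10.30.253.55. Error: Connection reset by peer.
10/24/2016 18:25:38 cl1-01 ERROR secd.dns.srv.lookup.failed: DNS server failed to look up service (_kerberos._tcp.10.30.253.1) for vserver (nas) with error (No server(s) found).
10/24/2016 18:25:37 cl1-01 ERROR secd.dns.srv.lookup.failed: DNS server failed to look up service (_ldap._tcp.dc._msdcs.10.30.253.1) for vserver (nas) with error (No server(s) found).
10/24/2016 18:25:30 cl1-01 INFORMATIONAL example.ignored: constructed non-error line
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2}) (?P<node>\S+) (?P<severity>\S+) "
    r"(?P<event>[\w.]+): (?P<msg>.*)$"
)
SERVER_RE = re.compile(r"to server \(([^)]+)\)")
SERVICE_RE = re.compile(r"look up service \(([^)]+)\)")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# What each symptom class turned out to mean in this thread.
HINTS = {
    "dc_reset_on_445": (
        "TCP 445 connected, then the DC reset the session. In this thread that was caused by "
        "SMB1 being disabled on the DCs (set the SVM to SMB2 for DC connections), by a host IPS "
        "on the DCs, or by the DC itself (a freshly built DC resolved the original case)."
    ),
    # This hint is the example author's own observation about the quoted lines.
    "srv_lookup_on_ip_literal": (
        "The SRV name ends in an IP literal instead of the AD DNS domain, so no DC can be "
        "discovered from it; check the SVM's DNS domain and that SRV records resolve."
    ),
    "srv_lookup_failed": "SRV lookup for the domain failed; check the SVM's DNS servers.",
}


@dataclass(frozen=True)
class Finding:
    category: str
    target: str
    timestamp: str


def classify(line: str):
    """Return a Finding for a recognised secd ERROR line, or None for anything else."""
    m = EVENT_RE.match(line.strip())
    if not m or m["severity"] != "ERROR":
        return None
    event, msg = m["event"], m["msg"]
    if event == "secd.conn.auth.failure" and "Connection reset by peer" in msg:
        server = SERVER_RE.search(msg)
        return Finding("dc_reset_on_445", server.group(1) if server else "?", m["ts"])
    if event == "secd.dns.srv.lookup.failed":
        service = SERVICE_RE.search(msg)
        if service:
            name = service.group(1)
            tail = ".".join(name.split(".")[-4:])  # last four labels: an IPv4 literal?
            if IPV4_RE.match(tail):
                return Finding("srv_lookup_on_ip_literal", name, m["ts"])
            return Finding("srv_lookup_failed", name, m["ts"])
    return None


def triage(log_text: str) -> dict:
    """Group findings as {category: sorted unique targets}."""
    grouped = {}
    for line in log_text.splitlines():
        f = classify(line)
        if f:
            grouped.setdefault(f.category, set()).add(f.target)
    return {cat: sorted(targets) for cat, targets in grouped.items()}


def report(log_text: str) -> str:
    """Human-readable summary with the thread's hints attached."""
    out = []
    for cat, targets in triage(log_text).items():
        out.append(f"{cat}: {', '.join(targets)}")
        out.append("  -> " + HINTS.get(cat, "no hint"))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_EVENTS))
```

Feed it the raw `event log show` output copied from the cluster shell; only ERROR lines of the two secd event types are classified, everything else is ignored.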
Hi,
Have you tried setting your timezone to the closest city to you listed in the link below:
https://library.netapp.com/ecmdocs/ECMP1368852/html/GUID-48AD434D-433B-4208-8D9E-C3696707E20C.html
Before you can join the vserver to the domain, you first need to set the date/time and timezone to ensure the system's time is within 5 minutes of your domain controller.
To check the time on your DC you can use the net time command:
C:\>net time \\testdc01
Current time at \\testdc01 is 23/07/2015 6:26:37 PM
The command completed successfully.
Then set the date on your cluster:
cluster1> system date modify -dateandtime 201507231826.48
cluster1> system date show
Node      Date                       Time zone
--------- -------------------------- -------------------------
node1     7/23/2015 18:26:53 +10:00  Australia/Sydney
Then set your timezone:
cluster1> timezone America/Vancouver
1 entry modified
cluster1> system date show
Node      Date                       Time zone
--------- -------------------------- -------------------------
node1     7/23/2015 01:27:12 -07:00  America/Vancouver
Also it's worth mentioning that you will need to enter credentials of an Active Directory user account during the cifs setup process that has permissions in Active Directory to create the computer object and join the vserver to the domain.
The minimum required Active Directory permissions for computer objects in your organizational unit are:
http://support.microsoft.com/kb/932455
Create Computer Objects
Reset Password
Read and write Account Restrictions
Validated write to DNS host name
Validated write to service principal name
Hope this helps.
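The reply above makes the point that the cluster's clock has to be within 5 minutes of the DC, and that the timezone setting matters as much as the displayed time: `system date show` and `net time` both print local time, so two clocks that look the same can still be hours apart in UTC. As an added example (not NetApp or Microsoft code), the Python below parses the two outputs quoted in this thread, normalises both to UTC and checks the 5-minute tolerance. `net time` prints no UTC offset, so the DC's offset is passed in by the caller; the row and `net time` strings in the test are constructed from the thread's own output.

```python
"""Clock-skew check between an ONTAP node and a domain controller.

Added example (not NetApp or Microsoft code). It parses the 'system date show' row
and the 'net time \\\\dc' line quoted in this thread and checks the 5-minute Kerberos
tolerance. The DC's UTC offset is an assumption supplied by the caller, because
'net time' prints only local time.
"""
import re
from datetime import datetime, timedelta, timezone

KERBEROS_MAX_SKEW = timedelta(minutes=5)

ONTAP_DT_RE = re.compile(r"(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2})")
OFFSET_RE = re.compile(r"([+-])(\d{2}):(\d{2})")
# 'net time' token in the locales seen in the thread: "24.10.2016 18:20:37" (German),
# "23/07/2015 6:26:37 PM" (day-first English); a US month-first form is also accepted.
NET_TIME_DT_RE = re.compile(r"(\d{1,2}[./]\d{1,2}[./]\d{4} \d{1,2}:\d{2}:\d{2}(?: [AP]M)?)")
NET_TIME_FORMATS = ("%d.%m.%Y %H:%M:%S", "%d/%m/%Y %I:%M:%S %p", "%m/%d/%Y %I:%M:%S %p")


def parse_utc_offset(text: str) -> timezone:
    """'+02:00' -> fixed timezone UTC+2; '-07:00' -> UTC-7."""
    m = OFFSET_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"bad UTC offset: {text!r}")
    sign = 1 if m.group(1) == "+" else -1
    return timezone(sign * timedelta(hours=int(m.group(2)), minutes=int(m.group(3))))


def parse_ontap_date_row(row: str) -> datetime:
    """Parse one data row of 'system date show', e.g.
    'cl1-01  10/24/2016 18:20:11 +02:00 Europe/Berlin'.
    The printed offset is used directly, so the zone name is not needed."""
    dt = ONTAP_DT_RE.search(row)
    off = OFFSET_RE.search(row)
    if not dt or not off:
        raise ValueError(f"unrecognised system date row: {row!r}")
    naive = datetime.strptime(dt.group(1), "%m/%d/%Y %H:%M:%S")
    return naive.replace(tzinfo=parse_utc_offset(off.group(0)))


def parse_net_time(output: str, dc_utc_offset: str) -> datetime:
    """Parse the 'net time \\\\dc' output line; dc_utc_offset is the DC's offset ('+02:00')."""
    m = NET_TIME_DT_RE.search(output)
    if not m:
        raise ValueError(f"no date/time found in: {output!r}")
    token = m.group(1)
    for fmt in NET_TIME_FORMATS:
        try:
            naive = datetime.strptime(token, fmt)
            break
        except ValueError:
            continue
    else:
        raise ValueError(f"unparsed net time token: {token!r}")
    return naive.replace(tzinfo=parse_utc_offset(dc_utc_offset))


def clock_skew(a: datetime, b: datetime) -> timedelta:
    """Absolute difference in UTC, so a wrong zone setting shows up as real skew."""
    return abs(a.astimezone(timezone.utc) - b.astimezone(timezone.utc))


def within_kerberos_tolerance(a: datetime, b: datetime) -> bool:
    return clock_skew(a, b) <= KERBEROS_MAX_SKEW


if __name__ == "__main__":
    # Values from the thread: cluster and DC both in Europe/Berlin, 26 seconds apart.
    node = parse_ontap_date_row("cl1-01    10/24/2016 18:20:11 +02:00 Europe/Berlin")
    dc = parse_net_time(r"Aktuelle Zeit auf \\dc01 ist 24.10.2016 18:20:37.", "+02:00")
    print("skew:", clock_skew(node, dc), "ok:", within_kerberos_tolerance(node, dc))
    # Same wall-clock reading, but the node's zone set to America/Vancouver: 9 hours off.
    wrong = parse_ontap_date_row("cl1-01    10/24/2016 18:20:11 -07:00 America/Vancouver")
    print("skew:", clock_skew(wrong, dc), "ok:", within_kerberos_tolerance(wrong, dc))
```

The second case in the `__main__` block is the failure mode the reply warns about: the node shows the same 18:20 as the DC, yet with the wrong timezone it is almost nine hours off in UTC and Kerberos will reject it.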
Yes, timezone and date are configured without any issue.
NetApp can reach BOTH domain controllers (TCP ping), but the cDOT event log complains that no DC server is reachable 😕
The problem was DC related. Our config is as follows:
Hyper-V with DC role. It seems that's not supported. Can anyone confirm this?
We created a new DC (VM) and the Domain join was successful without any Issue.
If you have disabled SMBv1 on your domain controllers,
you need to make sure you have your SVM set to use SMB2 for Domain Controller connections.
We disabled SMBv1 across the organisation in order to prevent any potential issues with the recent ransomware exploits of SMBv1 (Petya and WannaCry).
Running the following command sets the SVM to use SMB2 and disables SMB1, and you will be able to join the AD domain with SMBv1 disabled on the domain controller (you must be in advanced privilege mode to run this command [set advanced]):
cifs security modify -vserver <SVM-Name> -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true
Hope this saves someone else the several hours I spent pulling my hair out today trying to resolve this.
We just encountered a similar issue on cDOT 8.3.2 to do with SMB1. SMB1 was disabled on the DCs a while ago; suddenly last night, NetApp lookups failed.
On our 9.1 filer, switching to SMB2 only fixed the issue, but that is not possible on our 8.3.2 filer.
Reproducible:
cluster::*> diag sec authentication translate -node NodeName -vserver VserverName -win-name AD\username
[ 1 ms] Successfully connected to x.x.x.x:445 using TCP
[ 12] Successfully authenticated with DC XXXXX
[ 23] Unable to connect to LSA service on XXXX
(Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)
[ 90] No servers available for MS_LSA, vserver: 8, domain:
yyyyy.
**[ 90] FAILURE: Unable to make a connection (LSA:YYYY),
** result: 6940
[ 91] Could not find Windows name 'AD\username'
[ 91] CIFS user lookup failed
We dug further and it appears it was a Symantec Network Threat Protection block (installed on our DCs) due to a definition update on July 21 2017.
Thank you very much. This saved me a TON of time and worked perfectly.
Thanks Brad, you saved my Bacon!
Disabling SMB1 did the trick!
KR
Magnus, Sweden
After running set -privilege advanced, I am unable to run the command below.
qasvm::vserver cifs*> vserver cifs security modify -vserver qasvm -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true
Error: invalid argument "-vserver"
My main purpose is to connect AD to NetApp when SMB1 is disabled and SMB2 is enabled.
Thanks
Siddharth
Try running it at the cluster level, not the "vserver cifs" level. If you are running it while ssh'ed into the vserver level, you will likely need to just leave the "-vserver vservername" section out, because you are already in the vserver.
cluster::> cifs security modify -vserver <vserver> -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true
or
vserver::> cifs security modify -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true
Thanks for the info, I tried the command below but it still failed.
// Login to cluster level
ssh admin@172.22.0.100
nacl01::> set -privilege advanced
nacl01::*> cifs security modify -vserver qasvm -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true
Error: invalid argument "-smb1-enabled-for-dc-connections"
nacl01::*> exit
// Login to vserver level
ssh vsadmin@172.22.0.235
qasvm::> cifs security modify -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true
Error: invalid argument "-smb1-enabled-for-dc-connections"
I am using NetApp Release 8.3.1P1 and it seems the above command is not valid for this version. Any other help would be really helpful for me.
Thanks
Siddharth
Sorry, I just realized you really need to upgrade the version of ONTAP you are running. 8.3.1P1 is VERY old, and has lots of security concerns. I believe you will need to be at 9.1P8 or higher to disable SMB1 for the DC.