NetApp Community Update
This site will enter Read Only mode on July 23 as we prepare to move to a new platform. You will still be able to view content, but posting and replying will be temporarily disabled.
We're excited to launch our new Community experience on July 30 and more information will follow soon.
Stay connected during the transition - Join our Discord community today.

Network and Storage Protocols

CIFS shares inaccessible when disabling ntlmv2

E1590-nas
1,578 Views

I'm trying to setup my svm server to talk Kerberos only (v9.15). My environment is setup to use aes-128 and aes-256 encryption and svm server has been joined to the domain. However, when I run command ...-lm-compatibility-level krb, ALL of my CIFS shares become inaccessible, I get re-prompted to enter my AD credentials and despite entering my credentials correctly, I never get in. I end up reverting back to ...-lm-compatibility-level ntlmv2-krb. Has anyone been able to set their CIFS shares to run krb traffic only? 

Added context: CIFS shares need to be visible to Windows Server 2022 server.

1 REPLY 1

dbenadib
955 Views

Hi,

 

Why Access usually breaks with krb only:

• Kerberos relies on DNS and SPNs: If CIFS clients connect using an IP address or a name without a proper DNS PTR record, Kerberos cannot validate the SPN, and authentication fails. NTLM works in these cases, which is why reverting to ntlmv2-krb restores access.

 

• Dynamic DNS updates: ONTAP does not create DNS entries by default unless dynamic DNS is enabled. Without these, Kerberos tickets cannot be issued correctly.

• AES encryption negotiation: ONTAP supports AES-128 and AES-256 for Kerberos, but the client determines the algorithm. Ensure AES is enabled on the CIFS server (is-aes-encryption-enabled true).

 

• Windows Group Policy: Kerberos-only environments often require GPO adjustments to enforce Kerberos and SMB signing/encryption.

 

I would first verify the following :

  • Aes is enabled:

vserver cifs security modify -vserver <SVM> -lm-compatibility-level krb \

-kerberos-clock-skew 5 -kerberos-ticket-age 10 \

-kerberos-renew-age 7 -kerberos-kdc-timeout 3 \

-is-aes-encryption-enabled true

 

• Verify DNS: Ensure forward and reverse DNS records exist for the CIFS server name.

• SPNs: Confirm SPNs for CIFS are registered in AD (e.g., HOST/cifs-server.domain).

 

Hope that Help

 

David

Public