Network and Storage Protocols
Network and Storage Protocols
Hi,
We have a filer member of a Active Directory Domain. We want to give access at a computer account. When we try to connect with the LocalSystem account, we have this error when we execute this command in the localsystem context:
net use z: \\fileb-cifs\testcifs
"System error 1808 has occurred. The account used is a computer account. Use your global user account or local user account to access this server."
On the filer console, we have activate "options cifs.trace_login on" and we can see thoses errors messages :
Tue May 1 15:23:28 EDT [filerB: auth.trace.authenticateUser.loginTraceIP:info]: AUTH: Login attempt by user server-wk8-r2$ of domain MYDOMAIN from client machine 10.1.1.20 (server-wk8-r2).
Tue May 1 15:23:28 EDT [filerB: auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- attempting authentication with domain controller \\MYDC.
Tue May 1 15:23:28 EDT [filerB: auth.trace.authenticateUser.loginRejected:info]: AUTH: Login attempt by user rejected by the domain controller with error 0xc0000199: STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT.
Tue May 1 15:23:28 EDT [filerB: auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: Delaying the response by 5 seconds due to continuous failed login attempts by user server-wk8-r2$ of domain MYDOMAIN from client machine 10.1.1.20.
The computer name in AD is filerb and we have a Netbios Alias for the name filerb-cifs in the \\filerb\etc$\cifs_nbalias.cfg file.
We don't have this error if we execute this command "net use z: \\filerb\testcifs". But, for some kind of reasons, we have to use the Alias name "filerb-cifs".
Does somebody have and idea?
Thanks,
Réal Waite
Solved! See The Solution
Hi Andrey,
Yes, it was that and the fact that we did not use the same IP address of the AD computer object and the IP address for the CIFS communication.
AD Computer Object name = filerb and IP = 10.1.1.1 (In fact, it this the management IP Adresse)
DNS Name for CIFS = filerb-cifs and IP = 10.1.1.2
So, Keberos coud not be use to authenticate the computer account.
Solution for us, change the AD Computer Object for filerb-cifs and IP = 10.1.1.2
Thanks to make me go into the right direction.
Most likely because in one case it is using Keberos and in another case - NTLM.
Does this kb help?
https://kb.netapp.com/support/index?page=content&id=2013374
Notice, that is just workaround, not a solution. It is better to investigate why accessing alias falls back to NTLM and fix the root cause. Do you have the same alias defined in DNS?
Another consideration - this is indication of some service on host accessing files on filer. Is it really intentional? From security and auditing PoV it would be better to run service under named account in this case; this would allow you to set ACLs and audit access.
Message was edited by: Andrey Borzenkov
Hi Andrey,
Yes, it was that and the fact that we did not use the same IP address of the AD computer object and the IP address for the CIFS communication.
AD Computer Object name = filerb and IP = 10.1.1.1 (In fact, it this the management IP Adresse)
DNS Name for CIFS = filerb-cifs and IP = 10.1.1.2
So, Keberos coud not be use to authenticate the computer account.
Solution for us, change the AD Computer Object for filerb-cifs and IP = 10.1.1.2
Thanks to make me go into the right direction.
Perfect,
Thanks
Réal Waite