NetApp CIFS authentication error on our Windows 2008 domain controller

marcconeley

Hi,

Is anyone else experiencing this issue, or does anyone know how to solve it? It's been driving me crazy for some months now. This authentication error message is logged regularly on our Windows 2008 SP2 domain controller:

Log Name:      System
Source:        NETLOGON
Date:          25/05/2010 21:37:26
Event ID:      5722
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      dc.mydomain.com
Description:
The session setup from the computer FILERNAME  failed to authenticate. The name(s) of the account(s) referenced in the security database is FILERNAME$.  The following error occurred:
The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NETLOGON" />
    <EventID Qualifiers="0">5722</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-05-25T19:37:26.000Z" />
    <EventRecordID>61626</EventRecordID>
    <Channel>System</Channel>
    <Computer>dc.mydomain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>FILERNAME</Data>
    <Data>FILERNAME$</Data>
    <Data>%%1265</Data>
    <Binary>880300C0</Binary>
  </EventData>
</Event>

Further info:

  • We are running FAS2020s with ONTAP 7.3.2P2.
  • We have CIFS shares mounted directly on the filers.
  • Our domain is currently a mixed-mode forest, and we have a 2003 & 2008 DC located at this site.
  • This error message is only logged on the 2008 DC (not the 2003 one).
  • CIFS access to the filers is working fine though, and the filer does have a computer account registered in our Active Directory (2 computer accounts actually - 1 for controllerA and 1 for controllerB).


We are planning on replacing the last 2003 DC we have with a 2008 one - therefore this problem is important to solve. If our filer really has authentication issues with 2008 DCs, then when we scrap our last 2003 DC, which it's binding to, we'll likely encounter a whole bag of issues.

- Is anyone else running CIFS shares off the filers in a 2008 DC only environment?

- Are there any special NTLM/Kerberos authentication tweaks that I should be making with a 2008 DC to allow it to work nicely with the slightly older "Windows 2000 mode CIFS" on the filers? (I imagine it's a local group policy on the 2008 DC which can be tweaked to allow this?).

Help much appreciated!

Thanks,

Marc




olaf

Here's a few tips:

If you have Windows 2008 DCs in your network, make sure you use them as your preferred DCs (cifs prefdc) before you (re)run cifs setup. If you rerun, remove the Filer's account from the AD first. That way, the setup procedure recognizes it's under Windows 2008 as well, and can adjust the Filer account registration.

Do not modify the Pre-Windows 2000 compatibility group from defaults. It's needed by the Filer to map CIFS users to unix users (which is an old left-over from pure NFS times and helps in multiprotocol situations).

Also make sure your ONTAP is up to date - 7.2.4 minimum for Windows 2008 Domains:

http://now.netapp.com/NOW/knowledge/docs/olio/guides/ntsp.shtml

Cheers,

O.

netapp

Hello there,

We got the same problem.

Is it possible to solve the problem without rerunning cifs setup?

I tried to update the filer's AD account (cifs adupdate) and password (cifs changefilerpwd) after setting the Win2008 DC as preferred DC. Filer is running ONTAP 8.

Do we have to expect any further problems?

Thanks in advance!!

Greets

Julian Füller

kritoglu

I had the same issue at customer side.

Solution was the following NetApp-KB:

https://kb.netapp.com/support/index?page=content&id=2013862

Regards,

Anastasios Kritoglu

Tanveer

I had the same problem after migrating the Windows 2003 DC to a Windows 2008 DC. ONTAP 7.2.3 is not compatible with the Windows 2008 DC.

You have to upgrade ONTAP to at least 7.2.4 or use a Windows 2003 DC.

Check the compatibility on the NetApp site.

Giedriusan

Hi,

We have a similar issue when implementing DC 2012. It can be related to the WINS configuration on the DC.

If you get an error like:

CIFS: Warning for server \\xxxx: Could not make TCP connection.
CIFS: Error for server \\xxxx: Error while negotiating protocol with server No Trusted Logon Servers Available - STATUS_NO_LOGON_SERVERS.

And from the NetApp console:

cifs domaininfo


Not currently connected to any DCs
Preferred Addresses:
                          None
Favored Addresses:
                          xxxxxxx  PDCBROKEN
                          xxxxxxx  PDCBROKEN
                          xxxxxxx  PDCBROKEN
Other Addresses:
                          None

Connected AD LDAP Server: \\xxxxxx

  1. Doing options cifs.netbios_over_tcp.enable off, then cifs resetdc, then cifs domaininfo. All is working.
