Network and Storage Protocols
Hi,
Is anyone else experiencing this issue, or does anyone know how to solve it? It's been driving me crazy for some months now. This authentication error message is logged regularly on our Windows 2008 SP2 domain controller:
Log Name: System
Source: NETLOGON
Date: 25/05/2010 21:37:26
Event ID: 5722
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: dc.mydomain.com
Description:
The session setup from the computer FILERNAME failed to authenticate. The name(s) of the account(s) referenced in the security database is FILERNAME$. The following error occurred:
The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="NETLOGON" />
<EventID Qualifiers="0">5722</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-05-25T19:37:26.000Z" />
<EventRecordID>61626</EventRecordID>
<Channel>System</Channel>
<Computer>dc.mydomain.com</Computer>
<Security />
</System>
<EventData>
<Data>FILERNAME</Data>
<Data>FILERNAME$</Data>
<Data>%%1265</Data>
<Binary>880300C0</Binary>
</EventData>
</Event>
Further info:
We are planning on replacing the last 2003 DC we have with a 2008 one, so this problem is important to solve. If our filer really has authentication issues with 2008 DCs, then when we scrap our last 2003 DC, which it's binding to, we'll likely encounter a whole bag of issues.
- Is anyone else running CIFS shares off the filers in a 2008 DC only environment?
- Are there any special NTLM/Kerberos authentication tweaks that I should be making with a 2008 DC to allow it to work nicely with the slightly older "Windows 2000 mode CIFS" on the filers? (I imagine it's a local group policy on the 2008 DC which can be tweaked to allow this?)
Help much appreciated!
Thanks,
Marc
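Added example, not part of the original post: a Python sketch that parses the 5722 event XML quoted above and decodes its error fields. It assumes the Binary field holds a little-endian NTSTATUS; the function names are illustrative, and the sample is the event from the post reduced to the fields that are read.

```python
import struct
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Documented Windows codes matching the message text in this event.
NTSTATUS_NAMES = {0xC0000388: "STATUS_DOWNGRADE_DETECTED"}
WIN32_NAMES = {1265: "ERROR_DOWNGRADE_DETECTED"}

# Event XML from the post, reduced to the fields the decoder reads.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="NETLOGON" /><EventID Qualifiers="0">5722</EventID>
<TimeCreated SystemTime="2010-05-25T19:37:26.000Z" /><Computer>dc.mydomain.com</Computer></System>
<EventData><Data>FILERNAME</Data><Data>FILERNAME$</Data><Data>%%1265</Data>
<Binary>880300C0</Binary></EventData></Event>"""

def decode_netlogon_5722(event_xml):
    """Return the client, account and decoded error codes of one 5722 event."""
    root = ET.fromstring(event_xml)
    provider = root.find("e:System/e:Provider", NS).get("Name")
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    if provider != "NETLOGON" or event_id != 5722:
        raise ValueError("not a NETLOGON 5722 event")
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    if len(data) < 3:
        raise ValueError("expected three Data fields")
    client, account, msg_ref = data[:3]
    # "%%1265" is a message-table reference; the number is a Win32 error code.
    win32 = int(msg_ref[2:]) if msg_ref.startswith("%%") else None
    # Assumption: Binary carries the NTSTATUS as a little-endian 32-bit value.
    raw = bytes.fromhex(root.findtext("e:EventData/e:Binary", default="", namespaces=NS))
    status = struct.unpack("<I", raw[:4])[0] if len(raw) >= 4 else None
    return {
        "dc": root.findtext("e:System/e:Computer", namespaces=NS),
        "client": client,
        "account": account,
        "win32": win32,
        "win32_name": WIN32_NAMES.get(win32, "unknown"),
        "ntstatus": status,
        "ntstatus_name": NTSTATUS_NAMES.get(status, "unknown"),
    }

def failures_per_account(events):
    """Count 5722 events per machine account across exported event XML strings."""
    return Counter(decode_netlogon_5722(x)["account"] for x in events)

if __name__ == "__main__":
    info = decode_netlogon_5722(SAMPLE_EVENT)
    print(f"{info['account']} on {info['dc']}: 0x{info['ntstatus']:08X} {info['ntstatus_name']}")
```

For the event in the post, the bytes 880300C0 decode to 0xC0000388 (STATUS_DOWNGRADE_DETECTED), which matches the "possible attempt to compromise security" text in the description.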
Here are a few tips:
If you have Windows 2008 DCs in your network, make sure you use them as your preferred DCs
(cifs prefdc) before you (re)run cifs setup. If you rerun, remove the Filer's account from the AD first.
That way, the setup procedure recognizes it's under Windows 2008 as well, and can adjust the
Filer account registration.
Do not modify the Pre-Windows 2000 compatibility group from defaults. It's needed by the Filer to map CIFS
users to Unix users (which is an old left-over from pure NFS times and helps in multiprotocol situations).
Also make sure your ONTAP is up to date - 7.2.4 minimum for Windows 2008 Domains:
http://now.netapp.com/NOW/knowledge/docs/olio/guides/ntsp.shtml
Cheers,
O.
Hello there,
We have the same problem.
Is it possible to solve the problem without rerunning cifs setup?
I tried to update the filer's AD account (cifs adupdate) and password (cifs changefilerpwd) after setting the Win2008 DC as the preferred DC. The filer is running ONTAP 8.
Do we have to expect any further problems?
Thanks in advance!!
Greets
Julian Füller
I had the same issue at customer side.
Solution was the following NetApp-KB:
https://kb.netapp.com/support/index?page=content&id=2013862
Regards,
Anastasios Kritoglu
I had the same problem after migrating the Windows 2003 DC to a Windows 2008 DC. ONTAP 7.2.3 is not compatible with the Windows 2008 DC.
You have to upgrade ONTAP to at least 7.2.4 or use a Windows 2003 DC.
Check the compatibility on the NetApp site.
Hi,
We have a similar issue when implementing DC 2012. It can be related to the WINS configuration on the DC.
If you get an error like:
CIFS: Warning for server \\xxxx: Could not make TCP connection.
CIFS: Error for server \\xxxx: Error while negotiating protocol with server No Trusted Logon Servers Available - STATUS_NO_LOGON_SERVERS.
And from the NetApp console:
cifs domaininfo
Not currently connected to any DCs
Preferred Addresses:
None
Favored Addresses:
xxxxxxx PDCBROKEN
xxxxxxx PDCBROKEN
xxxxxxx PDCBROKEN
Other Addresses:
None
Connected AD LDAP Server: \\xxxxxx