Network and Storage Protocols

Netapp Active Directory Authentication


First things first: I don't know much about netapps. I am a security person, I don't deal with filers much.

My problem:

I noticed a weird behavior with Netapp Active Directory authentication. Our netapps accept active directory account logins via ssh connections. So I use my Windows 2003 active directory account to log in via ssh to netapps for certain things. I changed my active directory password today. 10 minutes later I ssh'ed into a netapp filer using my new password. Everything worked fine. Nothing odd here. The odd thing is that 5 minutes later I was able to log on with my old password. I thought I was going mad, so I tried it on 5 other netapps we have here, and I was able to log on with both my old and new password. What on Earth would make this happen? Can someone enlighten me on how this is even possible?

Now, putting my information security hat on, I say: This is a gross security hole, either by configuration or by design. If I have reason to believe that my AD account has been compromised and I think I'm safe when I change my password, guess what? I'm not. I'll wait to hear from those who know more than I do about netapps.

NetApp Release

Windows Active Directory 2003 Native domain



ssh into the filer and run useradmin user list. Do you have an account with the same name as your active directory account? If yes, then that is your problem. You have a filer side account that had the same password as your previous active directory account. No security hole here, just bad administration practice.

If you don't have an account on the filer from the previous step, then while still ssh'd in execute the following:

cifs domaininfo - look at the output and see what domain controllers it knows about and which ones are favored.

cifs prefdc print - look at the output and see which DCs it is configured to use.

Now make sure that the active directory domain controllers listed in the above steps have replicated recently with the PDC Emulator, using Sites and Services. Then try your old password again. So again, not a security hole, just poor AD replication performance.
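The replication check in the answer above, written out as an added example; this is not code from the original thread. It assumes a domain-joined Windows host with the ActiveDirectory PowerShell module (RSAT), which postdates the Windows 2003 era of this thread, and the script, parameter and output format are the editor's own. It reads pwdLastSet for the account from the PDC emulator (where a password change is replicated urgently first) and then from every other DC, so a DC that could still accept the old password shows up as STALE or unreachable. One caveat a practitioner should keep in mind when reading the result: on Windows Server 2003 SP1 and later, a DC that is fully in sync still accepts the old password for NTLM network logons for up to 60 minutes after a change by default (the OldPasswordAllowedPeriod setting), so "in sync" on every DC does not by itself rule out the behavior reported above.

```powershell
# Added example: report pwdLastSet for one account as seen by every DC in the domain,
# compared against the PDC emulator. Requires the ActiveDirectory module (RSAT).
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName   # e.g. the AD account used for ssh to the filer
)

Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator

# Reference value: the PDC emulator is where password changes are forwarded urgently,
# so it is the authoritative "newest" pwdLastSet.
$refUser = Get-ADUser -Identity $SamAccountName -Server $pdc -Properties pwdLastSet
$ref     = [int64]$refUser.pwdLastSet                      # stored as a Windows FILETIME
$refTime = [DateTime]::FromFileTimeUtc($ref)

'{0,-40} {1:u}  {2}' -f $pdc, $refTime, 'PDC emulator (reference)'

foreach ($dc in (Get-ADDomainController -Filter *)) {
    if ($dc.HostName -eq $pdc) { continue }                # already printed above
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties pwdLastSet -ErrorAction Stop
        $val = [int64]$u.pwdLastSet
        $t   = [DateTime]::FromFileTimeUtc($val)
        # Equal FILETIME means this DC has the same change; an older value means the
        # change has not replicated here yet and this DC may still validate the old password.
        $status = if ($val -eq $ref) { 'in sync' } elseif ($val -lt $ref) { 'STALE (old password may still work here)' } else { 'NEWER than PDC?' }
        '{0,-40} {1:u}  {2}' -f $dc.HostName, $t, $status
    }
    catch {
        # A DC that cannot be queried cannot be confirmed as in sync either.
        '{0,-40} unreachable: {1}' -f $dc.HostName, $_.Exception.Message
    }
}
```

Run it as `.\Check-PwdLastSet.ps1 -SamAccountName youraccount` right after changing the password; any DC listed as STALE is a candidate for the filer to have authenticated against with the old password, and the DC names can be compared with the Current Connected DCs and Favored Addresses lines from cifs domaininfo on the filer.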


I'm not gonna argue with you on the bad admin practices :-). You're right about that.

Anyway ... There are no accounts with my name on the netapp. The old password doesn't work any longer, so it could be an AD replication issue, however I was logging on from the same subnet as the Netapp, the first time with one password and the second time with the old password. This shouldn't be about replication, unless the Netapp is doing some kind of round robin among the domain controllers for authentication.

I see the following:

mynetapp> cifs domaininfo

NetBios Domain:           mydomain
Windows 2003 Domain Name:
Type:                     Windows 2003
Filer AD Site:           my site

Current Connected DCs:    \\myadserver
Total DC addresses found: 30
Preferred Addresses:
Favored Addresses:
                       myotheradserver        PDC
Other Addresses:

mynetapp> cifs prefdc print mydomain
No preferred Domain Controllers configured.