Network and Storage Protocols

Unable to create NETLOGON pipe No Trusted Logon Servers Available - STATUS_NO_LOGON_SERVERS

ritchi641
29,571 Views

We have a few filers who give us the following error periodicaly since we upgrade our Active Directory machine to a Windows 2008R2 (SP1) server.

Wed Jul 11 15:31:29 EDT [LABFILER01: cifs.server.infoMsg:info]: CIFS: Warning for server \\SE601C: Unable to create NETLOGON pipe No Trusted Logon Servers Available - STATUS_NO_LOGON_SERVERS.

We found out that this error message occur if SMB2 is enable on the filler (options cifs.smb2.enable    on, cifs.smb2.client.enable      on). We add to enable this 1 year ago becose of new Windows 7 clients.

The error message disappear if we disable SMB2 in our Windows 2008R2 server or in the filer.

Ontap 7.3.4 or  8.0.2P3 7-Mode

Any Idee to resolve this without disabling SMB2 ?

1 ACCEPTED SOLUTION

aborzenkov
29,474 Views

Title:

Domain Controller responds with 0xc0000022 (Access Denied) error to SMB2 tree connect request from the storage server on IPC$.

Description:

This issue might occur under the following circumstances:

1. The storage server sends an SMB2 session setup request with signing required, regardless of the setting of the option smb2.signing.required.

2. The domain controller returns a signed session setup response.

3. The storage server sends an unsigned tree connect request to IPC$.

4. The domain controller refuses the unsigned request and responds with a 0xc0000022 error (Access Denied).

Workaround:

Disable SMB2 on the storage server by entering the following command:

options cifs.smb2.client.enable off

View solution in original post

8 REPLIES 8

aborzenkov
29,466 Views

Sounds similar to http://support.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=474548

For client - NetApp communication option cifs.smb2.enable is relevant. IIRC option cifs.smb2.client.enable is for NetApp - domain controller communication. So you still should be able to enable SMB2 for clients.

ritchi641
29,466 Views

Hi, thanks for you fast reply,

If disabling ( cifs.smb2.client.enable ) is only affecting communication for the filer to the DC and don't affect the client (Windows 7) in any way. I will give it a try.

I am a Nseries user. Can you put a cut an paste here of that Now link information ?

http://support.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=474548

aborzenkov
29,475 Views

Title:

Domain Controller responds with 0xc0000022 (Access Denied) error to SMB2 tree connect request from the storage server on IPC$.

Description:

This issue might occur under the following circumstances:

1. The storage server sends an SMB2 session setup request with signing required, regardless of the setting of the option smb2.signing.required.

2. The domain controller returns a signed session setup response.

3. The storage server sends an unsigned tree connect request to IPC$.

4. The domain controller refuses the unsigned request and responds with a 0xc0000022 error (Access Denied).

Workaround:

Disable SMB2 on the storage server by entering the following command:

options cifs.smb2.client.enable off

ritchi641
29,466 Views

Thank you very much!

It help a lot!!!

I think my problem is solve.

I will let it run and see after a week if everyting is ok!

ritchi641
29,466 Views

hi again,

I also get this error in my filers syslog since we upgrade our DC to W2K8R2:

Sun Jul  8 17:43:38 EDT cifs.pipe.errorMsg: CIFS: Error on named pipe with SE601S: Error connecting to server, open pipe failed

Sun Jul  8 17:43:38 EDT smbrpc.pipeCreate.fail: CIFSRPC: Attempt to create pipe LSA for LsarLookupSids failed with error 0xc000005e.

Do you think it's related to the same SMB2 problem?

STORAGE_CIT
29,466 Views

It seems you´re facing the OnTap Weakness which is (amongst others) described in BURT 470972

The point is, that OnTap is using a security leak in the smb2-Implementation of Microsoft, which was fixed by some Patches for SMB2 Win2003/2008:

A Kerberos Ticket has a default lifetime of 10 hours. When this Ticket expires, the CIFS Sessions based upon this Ticket must become invalid and the Kerberos-Client (aka Netapp Filer) must request a new ticket and a also a new CIFS Session.

But until now, OnTap is still not able to handle this prodecure correctly, meaning to say pro-actively.

Before Microsoft fixed it, a SMB2-Session wrongly remained active when the Kerberos-Ticket expired.

SMB1 still has this bug, therefore the described workaround (options cifs.smb2.client.enable off => Fallback to SMB1) solves the issue (until Microsoft patches this as well...)

The underlying OnTap Weakness will be corrected in OnTap 8.0.4 and 8.1.2 (just in time for the relase of SMB3 ...;-)

jjardina_dtech
29,466 Views

1) Is your local to the filer, DC an RODC?  If so, you have to use the "option ldap.servers.preferred" to specify a non-RODC or change the local AD to be a GC. 

2) If possible, update your OnTap to the latest general release for your filer.  The two versions you cite are quite old.

See if issue still persists and if so, you may have to options cifs.smb2.client.enable off until fixed.

thomas_glodde
29,466 Views

Did you guys try an "options cifs.netbios_over_tcp.enable off"?

Public