Network and Storage Protocols

Why doesn't the SVM only communicate with DNS via port 636?

Michael_K

Hello community,

we have a problem that we are noticing now for the first time. We are currently using ONTAP 9.8P11 on FAS2750.

Our network administrators would like to use port 636 for communication with the DNS.

A newly created CIFS SVM, so far without productive use, connects to DNS via port 636 (-use-ldaps-for-ad-ldap is set to true; the root CA was created beforehand) when it is accessed for the first time.

All further accesses, although we don't even know why they are happening (there are no accesses from CIFS clients yet!), again take place via port 389. Why?

The parameters for the SVM are set as follows:

FAS27DX1::> vserver cifs security show -vserver SVM_xxxxx

Vserver: SVM_xxxxx

                            Kerberos Clock Skew:                   5 minutes
                            Kerberos Ticket Age:                  10 hours
                           Kerberos Renewal Age:                   7 days
                           Kerberos KDC Timeout:                   3 seconds
                            Is Signing Required:                true
                Is Password Complexity Required:                true
           Use start_tls for AD LDAP connection:               false
                      Is AES Encryption Enabled:               false
                         LM Compatibility Level:  lm-ntlm-ntlmv2-krb
                     Is SMB Encryption Required:               false
                        Client Session Security:                none
                SMB1 Enabled for DC Connections:               false
                SMB2 Enabled for DC Connections:      system-default
  LDAP Referral Enabled For AD LDAP connections:               false
               Use LDAPS for AD LDAP connection:                true
      Encryption is required for DC Connections:               false

FASxxxxx::>

Can anyone explain this behavior?

Why is only the first access via port 636 and the others via 389?

What is to be done so that only port 636 is used?

Why is there access to the DNS at all if the SVM is not yet productive? (Our network administrators have determined that this behavior probably occurs every 4 hours; see also the graphic "ADROOT-LOG.jpg".)

I am grateful for any help.

Best regards

Michael

Vijay_ramamurthy

Hi Michael,

Also, 636 is only for ONTAP-to-AD-LDAP connections; for DNS it will always connect to port 53 (UDP, and TCP if needed).

When a CIFS server is created on the SVM, Domain Controller Discovery (DC Discovery) is an automatic procedure triggered by ONTAP every 4 hours.
It is explained in the KB below and is the reason why you see connections between the ONTAP SVM and DNS at a 4-hour interval.
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/What_is_Domain_Controller_Discovery

With "Use LDAPS for AD LDAP connection" set to TRUE, ONTAP will only use port 636 for AD-LDAP connections.

https://docs.netapp.com/us-en/ontap/nfs-admin/ldaps-concept.html#terminology


Could you please check whether the 389 LDAP connections are happening via a LIF of the same SVM that has LDAPS for AD LDAP connection set to TRUE, or whether the connections are initiated using a different SVM LIF?

Michael_K

Hello Vijay,

Thank you very much for your answer.

I have now understood the periodic access every 4 hours.

What confuses me is your question about which LIF the connection is established with ("the same SVM LIF of the SVM which has LDAPS for AD LDAP connection set to TRUE or the connections are initiated using a different SVM LIF").

I did set up LDAPS for the CIFS SVM (cifs security modify -vserver SVM_xxxxx -use-ldaps-for-ad-ldap true), so for all LIFs of the SVM, didn't I? Or is it possible to define individual LIFs accordingly?

Best regards

Michael

Vijay_ramamurthy

Hi Michael,

Sorry for making the query complex.

Let me reframe the question:

Since you have enabled "use-ldaps-for-ad-ldap" it is expected that for this SVM the AD-LDAP connection would happen via port 636.

And since you are seeing connections on port 389 as per the snippet shared, I just wanted to validate whether the source IP address of these AD-LDAP connections (both 389 and 636) belongs to a LIF on this same SVM which has "use-ldaps-for-ad-ldap" set to true.

Also, to answer your other question:

When you enable "use-ldaps-for-ad-ldap", it is applicable to all the LIFs that belong to this SVM; we cannot define it for individual LIFs.
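The two points Vijay makes in this thread, that DC discovery talks to DNS on port 53 every 4 hours and that -use-ldaps-for-ad-ldap applies to every LIF of the SVM rather than to individual LIFs, can be checked mechanically against the firewall logs the network team already has. The script below is an added example, not code from the thread, from ONTAP or from NetApp: the SVM names, LIF addresses, the DC address and the log lines are constructed, and the one-flow-per-line log format is a hypothetical one. It maps each connection's source address to its owning SVM and flags any port-389 connection that comes from a LIF of an SVM whose LDAPS setting is true, separating that case from 389 traffic that merely comes from some other SVM or host sharing the same domain controller.

```python
"""Audit AD-LDAP/LDAPS and DNS connections against per-SVM LDAPS settings.

Added example for this thread, not ONTAP code and not from the posters.
All data below (SVM settings, LIF addresses, log lines) is constructed.
"""
from datetime import datetime
from typing import Dict, List, NamedTuple

# Constructed: value of "Use LDAPS for AD LDAP connection" per SVM, as
# `vserver cifs security show` reports it. The setting is per SVM.
SVM_USES_LDAPS: Dict[str, bool] = {"SVM_xxxxx": True, "SVM_legacy": False}

# Constructed: data LIF address -> owning SVM (what `network interface show`
# would list). Every LIF of SVM_xxxxx is therefore expected to use 636 only.
LIF_OWNER: Dict[str, str] = {
    "10.0.1.21": "SVM_xxxxx",
    "10.0.1.22": "SVM_xxxxx",
    "10.0.2.5": "SVM_legacy",
}

# Constructed firewall log, hypothetical format:
# "<ISO timestamp> <src> <dst> <dport> <proto>". 10.0.0.10 plays the
# domain controller, which also answers DNS for the domain.
SAMPLE_LOG = """\
2023-03-01T00:02:11 10.0.1.21 10.0.0.10 53 udp
2023-03-01T00:02:12 10.0.1.21 10.0.0.10 636 tcp
2023-03-01T04:02:10 10.0.1.21 10.0.0.10 53 udp
2023-03-01T04:02:11 10.0.2.5 10.0.0.10 389 tcp
2023-03-01T08:02:09 10.0.1.22 10.0.0.10 53 udp
2023-03-01T08:02:10 10.0.1.22 10.0.0.10 389 tcp
2023-03-01T08:02:10 192.168.7.7 10.0.0.10 389 tcp
"""

PORT_SERVICE = {53: "dns", 389: "ldap", 636: "ldaps"}


class Conn(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str


def parse_log(text: str) -> List[Conn]:
    """Parse the constructed log format; lines that do not fit are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, proto = parts
        conns.append(Conn(datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return conns


def audit(conns: List[Conn], lif_owner=LIF_OWNER, svm_uses_ldaps=SVM_USES_LDAPS):
    """Return one finding per DNS/LDAP/LDAPS connection.

    Verdicts:
      ok              DNS on 53 from anywhere, or LDAPS on 636 from a LIF
      ldap-allowed    port 389 from a LIF of an SVM with LDAPS disabled
      ldap-violation  port 389 from a LIF of an SVM with LDAPS enabled
      foreign-source  389/636 from an address that is not a known LIF
    """
    findings = []
    for c in conns:
        service = PORT_SERVICE.get(c.dport)
        if service is None:
            continue  # not AD-LDAP or DNS traffic, out of scope here
        svm = lif_owner.get(c.src)
        if service == "dns":
            verdict = "ok"
        elif svm is None:
            verdict = "foreign-source"
        elif service == "ldaps":
            verdict = "ok"
        elif svm_uses_ldaps.get(svm, False):
            verdict = "ldap-violation"
        else:
            verdict = "ldap-allowed"
        findings.append({"ts": c.ts.isoformat(), "src": c.src, "svm": svm,
                         "dport": c.dport, "verdict": verdict})
    return findings


def violations(findings):
    """Only the case worth escalating: plaintext LDAP from an LDAPS-only SVM."""
    return [f for f in findings if f["verdict"] == "ldap-violation"]


def dns_intervals_hours(conns: List[Conn], lif_owner=LIF_OWNER, svm="SVM_xxxxx"):
    """Hours between successive DNS queries from any LIF of one SVM.
    Periodic DC discovery shows up as a run of intervals close to 4.0."""
    times = sorted(c.ts for c in conns if c.dport == 53 and lif_owner.get(c.src) == svm)
    return [round((b - a).total_seconds() / 3600, 1) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG)
    for f in audit(conns):
        print(f)
    print("DNS query intervals (h):", dns_intervals_hours(conns))
```

On the constructed data the script reports one violation (10.0.1.22, a LIF of SVM_xxxxx, talking to 389), one allowed 389 flow from the SVM that has LDAPS off, and one foreign source that is not an ONTAP LIF at all; the DNS queries from SVM_xxxxx sit 4.0 hours apart, which is the discovery cadence Vijay describes. Against a real log, the interesting question is which of those three buckets the 389 traffic lands in.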
