Network and Storage Protocols

cifs resetdc STATUS_ACCESS_DENIED

fuquajed1
4,969 Views

Hello All,

I'm am setting a CIFS within a vfiler on ma netapp host. The host has no cifs enabled nor is it configured (as it will only be doing nfs on the netapp host).

The CIFS on the vfiler I have joined to the domain as seen in the below command:

ebsnas@vsimst01> cifs domaininfo

NetBios Domain:           TEST

Windows 2003 Domain Name: <test.mydomain.org>

Type:                     Windows 2003

Filer AD Site:            Default-First-Site-Name

Not currently connected to any DCs

Preferred Addresses:

                          None

Favored Addresses:

                          172.31.17.86    VSIMAD01         PDCBROKEN

Other Addresses:

                          None

Connected AD LDAP Server: \\vsimad01.<mydomain.org>

Preferred Addresses:

                          None

Favored Addresses:

                          172.31.17.86

                           vsimad01.<test.mydomain.org>

Other Addresses:

                          None

The output from cifs resetdc is:

Fri Jan 11 01:22:04 GMT [vsimst01:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Starting DC address discovery for TEST

Fri Jan 11 01:22:04 GMT [vsimst01:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 1 addresses using DNS site query (Default-First-Site-Name)..

Fri Jan 11 01:22:04 GMT [vsimst01:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 1 addresses using generic DNS query.

Fri Jan 11 01:22:04 GMT [vsimst01:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- DC address discovery for TEST complete. 1 unique addresses found.

Fri Jan 11 01:22:04 GMT [vsimst01:cifs.server.errorMsg:error]: CIFS: Error for server \\VSIMAD01: Error in session setup response STATUS_ACCESS_DENIED.

Fri Jan 11 01:22:04 GMT [vsimst01:cifs.server.infoMsg:info]: CIFS: Warning for server \\VSIMAD01: Connection terminated.

Fri Jan 11 01:22:04 GMT [vsimst01:cifs.server.errorMsg:error]: CIFS: Error for server \\VSIMAD01: CIFS Session Setup Error STATUS_ACCESS_DENIED.

Fri Jan 11 01:22:04 GMT [vsimst01:auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Starting AD LDAP server address discovery for <TEST.MYDOMAIN.ORG>.

Fri Jan 11 01:22:04 GMT [vsimst01:auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Found 1 AD LDAP server addresses using DNS site query (Default-First-Site-Name).

Fri Jan 11 01:22:04 GMT [vsimst01:auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Found 1 AD LDAP server addresses using generic DNS query.

Fri Jan 11 01:22:04 GMT [vsimst01:auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- AD LDAP server address discovery for <TEST.MYDOMAIN.ORG> complete. 1 unique addresses found.

The times sync are less than 1 seconds apart from one another between the AD and the vfiler/host netapp. Do I need to have the hosting netapp filer (vfiler0) to actually run CIFS service and have it configured before the vfiler EBSNAS will work serving up CIFS?

Thanks!

2 REPLIES 2

fuquajed1
4,969 Views

So I found this was my problem:

https://kb.netapp.com/support/index?page=content&id=2010717&actp=LIST_RECENT&viewlocale=en_US&searchid=1358443092676

the AD had the above GPO/registery restriction - if you need to find it in the registery it's found at:

Name: Server SPN Target Name Validation Level

Location: HKLM\System CurrentControlSet\Services\LanmanServer\Parameters\SmbServerNameHardeningLevel 1 REG_DWORD

When i changed this value from a 1 to a 0 the and refreshed the AD, I got rid of the "PDCBROKEN" error and the STATUS_ACCESS_DENIED went away too.

martin_fisher
4,969 Views

Each vFiler on a NetApp host can run CIFS independantly. vFiler0 doesnt need to be serving CIFS, for your vFiler to provide CIFS.

Sounds like you sorted the problem. There is also a CIFS testdc cli command to check the CIFS info, without resetting it.

Martin

Public