Network and Storage Protocols

Non-domain computer can't access CIFS share



I have a kind of very specific problem...


I'm running a Samba AD and NetApp ONTAP 9.7.


After upgrading from Samba 4.13 to 4.16, I ran into the following problem:


Before the upgrade, non-domain-joined computers could connect to CIFS shares just fine by using DOMAIN\user as username and their password.


Now, after the upgrade, they can't connect to them anymore. ONTAP reports:
8/23/2022 15:37:33 napV-01 ERROR secd.cifsAuth.problem: vserver (napV1) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip =
[ 0 ms] Login attempt by domain user 'FHI\cliff' using NTLMv2 style security
[ 0] No servers available for MS_NETLOGON, vserver: 3, domain:
[ 8] Hostname found in Name Service Cache
[ 8] Successfully connected to ip, port 445 using TCP
[ 18] Encountered NT error (NT_STATUS_INVALID_PARAMETER) for SMB command SessionSetup
[ 18] Unable to connect to NetLogon service on (Error: RESULT_ERROR_SECD_NO_CONNECTIONS_AVAILABLE)
[ 18] No servers available for MS_NETLOGON, vserver: 3, domain:
[ 18] FAILURE: Unable to make a connection (NetLogon:FHI.MPG.DE), result: 6940
[ 18] CIFS authentication failed
8/23/2022 15:37:13 napV-01 ERROR Nblade.CifsOperationTimedOut: Detected a timed out CIFS operation. SMB command for this operation: SMB2_COM_SESSION_SETUP, Number of times this command was suspended: 1939, Number of times this command was restarted: 0, Last CSM error during this operation: CSM_OK, Remote blade UUID: 00000000-0000-0000-0000-000000000000, Is QoS enabled: QoS_disabled, Last SpinNp error during this operation: SPINNP_NO_FO_ERROR, Client IP address:, Local IP address:, Target Vserver ID: 3, Target disk's DSID: 0


Meanwhile, domain systems can still connect to their shares just fine.

Does anybody have an idea how to debug further than NT_STATUS_INVALID_PARAMETER?


From the Samba side, I only get the same NT_STATUS_INVALID_PARAMETER and
Could not find a suitable mechtype in NEG_TOKEN_INIT.


Maybe there's a hint on how to debug this further.

Thanks in advance!



In order to isolate the issue: what happens if you negotiate with SMB2 on the ONTAP?


Hey, thanks for your answer, but I'm afraid I don't understand what exactly you mean. Maybe you can give me a hint?

Should I disable SMB3 in the CIFS options?


Thanks, I'll try with that, and also read through the KBs.


I've now disabled SMB3 and SMB3.1, but to no avail. 😞

Current CIFS server options are:

Vserver: napV2

Client Session Timeout: 900
Copy Offload Enabled: false
Default Unix Group: -
Default Unix User: pcuser
Guest Unix User: -
Are Administrators mapped to 'root': true
Is Advanced Sparse File Support Enabled: true
Is Fsctl File Level Trim Enabled: true
Direct-Copy Copy Offload Enabled: false
Export Policies Enabled: false
Grant Unix Group Permissions to Others: false
Is Advertise DFS Enabled: false
Is Client Duplicate Session Detection Enabled: true
Is Client Version Reporting Enabled: true
Is DAC Enabled: false
Is Fake Open Support Enabled: true
Is Hide Dot Files Enabled: false
Is Large MTU Enabled: true
Is Local Auth Enabled: true
Is Local Users and Groups Enabled: true
Is Multichannel Enabled: false
Is NetBIOS over TCP (port 139) Enabled: true
Is NBNS over UDP (port 137) Enabled: false
Is Referral Enabled: false
Is Search Short Names Support Enabled: false
Is Trusted Domain Enumeration And Search Enabled: true
Is UNIX Extensions Enabled: false
Is Use Junction as Reparse Point Enabled: true
Max Multiplex Count: 255
Max Connections per Multichannel Session: 32
Max LIFs per Multichannel Session: 256
Max Same User Session Per Connection: 2500
Max Same Tree Connect Per Session: 5000
Max Opens Same File Per Tree: 1000
Max Watches Set Per Tree: 500
Is Path Component Cache Enabled: true
NT ACLs on UNIX Security Style Volumes Enabled: true
Read Grants Exec: disabled
Read Only Delete: disabled
Reported File System Sector Size: 4096
Restrict Anonymous: no-restriction
Shadowcopy Dir Depth: 5
Shadowcopy Enabled: true
SMB1 Enabled: false
Max Buffer Size for SMB1 Message: 65535
SMB2 Enabled: true
SMB3 Enabled: false
SMB3.1 Enabled: false
Map Null User to Windows User or Group: -
WINS Servers: -
Report Widelink as Reparse Point Versions: SMB1
Max Credits to Grant: 128


Non-domain systems still can't connect while domain systems can.


The error messages in the event log remain the same.

Maybe someone has another idea?


Thanks in advance again!