Network and Storage Protocols
Hello,
I have a kind of very specific problem...
I'm running a Samba AD and NetApp ONTAP 9.7.
After upgrading from Samba 4.13 to 4.16, I ran into the following problem:
Before the upgrade, non-domain-joined computers could connect to CIFS shares just fine by using DOMAIN\user as the username and their password.
Now, after the upgrade, they can't connect to them anymore; the ONTAP reports:
8/23/2022 15:37:33 napV-01 ERROR secd.cifsAuth.problem: vserver (napV1) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 192.168.6.130
[ 0 ms] Login attempt by domain user 'FHI\cliff' using NTLMv2 style security
[ 0] No servers available for MS_NETLOGON, vserver: 3, domain: fhi.mpg.de.
[ 8] Hostname found in Name Service Cache
[ 8] Successfully connected to ip 192.168.6.100, port 445 using TCP
[ 18] Encountered NT error (NT_STATUS_INVALID_PARAMETER) for SMB command SessionSetup
[ 18] Unable to connect to NetLogon service on wayland.fhi.mpg.de (Error: RESULT_ERROR_SECD_NO_CONNECTIONS_AVAILABLE)
[ 18] No servers available for MS_NETLOGON, vserver: 3, domain: fhi.mpg.de.
**[ 18] FAILURE: Unable to make a connection (NetLogon:FHI.MPG.DE), result: 6940
[ 18] CIFS authentication failed
8/23/2022 15:37:13 napV-01 ERROR Nblade.CifsOperationTimedOut: Detected a timed out CIFS operation. SMB command for this operation: SMB2_COM_SESSION_SETUP, Number of times this command was suspended: 1939, Number of times this command was restarted: 0, Last CSM error during this operation: CSM_OK, Remote blade UUID: 00000000-0000-0000-0000-000000000000, Is QoS enabled: QoS_disabled, Last SpinNp error during this operation: SPINNP_NO_FO_ERROR, Client IP address: 192.168.6.130, Local IP address: 192.168.6.11, Target Vserver ID: 3, Target disk's DSID: 0
while domain systems can still connect to their shares just fine.
Does anybody have an idea how to debug further than NT_STATUS_INVALID_PARAMETER?
From the Samba side, I only get the same NT_STATUS_INVALID_PARAMETER and
Could not find a suitable mechtype in NEG_TOKEN_INIT.
Maybe there's a hint on how to debug this further.
Thanks in advance!
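The secd trace in the post is a step-by-step record of the filer's pass-through authentication, and the useful information (which DC it reached, which SMB command the DC rejected, with which NT status) is spread over several lines. The following parser is an added example for this thread, not NetApp or Samba code; it assumes the line shape shown in the post (`[ <ms>] message`, with `**` and `FAILURE:` marking the final result) and uses the posted trace, copied inline, as its sample input.

```python
"""Parse an ONTAP secd CIFS-authentication trace and state where the chain broke.

Added example for this thread, not NetApp or Samba code. Assumed trace format:
lines of the form "[ <ms>] <message>" (optionally prefixed with '**'), the
first "Encountered NT error" line being the DC's rejection and the "FAILURE:"
line being the final result.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the trace lines copied from the event-log excerpt in the post.
SAMPLE_TRACE = """\
CIFS SMB2 Share mapping - Client Ip = 192.168.6.130
[ 0 ms] Login attempt by domain user 'FHI\\cliff' using NTLMv2 style security
[ 0] No servers available for MS_NETLOGON, vserver: 3, domain: fhi.mpg.de.
[ 8] Hostname found in Name Service Cache
[ 8] Successfully connected to ip 192.168.6.100, port 445 using TCP
[ 18] Encountered NT error (NT_STATUS_INVALID_PARAMETER) for SMB command SessionSetup
[ 18] Unable to connect to NetLogon service on wayland.fhi.mpg.de (Error: RESULT_ERROR_SECD_NO_CONNECTIONS_AVAILABLE)
[ 18] No servers available for MS_NETLOGON, vserver: 3, domain: fhi.mpg.de.
**[ 18] FAILURE: Unable to make a connection (NetLogon:FHI.MPG.DE), result: 6940
[ 18] CIFS authentication failed
"""

STEP_RE = re.compile(r"^\**\[\s*(\d+)(?:\s*ms)?\]\s*(.*)$")
CLIENT_RE = re.compile(r"Client Ip = (\d+\.\d+\.\d+\.\d+)")
USER_RE = re.compile(r"Login attempt by domain user '([^']+)' using (\S+) style security")
NT_ERR_RE = re.compile(r"NT error \((NT_STATUS_\w+)\) for SMB command (\w+)")
NETLOGON_RE = re.compile(r"Unable to connect to NetLogon service on (\S+) \(Error: (\w+)\)")


@dataclass
class AuthTrace:
    client_ip: Optional[str] = None
    user: Optional[str] = None
    auth_style: Optional[str] = None      # e.g. NTLMv2
    dc_host: Optional[str] = None         # DC the filer tried to use for NetLogon
    nt_status: Optional[str] = None       # first NT status the DC answered with
    failed_command: Optional[str] = None  # SMB command that drew that status
    secd_result: Optional[str] = None     # secd's own error code for the hop
    failure: Optional[str] = None         # text after "FAILURE:"
    steps: list = field(default_factory=list)  # (elapsed ms, message) in order


def parse_secd_trace(text: str) -> AuthTrace:
    """Walk the trace once and collect the fields that matter for diagnosis."""
    t = AuthTrace()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CLIENT_RE.search(line)
        if m:
            t.client_ip = m.group(1)
        m = STEP_RE.match(line)
        if not m:
            continue  # header line, not a timed step
        ms, msg = int(m.group(1)), m.group(2)
        t.steps.append((ms, msg))
        m = USER_RE.search(msg)
        if m:
            t.user, t.auth_style = m.group(1), m.group(2)
        m = NT_ERR_RE.search(msg)
        if m and t.nt_status is None:   # keep the first rejection, it is the root
            t.nt_status, t.failed_command = m.group(1), m.group(2)
        m = NETLOGON_RE.search(msg)
        if m:
            t.dc_host, t.secd_result = m.group(1), m.group(2)
        if msg.startswith("FAILURE:"):
            t.failure = msg[len("FAILURE:"):].strip()
    return t


def diagnose(t: AuthTrace) -> str:
    """One-line statement of which hop failed, so the DC side can be checked next."""
    if t.nt_status and t.dc_host:
        return (f"{t.auth_style} pass-through for {t.user!r} from {t.client_ip} failed: "
                f"the filer reached {t.dc_host} but its {t.failed_command} was "
                f"rejected with {t.nt_status} ({t.secd_result})")
    if t.failure:
        return f"authentication failed: {t.failure}"
    return "no failure recorded in trace"


if __name__ == "__main__":
    print(diagnose(parse_secd_trace(SAMPLE_TRACE)))
```

Run against the posted trace it reports that the filer did reach wayland.fhi.mpg.de over TCP 445 and that the DC itself rejected the SessionSetup, which is why the next place to look is the DC's log for that SessionSetup rather than name resolution or connectivity on the filer.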
In order to isolate the issue: what happens if you negotiate with SMB2 on the ONTAP?
Hey, thanks for your answer, but I'm afraid I don't understand what exactly you mean. Maybe you can give me a hint?
Should I disable SMB3 in the CIFS options?
Yes. Usually, SMB version "negotiation" depends on the highest version supported by both the clients and the servers. So, depending upon the 'client', you could disable SMB3 on the ONTAP and try isolating the issue. Before disabling SMB3, ensure there are no applications that specifically depend on this version.
Just mentioning KBs related to Samba and NetApp supportability:
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/What_is_the_default_negotiated_SMB_version_with_various_versions_of_Da...
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Does_ONTAP_support_Samba_domain_controllers
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Does_ONTAP_support_Samba_clients%3F
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_handle_incompatible_or_unsupported_SMB_clients_with_ONTAP
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Samba_client_cannot_access_CIFS_shares
Thanks, I'll try that, and also read through the KBs.
I've now disabled SMB3 and SMB3.1, but to no avail. 😞
Current CIFS server options are:
Vserver: napV2
Client Session Timeout: 900
Copy Offload Enabled: false
Default Unix Group: -
Default Unix User: pcuser
Guest Unix User: -
Are Administrators mapped to 'root': true
Is Advanced Sparse File Support Enabled: true
Is Fsctl File Level Trim Enabled: true
Direct-Copy Copy Offload Enabled: false
Export Policies Enabled: false
Grant Unix Group Permissions to Others: false
Is Advertise DFS Enabled: false
Is Client Duplicate Session Detection Enabled: true
Is Client Version Reporting Enabled: true
Is DAC Enabled: false
Is Fake Open Support Enabled: true
Is Hide Dot Files Enabled: false
Is Large MTU Enabled: true
Is Local Auth Enabled: true
Is Local Users and Groups Enabled: true
Is Multichannel Enabled: false
Is NetBIOS over TCP (port 139) Enabled: true
Is NBNS over UDP (port 137) Enabled: false
Is Referral Enabled: false
Is Search Short Names Support Enabled: false
Is Trusted Domain Enumeration And Search Enabled: true
Is UNIX Extensions Enabled: false
Is Use Junction as Reparse Point Enabled: true
Max Multiplex Count: 255
Max Connections per Multichannel Session: 32
Max LIFs per Multichannel Session: 256
Max Same User Session Per Connection: 2500
Max Same Tree Connect Per Session: 5000
Max Opens Same File Per Tree: 1000
Max Watches Set Per Tree: 500
Is Path Component Cache Enabled: true
NT ACLs on UNIX Security Style Volumes Enabled: true
Read Grants Exec: disabled
Read Only Delete: disabled
Reported File System Sector Size: 4096
Restrict Anonymous: no-restriction
Shadowcopy Dir Depth: 5
Shadowcopy Enabled: true
SMB1 Enabled: false
Max Buffer Size for SMB1 Message: 65535
SMB2 Enabled: true
SMB3 Enabled: false
SMB3.1 Enabled: false
Map Null User to Windows User or Group: -
WINS Servers: -
Report Widelink as Reparse Point Versions: SMB1
Max Credits to Grant: 128
Non-domain systems still can't connect, while domain systems can.
The error messages in the event log remain the same.
Maybe someone has another idea?
Thanks in advance again!
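The negotiation rule given in the reply above (the highest dialect both sides support wins) can be checked against the `cifs options` dump posted above, which shows SMB1, SMB3 and SMB3.1 off and only SMB2 on. The model below is an added example for this thread, not NetApp or Samba code. It assumes a mapping from ONTAP's three switches to the MS-SMB2 dialect revision codes (the codes themselves are from the protocol specification; which switch covers which dialect is my assumption), and the client offer lists are constructed.

```python
"""Model SMB2 dialect negotiation against an ONTAP 'cifs options' dump.

Added example for this thread, not NetApp or Samba code. Assumptions:
 - which ONTAP switch enables which dialect (OPTION_DIALECTS below) is mine;
 - the selection rule modelled is the MS-SMB2 one: the server picks the
   highest dialect it supports from the list the client offered, and the
   connection fails when there is no overlap.
"""
from typing import Optional

# MS-SMB2 dialect revision codes.
SMB_2_0_2 = 0x0202
SMB_2_1 = 0x0210
SMB_3_0 = 0x0300
SMB_3_0_2 = 0x0302
SMB_3_1_1 = 0x0311

DIALECT_NAMES = {SMB_2_0_2: "SMB 2.0.2", SMB_2_1: "SMB 2.1", SMB_3_0: "SMB 3.0",
                 SMB_3_0_2: "SMB 3.0.2", SMB_3_1_1: "SMB 3.1.1"}

# Assumed mapping of ONTAP option names to the dialects they switch on.
OPTION_DIALECTS = {
    "SMB2 Enabled": {SMB_2_0_2, SMB_2_1},
    "SMB3 Enabled": {SMB_3_0, SMB_3_0_2},
    "SMB3.1 Enabled": {SMB_3_1_1},
}

# Constructed sample: the relevant lines from the options dump in the thread.
SAMPLE_OPTIONS = """\
Vserver: napV2
SMB1 Enabled: false
SMB2 Enabled: true
SMB3 Enabled: false
SMB3.1 Enabled: false
Max Credits to Grant: 128
"""

# Constructed client offers: a modern client offering every SMB2/3 dialect,
# and a client that insists on SMB3-only (e.g. one configured to require
# SMB3 encryption).
MODERN_CLIENT = [SMB_2_0_2, SMB_2_1, SMB_3_0, SMB_3_0_2, SMB_3_1_1]
SMB3_ONLY_CLIENT = [SMB_3_0, SMB_3_0_2, SMB_3_1_1]


def parse_options(dump: str) -> dict:
    """Parse the 'Key: value' dump; 'true'/'false' become bools, the rest stay strings."""
    opts = {}
    for line in dump.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value.lower() in ("true", "false"):
            value = value.lower() == "true"
        opts[key.strip()] = value
    return opts


def server_dialects(opts: dict) -> set:
    """Dialects the filer will accept, derived from its SMB2/SMB3/SMB3.1 switches."""
    enabled = set()
    for option, dialects in OPTION_DIALECTS.items():
        if opts.get(option) is True:
            enabled |= dialects
    return enabled


def negotiate(client_offer: list, server_supported: set) -> Optional[int]:
    """Server's choice: the highest dialect in common, or None when negotiation fails."""
    common = [d for d in client_offer if d in server_supported]
    return max(common) if common else None


def explain(dump: str, client_offer: list) -> str:
    """Human-readable outcome for one client against one options dump."""
    chosen = negotiate(client_offer, server_dialects(parse_options(dump)))
    if chosen is None:
        return "negotiation fails: no dialect in common"
    return f"negotiated {DIALECT_NAMES[chosen]}"


if __name__ == "__main__":
    print("modern client:   ", explain(SAMPLE_OPTIONS, MODERN_CLIENT))
    print("SMB3-only client:", explain(SAMPLE_OPTIONS, SMB3_ONLY_CLIENT))
```

With the posted settings a normal client drops to SMB 2.1 and still connects, which matches the observation that domain-joined machines keep working; only a client that refuses to go below SMB3 would be locked out by the change. That is why toggling SMB3 narrows the problem to dialect-level features (signing, encryption, multichannel) rather than to the NTLM pass-through hop that the secd trace points at.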