Network and Storage Protocols

not able to access cifs shares

EddieJaure
5,057 Views

I am having trouble accessing cifs shares. I have tried running cifs setup and it fails with "Data ONTAP API Failed :Could not authenticate with domain controller: Client not found in Kerberos database." It appears to be trying to use an old domain controller. When I run cifs domaininfo I get the following results:

cifs domaininfo
NetBios Domain: domain
Windows 2000 Domain Name: domain.net
Type: Windows 2000
Filer AD Site: sitename

Not currently connected to any DCs
Preferred Addresses:
172.20.216.30 BDC
172.20.216.31 BDC
172.20.176.92 BDC
Favored Addresses:
None
Other Addresses:
None

Not currently connected to any AD LDAP server
Preferred Addresses:
None
Favored Addresses:
172.20.216.151 BROKEN
server1.domain.net
172.20.216.150 BROKEN
server1.domain.net
172.20.216.150
server1.domain.net
172.20.216.151
server2.domain.net
Other Addresses:
None

The IP addresses listed in the preferred addresses list are no longer domain controllers. How do I force the cifs filer to not use the preferred DC on the list?


Ontapforrum
5,030 Views

Hi,

This error 'Client not found in Kerberos database' is indicating that the client's SPN is not found in the kerb database.

Deleting a preferred DC list:

To delete a preferred DC list for a domain, use the delete option:
filer> cifs prefdc delete 'domain'

I suggest removing the old 'filer' (cifs server) from AD | computers (generally, when you do cifs setup, the cifs server name is added to the OU), so that when you re-run the cifs setup, it will automatically re-create the correct SPNs.

Re-run the cifs setup (make sure filer & AD time are not more than 5 minutes apart).

Thanks!
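
An added example, not part of the original posts or of any NetApp tooling: it parses cifs domaininfo output in the format shown in the question and reports preferred DC entries that are missing from an operator-supplied set of current DCs, plus LDAP servers tagged BROKEN. The CURRENT_DCS set and the function names are assumptions made for illustration; the sample text is an excerpt of the output posted above.

```python
import re

# Excerpt of the `cifs domaininfo` output posted in the question above.
DOMAININFO = """\
Not currently connected to any DCs
Preferred Addresses:
172.20.216.30 BDC
172.20.216.31 BDC
172.20.176.92 BDC
Favored Addresses:
None
Not currently connected to any AD LDAP server
Favored Addresses:
172.20.216.151 BROKEN
server1.domain.net
172.20.216.150 BROKEN
server1.domain.net
"""

ENTRY = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:\s+(\S+))?$")
LIST_HDR = re.compile(r"^(Preferred|Favored|Other) Addresses:$")

def parse_domaininfo(text):
    """Return {(service, list): [(ip, tag), ...]}; service is 'dc' or 'ldap'."""
    out, service, current = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if "AD LDAP server" in line:          # LDAP section header
            service, current = "ldap", None
        elif line.endswith("DCs"):            # domain controller section header
            service, current = "dc", None
        elif (m := LIST_HDR.match(line)) and service:
            current = out.setdefault((service, m.group(1).lower()), [])
        elif (m := ENTRY.match(line)) and current is not None:
            current.append((m.group(1), m.group(2) or ""))
        # "None" and bare hostname lines carry no address and are skipped
    return out

def audit(parsed, current_dcs):
    """Flag preferred DCs that are no longer DCs and LDAP servers marked BROKEN."""
    stale = [ip for ip, _ in parsed.get(("dc", "preferred"), []) if ip not in current_dcs]
    broken = sorted({ip for (svc, _), rows in parsed.items() if svc == "ldap"
                     for ip, tag in rows if tag == "BROKEN"})
    return {"stale_prefdc": stale, "broken_ldap": broken}

# Assumption: the operator supplies the addresses that are DCs today (constructed).
CURRENT_DCS = {"172.20.216.150", "172.20.216.151"}
print(audit(parse_domaininfo(DOMAININFO), CURRENT_DCS))
```

A non-empty stale_prefdc list means the filer is still pinned to addresses that should be cleared with cifs prefdc delete before cifs setup is re-run.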

EddieJaure
5,028 Views

I have removed the computer object from AD and verified it replicated. I also deleted the domain using the command cifs prefdc delete 'domain'. I have also verified the time service is correct. Both the domain controller and the netapp server are using the same time source and the times both match. When I run the cifs setup it gets to the point where it's prompting for credentials, and when I use my admin credentials it doesn't seem to like them. I have tried multiple accounts that are domain admins and they don't work. The error message I receive is "Could not authenticate with domain controller: Client not found in Kerberos database.
CIFS - unable to log into domain as admin@domain.net.
Please try again (Ctrl-C to exit)."

Any additional thoughts?

Ontapforrum
5,001 Views

Thanks for the update.

Can you check if the filer can ping the DC and vice versa? Is DNS working fine? nslookup

Interesting - because it prompts you to enter a password, that means it is able to contact the AD, and when it is trying to add the object, it is refusing. Isn't it?

EddieJaure
4,984 Views

I am able to ping the DC and vice versa. DNS appears to be working. I can do an nslookup for the domain.com and the DC. I was able to resolve the problem by joining the server to a child domain instead of the root domain which it was originally part of (child.domain.com). Thanks for the response.

Ontapforrum
4,981 Views

Good one. Well done. Interesting, a plausible reason could be: as it was originally attached to child.domain.com, this child domain may have the SPN for the old CIFS server and it was probably looking for it. It is required for CIFS (kerb) authentication.
