Network and Storage Protocols

ntap 8.11 cluster mode

carldubois
10,045 Views

Hi All,

And Thanks in advance for the assistance.

Trying to probe a cifs share on a cmode simulator. As I understand it a cifs share with acl Everyone FULL should suffice.

Win XP seems to net use fine with ntlm or v2 auth to the DC in the secd.log.

Trying to do the same when probe from my application (F5 ARX), filer keeps returning STATUS_UNSUCCESSFUL.

From the looks of secd.log looks like it fails when attempting to call doAuthWithDC as pkt capture shows that a connection was not made to the DC.

Anyone have an idea as to why or what this Unexpected State is below?

0000000c.0016e890 0029dd4c Fri Sep 14 2012 17:56:14 +00:00 [kern_secd:info:2878] | [000.000.936]  ERR  :              User Authentication procedure failed!

0000000c.0016e891 0029dd4c Fri Sep 14 2012 17:56:14 +00:00 [kern_secd:info:2878] | [000.000.943]  ERR  :                [  0 ms] Login attempt by domain user 'ARX\arxproxy' using NTLMv2 style security

0000000c.0016e892 0029dd4c Fri Sep 14 2012 17:56:14 +00:00 [kern_secd:info:2878] | [000.000.949]  ERR  :              **[     0] FAILURE: Unexpected state: Error 6978 at file:authentication/secd_seclibglue.cpp func:doAuthenticateWithDC line:733

20 REPLIES 20

scottgelb
9,910 Views

I remember seeing something about ARX not support SMB 2 yet (but that may have been added since then) but that may be related. 

The -smb2-enabled option is enabled by default... does it work if you turn off smb2?

vserver cifs options modify -vserver vsname -smb2-enabled false

carldubois
9,910 Views

Hi Scott,

You are correct ARX does no support SMB2 as of yet.

The pkt trace indicates that XP is using SMB1 and ARX is using SMB1 as well. I tryed to turn SMB2 off as you suggested. The end result was the same. Net use via XP is fine. ARX can't probe. Crazy.

Any other thoughts?

beenz# probe authentication ntlmv2 external-filer SH_1_Filer proxy-user CertProxy_1                                               

  IP address  : 10.90.67.142

  SPN         : VSERVER-CIFS_1@ARX.COM

  User        : ARX\arxproxy

  Protocol    : NTLMv2

  Status      : STATUS_UNSUCCESSFUL

carldubois
9,909 Views

One other note to add.

I know I saw this working with the 8.1 simulator so I am going to revist this.

Anyone have release notes between 8.1 and 8.1.1 cmode?

Thank You

scottgelb
9,909 Views

The 8.1.1 relnotes show support for SMB 2.1 which seems to be the major cifs change...but the client is using SMB1..unless a change or interaction issue with ARX.. Is there an F5 case open? 

carldubois
9,910 Views

Yes, I have an internal PD bug open. This is an interop issue between the filer and ARX. Working with Engineer's in India with little response. No fault of there own considering the time difference and the fact that XP, 7 clients do work.

I can probe the DC from the filer.

ONTAP-CLUS-81::*> diag secd authentication login-cifs -node ONTAP-CLUS-81-01 -vserver vserver1 -user interopproxy

Enter the password:
Windows User: interopproxy Domain: ENGSMOKE Privs: a7
Primary Grp: S-1-5-21-448539723-1844237615-725345543-513
      Domain: S-1-5-21-448539723-1844237615-725345543 Rids: 30841, 512, 513, 519, 1221
      Domain: S-1-1 Rids: 0
      Domain: S-1-5 Rids: 11, 2
     Unix ID: 0, GID: 1
       Flags: 1
   Domain ID: 0
  Other GIDs:
Authentication Succeeded.

carldubois
9,909 Views

Same thing with 8.1 cmode sim. Something small I am overlooking here.

Is it OK to use root as the default cifs unix user?

scottgelb
9,909 Views

Most use pcuser but we have had root set in some installs...as long as there is a mapping that is what is needed.  You can modify the default to pcuser and make sure the unixuser exists for pcuser but doesn't sound like the cause.

carldubois
9,909 Views

Thanks Scott, I'll try. I assumed that would not work becuase of UID / GID being 65534  65534. I think root squash. Could be way off here.

Does cifs options default user = pcuser sufficent enough for mapping win user to unix user?

carldubois
9,909 Views

Same behavior using pcuser for default unix user.

Missing something small here.

scottgelb
9,274 Views

ONTAP just requires a mapping for default unix_user for cifs.. odd but just used to it for years now.  Or unless you had explicit mappings for each user...but when native cifs it isn't using the 65534 uid for access.

carldubois
9,274 Views

No explicit name mappings, just cifs default unix user. Acl is FULL / Everyone. Hmm, I am missing something. What if I extend to ACL to give FULL access to Domain Users and Domain Admins.

scottgelb
9,274 Views

Worth a try... odd that XP works and not the ARX.... Can you try using the same username on XP and ARX with the same result ?

carldubois
9,274 Views

Is there a Local Administrators Group on the Filer? Created a folder and owner is CIFS_SERVER\Administrators. If so how do I add a user to it?

scottgelb
9,274 Views

In 7-mode we can create local groups/users but not in cluster-mode....so has to be on the domain.

carldubois
9,274 Views

OK, Thanks. Tryed to extend add an ACE for the ACL via windows and on the filer. No Luck.

Crazy.

carldubois
8,477 Views

Got kerberos working

  IP address  : 10.63.133.80

  SPN         : cifs-server_1@engsmoke.acopianet.com

  User        : interopproxy@ENGSMOKE.ACOPIANET.COM

  Protocol    : Kerberos

  Status      : STATUS_SUCCESS

Not sure why ntlm or v2 is not working.

artik
7,695 Views

hi carl, how did you pull it off? struggling with the same problem to test an ARX decomm POC..

thx in advance 

Bug2
7,647 Views

Hi Artik,

 

Got any lucjK? I've got the same problem.

artik
7,634 Views

we found an authentication error with a packet trace.

the filer is reporting "KRB5KRB_AP_ERR_MODIFIED" and "STATUS_MORE_PROCESSING_REQUIRED" in the same packet.

Unresolved.

 

 

GabeC
7,204 Views

Hi how did you get Kerberos working? i have been crazy over this..

Public