ONTAP Discussions
I am running Data ONTAP 8.0.2 7-Mode. I run CIFS on both filers. Both are set up the same. The only error I see on one filer that I don't on the second is Kerberos: Did not find principal cifs/Filer1@mydomain.com in keytab. This is a CIFS problem.
--The answer I found was to rerun the CIFS setup, which runs successfully. But the error persists.
So I tried:
-resetting the computer account
-deleting and creating a new computer account
-cifs resetdc
-cifs domaininfo (looks correct)
-cifs testdc (connects to the local DCs just fine)
-setting preferred DCs
-not setting preferred DCs
-comparing all the cifs options between the two filers (they match 100%)
So I am baffled why these 2 identical filers are behaving in a similar manner. I believe the key is
"Kerberos: Did not find principal cifs/Filer1@mydomain.com in keytab. This is a CIFS problem."
I just can't seem to find anything else to try. Any suggestions?
Are you able to access a share through the IP address?
Good question. I will have to try that next time it fails. If I could or couldn't would that point you in a specific direction?
Are you using Kerberos-AES Encryption? Maybe you're hitting a BUG.
I did see an article suggesting that possibility, I just would have expected to see it occur on both filers and not just the one.
In the case you have one filer (vfiler) working and this filer is already joined in the same domain, it's worth trying to check the following options from the CLI (working filer, non-working filer):
options cifs.signing.enabled
options cifs.ipv6.enable
options cifs.search_domains
options cifs.smb2.enable
options cifs.smb2.signing.required
options cifs.smb2_1.branch_cache.enable
options cifs.AD.retry_
options cifs.trace_dc_connection
option cifs.trace_login
options kerberos.file_keytab.realm
options kerberos.file_keytab.enable
Also, check the DNS servers and the preferred DCs configured on the working controller.
The options match, at least the ones this version has available. I don't have:
options cifs.ipv6.enable
options cifs.AD.retry_
DNS and preferred DC settings are the same.
I understand that a Kerberos ticket would expire after 10 hours, so I believe that is the root of my problem. The working filer obviously gets a new ticket, the clunky filer (which I currently hate in a way someone should not hate an inanimate object) does not get a new ticket and CIFS drops. But why? Why?
Sorry, this has had me baffled for weeks now, and every morning I need to cifs resetdc to get it started. I do appreciate your suggestions very much.
I failed to mention a couple of things:
We are using NTP on both filers and the time matches the domain time
The filers are both FAS32420
I am having the exact same problem. Multi Path HA pair running DOT 8.0.2 7Mode. Same configuration on both filers. Every 10 hours I have to reset cifs to bring the connection back to the domain controllers.
Did you find a solution?