ONTAP Discussions

CIFS Connection to the domain drops

Sean1971
7,287 Views

I am running Data ONtap 8.0.2 7 Mode.  I run CIFS on both filers.  Both are setup the same.  The only error I see on one filer that I don't on the second is Kerberos: Did not find principal cifs/Filer1@mydomain.com in keytab. This is a CIFS problem.

--The answer I found was rerun the CIFS setup, which runs successfully.  But the error persists.

 

So I tried:

-resetting the computer account

-deleting and creating a new computer account

-cifs resetdc

-cifs domaininfo (looks correct)

-cifs testdc (connects to the local DCs just fine)

-setting preferred DCs

-not setting preffered DCs

-compare allthe cifs options between the two filers (the match 100%)

 

So I am baffled why these 2 identical filers are behaving in a similiar manner.  I believe the key is

"Kerberos: Did not find principal cifs/Filer1@mydomain.com in keytab. This is a CIFS problem."

 

I just can't seem to find anything else to try.  Any suggestions? 

 

 

8 REPLIES 8

COMITSUPPORT
7,181 Views

Are you able to access a share through the IP address?

Sean1971
7,172 Views

Good question.  I will have to try that next time it fails.  If I could or couldn't would that point you in a specific direction?

COMITSUPPORT
7,166 Views

Are you using Kerberos-AES Encryption? Maybe you're hitting a BUG.

 

Sean1971
7,164 Views

I did see an article suggesting that possibility, I just would have expected to see it occur on both filers and not just the one.

COMITSUPPORT
7,160 Views

 

In the case you have one filer (vfiler) working and this filer is already joined in the same domain its worth to try and checkthe following options from CLI (working filer, non-working filer)

 

options cifs.signing.enabled
options cifs.ipv6.enable 
options cifs.search_domains 
options cifs.smb2.enable
options cifs.smb2.signing.required 
options cifs.smb2_1.branch_cache.enable 
options cifs.AD.retry_
options cifs.trace_dc_connection 
option cifs.trace_login 
options kerberos.file_keytab.realm 
options kerberos.file_keytab.enable 

 

Also, check the DNS servers and the preferred DC's configured on the working controller

 

 

 

 

Sean1971
7,154 Views

The options match, at least the ones this version has available.  I don't have:

 

options cifs.ipv6.enable 

options cifs.AD.retry_

 

DNS and preferred DC settings are the same.

 

I understand that a Kerberos ticket would expire after 10 hours, so I believe that is the root of my problem.  The working Filer obviously gets a new ticket, the clunky filer (which I currently hate in a way someone should not hate an inanimate object) does not get a new ticket and the CIFS drop. But why? why?

 

Sorry this has had be baffled for weeks now and everymorning I need to cifs resetdc to get it started. I do appreciate your suggestions very much.

Sean1971
7,178 Views

I failed to mention a couple of things:

 

We are using NTP on both filers and the time matches the domain time

 

The filers are both FAS32420

StanTech2
6,873 Views

I am having the exact same problem. Multi Path HA pair running DOT 8.0.2 7Mode. Same configuration on both filers. Every 10 hours I have to reset cifs to bring the connection back to the  domain controllers.

Did you find a solution?

Public