ONTAP Discussions
We realized that we are not able to connect to one of the 2 Controllers with a Windows Client on a FAS2240-2 / NetApp Release 8.2.5P3 7-Mode. Checking the connection via port 445 showed that 445 on controller one is not open, even if the CIFS configuration was performed with success.
Is there a way to check open Ports and also a way to open them if needed?
Try upgrading to 8.2.5p5 first
Be sure to read the bugs fixed in p5
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Microsoft_Security_Advisory%3A_CVE-2020-1472_impact_on_NetApp_appliance_running_CIFS%5CNFS_utilizing_Netlogon_servers
Unfortunately I couldn't find a way to copy the file to the NetApp, Share on C$, SFTP and http didn't work for me...
For the second Controller I am ready, but I would like to wait with the update until both are ready.
Is there another way to get the OnTap file to the place it should be for the update?
Dumb question, but is options cifs.enabled and cifs.smb2.enabled true?
options cifs has this output: (can't find the two options you mentioned)
cifs.AD.retry_delay 15
cifs.LMCompatibilityLevel 1
cifs.W2K_password_change off
cifs.W2K_password_change_interval 4w
cifs.W2K_password_change_within 1h
cifs.audit.account_mgmt_events.enable off
cifs.audit.autosave.file.extension
cifs.audit.autosave.file.extension.nanosecond_precision off
cifs.audit.autosave.file.limit 0
cifs.audit.autosave.onsize.enable off
cifs.audit.autosave.onsize.threshold 75%
cifs.audit.autosave.ontime.enable off
cifs.audit.autosave.ontime.interval 1d
cifs.audit.enable off
cifs.audit.file_access_events.enable on
cifs.audit.liveview.allowed_users
cifs.audit.liveview.enable off
cifs.audit.logon_events.enable on
cifs.audit.logsize 1048576
cifs.audit.nfs.enable off
cifs.audit.nfs.filter.filename
cifs.audit.saveas /etc/log/adtlog.evt
cifs.bypass_traverse_checking on
cifs.client.dup-detection ip-address
cifs.comment Comment
cifs.enable_share_browsing on
cifs.gpo.enable off
cifs.gpo.trace.enable off
cifs.grant_implicit_exe_perms off
cifs.guest_account
cifs.home_dir.generic_share_access_level 1
cifs.home_dir.generic_share_access_warn on
cifs.home_dir_namestyle
cifs.home_dirs_public_for_admin on
cifs.idle_timeout 1800
cifs.ipv6.enable off
cifs.max_mpx 253
cifs.ms_snapshot_mode xp
cifs.netbios_aliases
cifs.netbios_over_tcp.enable on
cifs.nfs_root_ignore_acl off
cifs.oplocks.enable on
cifs.oplocks.opendelta 0
cifs.per_client_stats.enable off
cifs.perfmon.allowed_users
cifs.perm_check_ro_del_ok off
cifs.perm_check_use_gid on
cifs.preserve_unix_security off
cifs.restrict_anonymous 0
cifs.restrict_anonymous.enable off
cifs.save_case on
cifs.scopeid
cifs.search_domains
cifs.show_dotfiles on
cifs.show_snapshot off
cifs.shutdown_msg_level 2
cifs.sidcache.enable on
cifs.sidcache.lifetime 1440
cifs.signing.enable off
cifs.smb2.enable on
cifs.smb2.signing.max_threads 3
cifs.smb2.signing.multiprocessing default
cifs.smb2.signing.required off
cifs.smb2_1.branch_cache.enable off
cifs.smb2_1.branch_cache.hash_time_out 3600 (value might be overwritten in takeover)
cifs.smbx_signing_required off
cifs.snapshot_file_folding.enable off
cifs.symlinks.cycleguard on
cifs.symlinks.enable on
cifs.trace_dc_connection off
cifs.trace_login off
cifs.universal_nested_groups.enable on
cifs.widelink.ttl 10m
I was able to copy it with http, now it's time to make the update, hope it works out
Upgrade successful, but I am still not able to connect to Controller 1, Controller 2 has a connection, but now I have this error:
[storename:krb.kt.princ.notfound.cred:warning]: Kerberos: Did not find principal HOST/storename@DOMAIN in keytab. This is a CIFS problem.
I am not able to open the C$ share with any combination of credentials.
The mentioned solution here also didn't work --> https://matthewfugel.wordpress.com/2016/02/09/fixing-a-broken-cifsnetbios-alias/
It can be a wrong SPN, duplicate machine account name, or the machine account has been deleted.
How to set the correct SPN for a storage controller
Note:
You can always delete the old machine account manually from your AD before reconfiguring CIFS.
>cifs terminate
>cifs setup
I am now back to where I was before the update, controller 1 does not work, access to controller 2 now works again after setting the following options:
options cifs.smb2.client.enable
options cifs.netlogon.secure_channel.enable
However, it only works via IP, and not with the hostname for controller 2.
I stopped counting, but after the last cifs setup I am again able to connect with hostname. But still not able to connect to controller 1.
I suspect if you have gone this far:
Done the following:
1. Set options dns.update.enable secure on both controllers
2. Stopped cifs
3. Removed DNS entries (AAA record and reverse)
4. Removed Computer object from AD
5. Done cifs setup again
6. Recreated both DNS entries
7. Computer object there
Still the same 😞
I tried also to connect to 445 with telnet, only possible to controller 2
OMG, you are my hero! Thank you so much.
Checking the DNS settings and this setting to automatically set the DNS entries was the trick I needed.
I learned now that my manual entries pointed to the wrong IPs (e0M) and the automatic creation used e0a.
(for whatever reason the one wrong IP had worked)
Thanks again to all of you for the perfect support for a newbie like me 🙄
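The fix in this thread came down to DNS records that pointed at the e0M address instead of the e0a address. As an added example, not part of any post above, this Python check resolves a controller name, probes TCP 445 on each returned address, and flags records that do not match the data-interface IPs you supply. The hostname and addresses are constructed placeholders, and `diagnose` and its helpers are hypothetical names.

```python
import socket

SMB_PORT = 445  # TCP port the thread tests with telnet

def resolve_ipv4(hostname):
    """Return the sorted IPv4 addresses DNS gives for hostname (empty on failure)."""
    try:
        infos = socket.getaddrinfo(hostname, SMB_PORT, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def port_open(ip, port=SMB_PORT, timeout=3.0):
    """True if a TCP connection to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(hostname, data_ips, resolve=resolve_ipv4, probe=port_open):
    """Compare what DNS returns for a controller with its data-interface IPs.

    data_ips: addresses of the interface that serves CIFS (e0a in the thread).
    Returns a list of (ip, source, reachable, verdict) tuples.
    """
    dns_ips = resolve(hostname)
    rows = []
    for ip in dns_ips:
        ok = probe(ip)
        if ip in data_ips:
            verdict = "ok" if ok else "data IP in DNS but 445 closed: check CIFS service"
        else:
            verdict = ("DNS points at a non-data IP that answers 445" if ok
                       else "DNS points at a non-data IP (e.g. management port): fix record")
        rows.append((ip, "dns", ok, verdict))
    # Data addresses that DNS never returned: the record is missing or wrong.
    for ip in sorted(set(data_ips) - set(dns_ips)):
        ok = probe(ip)
        rows.append((ip, "expected", ok,
                     "data IP missing from DNS" + ("" if ok else " and 445 closed")))
    return rows

if __name__ == "__main__":
    # Constructed sample: hostname and address are placeholders, not from the thread.
    for row in diagnose("controller1.example.test", ["192.0.2.10"]):
        print(row)
```

Pass the address of the interface that should serve CIFS as `data_ips`; a row with source `dns` and a non-data verdict is the situation the original poster found.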