ONTAP Discussions

CIFS Port 445 not open

hampe
9,026 Views

We realized that we are not able to connect to one of the the 2 Controllers with a Windows Client on a FAS2240-2 / NetApp Release 8.2.5P3 7-Mode . Checking the connection via port 445 showed that 445 on controller one is not open, even if the CIFS configuration was performed with success.

Is there a way to check open Ports and also a way to open them if needed ?

1 ACCEPTED SOLUTION

TMACMD
8,693 Views
The whole point of Dynamic DNS is so you do not have to manually enter the DNS records. Review the sections on pages 67-70 (Dynamic DNS) here: https://library.netapp.com/ecm/ecm_download_file/ECMP1368834 Also, have you verified the SPNs? SetSPN -l cifshost SetSPN -l cifshost.fqdn nslookup cifshost nslookup cifshost.fqdn You should see the info required.

View solution in original post

14 REPLIES 14

TMACMD
9,005 Views

Try upgrading to 8.2.5p5 first

 

Be sure to read an the bugs fixed in p5

 

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Microsoft_Security_Advisory%3A_CVE-2020-1472_impact_on_NetApp_appliance_running_CIFS%5CNFS_utilizing_Netlogon_servers

 

hampe
8,998 Views

Unfortunately I couldn't find a way to copy the file to the NetApp, Share on C$, SFTP and http didn't work for me...

For the second Controller I am ready, but I would like to wait with the update until both are ready.

Is there another way to get the OnTap file to the place it should be for the update ?

paul_stejskal
8,970 Views

Dumb question, but is options cifs.enabled and cifs.smb2.enabled true?

 

 

hampe
8,967 Views

options cifs has this output: (can't find the two options you mentioned)
cifs.AD.retry_delay 15
cifs.LMCompatibilityLevel 1
cifs.W2K_password_change off
cifs.W2K_password_change_interval 4w
cifs.W2K_password_change_within 1h
cifs.audit.account_mgmt_events.enable off
cifs.audit.autosave.file.extension
cifs.audit.autosave.file.extension.nanosecond_precision off
cifs.audit.autosave.file.limit 0
cifs.audit.autosave.onsize.enable off
cifs.audit.autosave.onsize.threshold 75%
cifs.audit.autosave.ontime.enable off
cifs.audit.autosave.ontime.interval 1d
cifs.audit.enable off
cifs.audit.file_access_events.enable on
cifs.audit.liveview.allowed_users
cifs.audit.liveview.enable off
cifs.audit.logon_events.enable on
cifs.audit.logsize 1048576
cifs.audit.nfs.enable off
cifs.audit.nfs.filter.filename
cifs.audit.saveas /etc/log/adtlog.evt
cifs.bypass_traverse_checking on
cifs.client.dup-detection ip-address
cifs.comment Comment
cifs.enable_share_browsing on
cifs.gpo.enable off
cifs.gpo.trace.enable off
cifs.grant_implicit_exe_perms off
cifs.guest_account
cifs.home_dir.generic_share_access_level 1
cifs.home_dir.generic_share_access_warn on
cifs.home_dir_namestyle
cifs.home_dirs_public_for_admin on
cifs.idle_timeout 1800
cifs.ipv6.enable off
cifs.max_mpx 253
cifs.ms_snapshot_mode xp
cifs.netbios_aliases
cifs.netbios_over_tcp.enable on
cifs.nfs_root_ignore_acl off
cifs.oplocks.enable on
cifs.oplocks.opendelta 0
cifs.per_client_stats.enable off
cifs.perfmon.allowed_users
cifs.perm_check_ro_del_ok off
cifs.perm_check_use_gid on
cifs.preserve_unix_security off
cifs.restrict_anonymous 0
cifs.restrict_anonymous.enable off
cifs.save_case on
cifs.scopeid
cifs.search_domains
cifs.show_dotfiles on
cifs.show_snapshot off
cifs.shutdown_msg_level 2
cifs.sidcache.enable on
cifs.sidcache.lifetime 1440
cifs.signing.enable off
cifs.smb2.enable on
cifs.smb2.signing.max_threads 3
cifs.smb2.signing.multiprocessing default
cifs.smb2.signing.required off
cifs.smb2_1.branch_cache.enable off
cifs.smb2_1.branch_cache.hash_time_out 3600 (value might be overwritten in takeover)
cifs.smbx_signing_required off
cifs.snapshot_file_folding.enable off
cifs.symlinks.cycleguard on
cifs.symlinks.enable on
cifs.trace_dc_connection off
cifs.trace_login off
cifs.universal_nested_groups.enable on
cifs.widelink.ttl 10m

GidonMarcus
8,949 Views
Can also copy between the controllers with NDMPcopy, SnapMirror/snapvault or by taking the SD card out (in some models).
Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

hampe
8,920 Views

I was able to copy it with http, now it's time to make the update, hope it works out

hampe
8,857 Views

Upgrade successful, but I am still not able to connect to Controller 1, Controller 2 has a connection, but now I have this error:

[storename:krb.kt.princ.notfound.cred:warning]: Kerberos: Did not find principal HOST/storename@DOMAIN in keytab. This is a CIFS problem.

I am not able to open the C$ share with any combination of credentials.

The mentioned solution here also didn't work --> https://matthewfugel.wordpress.com/2016/02/09/fixing-a-broken-cifsnetbios-alias/

Mjizzini
8,760 Views

It can be a wrong SPN, duplicate machine account name, or the machine account has been deleted.

How to set the correct SPN for a storage controller

 

Note:

You can always  delete the old machine account manually from your AD before reconfiguring CIFS.

>cifs terminate
>cifs setup

 

hampe
8,741 Views

I am now back to where I was before the update, controller 1 does not work, access to controller 2 now works again after setting the following options:
options cifs.smb2.client.enable
options cifs.netlogon.secure_channel.enable
However, it only works via IP, and not with the hostname for controller 2.

hampe
8,722 Views

I stopped counting, but after the last cifs setup I am again able to connect with hostname. But still not able to connect to controller 1.

TMACMD
8,718 Views

I suspect if you have gone this far:

  1. Stop CIFS again
  2. CLEAN OUT DNS -> remove all records for the IPs and the Hostname. 
    1. Thoroughly! Check again
  3. Verify/Create the reverse lookup zone (if not created)
  4. Maybe try to enable Dynamic DNS
    1. options dns.update.enable on|off|secure
      1. In newer environments, I find secure needs to be enabled
  5. Redo the CIFS setup
  6. Follow the earlier link to verify and update the SPNs also.

hampe
8,695 Views

Done the following:
1. Set options dns.update.enable secure on both controllers
2. Stopped cifs
3. Removed DNS entries (AAA record and reverse)
4. Removed Computer object from AD
5. Done cifs setup again
6. Recreated both DNS entries

7. Computer object there

Still the same 😞

I tried also to connect to 445 with telnet, only possible to controller 2

TMACMD
8,694 Views
The whole point of Dynamic DNS is so you do not have to manually enter the DNS records. Review the sections on pages 67-70 (Dynamic DNS) here: https://library.netapp.com/ecm/ecm_download_file/ECMP1368834 Also, have you verified the SPNs? SetSPN -l cifshost SetSPN -l cifshost.fqdn nslookup cifshost nslookup cifshost.fqdn You should see the info required.

hampe
8,687 Views

OMG, you are my hero! Thank you so much.

Checking the DNS settings and this setting to automatically set the DNS entries was the trick I needed.

I learned now that my manual entries pointed to the wrong IP's (e0M) and the automatic creation used e0a.

(for whatever reason the one wrong IP had worked)

Thanks again to all of you for the perfect support for a newbie like me 🙄

Public