Community maintenance is complete. Thank you for your patience!

ONTAP Discussions

CIFS Port 445 not open


We realized that we are not able to connect to one of the the 2 Controllers with a Windows Client on a FAS2240-2 / NetApp Release 8.2.5P3 7-Mode . Checking the connection via port 445 showed that 445 on controller one is not open, even if the CIFS configuration was performed with success.

Is there a way to check open Ports and also a way to open them if needed ?


The whole point of Dynamic DNS is so you do not have to manually enter the DNS records. Review the sections on pages 67-70 (Dynamic DNS) here: Also, have you verified the SPNs? SetSPN -l cifshost SetSPN -l cifshost.fqdn nslookup cifshost nslookup cifshost.fqdn You should see the info required.

View solution in original post



Try upgrading to 8.2.5p5 first


Be sure to read an the bugs fixed in p5



Unfortunately I couldn't find a way to copy the file to the NetApp, Share on C$, SFTP and http didn't work for me...

For the second Controller I am ready, but I would like to wait with the update until both are ready.

Is there another way to get the OnTap file to the place it should be for the update ?

Can also copy between the controllers with NDMPcopy, SnapMirror/snapvault or by taking the SD card out (in some models).
Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK


I was able to copy it with http, now it's time to make the update, hope it works out


Upgrade successful, but I am still not able to connect to Controller 1, Controller 2 has a connection, but now I have this error:

[storename:krb.kt.princ.notfound.cred:warning]: Kerberos: Did not find principal HOST/storename@DOMAIN in keytab. This is a CIFS problem.

I am not able to open the C$ share with any combination of credentials.

The mentioned solution here also didn't work -->


It can be a wrong SPN, duplicate machine account name, or the machine account has been deleted.

How to set the correct SPN for a storage controller



You can always  delete the old machine account manually from your AD before reconfiguring CIFS.

>cifs terminate
>cifs setup



I am now back to where I was before the update, controller 1 does not work, access to controller 2 now works again after setting the following options:
options cifs.smb2.client.enable
options cifs.netlogon.secure_channel.enable
However, it only works via IP, and not with the hostname for controller 2.


I stopped counting, but after the last cifs setup I am again able to connect with hostname. But still not able to connect to controller 1.


I suspect if you have gone this far:

  1. Stop CIFS again
  2. CLEAN OUT DNS -> remove all records for the IPs and the Hostname. 
    1. Thoroughly! Check again
  3. Verify/Create the reverse lookup zone (if not created)
  4. Maybe try to enable Dynamic DNS
    1. options dns.update.enable on|off|secure
      1. In newer environments, I find secure needs to be enabled
  5. Redo the CIFS setup
  6. Follow the earlier link to verify and update the SPNs also.


Done the following:
1. Set options dns.update.enable secure on both controllers
2. Stopped cifs
3. Removed DNS entries (AAA record and reverse)
4. Removed Computer object from AD
5. Done cifs setup again
6. Recreated both DNS entries

7. Computer object there

Still the same 😞

I tried also to connect to 445 with telnet, only possible to controller 2

The whole point of Dynamic DNS is so you do not have to manually enter the DNS records. Review the sections on pages 67-70 (Dynamic DNS) here: Also, have you verified the SPNs? SetSPN -l cifshost SetSPN -l cifshost.fqdn nslookup cifshost nslookup cifshost.fqdn You should see the info required.

View solution in original post


OMG, you are my hero! Thank you so much.

Checking the DNS settings and this setting to automatically set the DNS entries was the trick I needed.

I learned now that my manual entries pointed to the wrong IP's (e0M) and the automatic creation used e0a.

(for whatever reason the one wrong IP had worked)

Thanks again to all of you for the perfect support for a newbie like me 🙄


Dumb question, but is options cifs.enabled and cifs.smb2.enabled true?




options cifs has this output: (can't find the two options you mentioned)
cifs.AD.retry_delay 15
cifs.LMCompatibilityLevel 1
cifs.W2K_password_change off
cifs.W2K_password_change_interval 4w
cifs.W2K_password_change_within 1h
cifs.audit.account_mgmt_events.enable off
cifs.audit.autosave.file.extension.nanosecond_precision off
cifs.audit.autosave.file.limit 0
cifs.audit.autosave.onsize.enable off
cifs.audit.autosave.onsize.threshold 75%
cifs.audit.autosave.ontime.enable off
cifs.audit.autosave.ontime.interval 1d
cifs.audit.enable off
cifs.audit.file_access_events.enable on
cifs.audit.liveview.enable off
cifs.audit.logon_events.enable on
cifs.audit.logsize 1048576
cifs.audit.nfs.enable off
cifs.audit.saveas /etc/log/adtlog.evt
cifs.bypass_traverse_checking on
cifs.client.dup-detection ip-address
cifs.comment Comment
cifs.enable_share_browsing on
cifs.gpo.enable off
cifs.gpo.trace.enable off
cifs.grant_implicit_exe_perms off
cifs.home_dir.generic_share_access_level 1
cifs.home_dir.generic_share_access_warn on
cifs.home_dirs_public_for_admin on
cifs.idle_timeout 1800
cifs.ipv6.enable off
cifs.max_mpx 253
cifs.ms_snapshot_mode xp
cifs.netbios_over_tcp.enable on
cifs.nfs_root_ignore_acl off
cifs.oplocks.enable on
cifs.oplocks.opendelta 0
cifs.per_client_stats.enable off
cifs.perm_check_ro_del_ok off
cifs.perm_check_use_gid on
cifs.preserve_unix_security off
cifs.restrict_anonymous 0
cifs.restrict_anonymous.enable off
cifs.save_case on
cifs.show_dotfiles on
cifs.show_snapshot off
cifs.shutdown_msg_level 2
cifs.sidcache.enable on
cifs.sidcache.lifetime 1440
cifs.signing.enable off
cifs.smb2.enable on
cifs.smb2.signing.max_threads 3
cifs.smb2.signing.multiprocessing default
cifs.smb2.signing.required off
cifs.smb2_1.branch_cache.enable off
cifs.smb2_1.branch_cache.hash_time_out 3600 (value might be overwritten in takeover)
cifs.smbx_signing_required off
cifs.snapshot_file_folding.enable off
cifs.symlinks.cycleguard on
cifs.symlinks.enable on
cifs.trace_dc_connection off
cifs.trace_login off
cifs.universal_nested_groups.enable on
cifs.widelink.ttl 10m

NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

NetApp Insights to Action
I2A Banner