ONTAP Discussions

Having some trouble with Ontap 9 SMB configuration

Sycraft
5,755 Views

We have a FAS that is showing up on the support site as having an SMB signing issue. It says "Clustered Data ONTAP has been determined to have a version or configuration exposed to a vulnerability when SMB signing is disabled. NTAP-20160412-0001."

 

The suggested remediation is simple: Turn on signing, and they give you the command:

 

"vserver cifs security modify -vserverme -is-signing-required true".

 

No problem, our Vserver that does CIFS has had it enabled since we created it. However the one it is mad about is another Vserver that doesn't do CIFS, just NFS. It is joined to our active directory, but CIFS is not enabled on it. I tried to enable signing anyhow because it isn't like it would hurt but then it says:

 

"Error: command failed: This operation is not supported for the Active Directory server created using the "vserver active-directory create" command."

 

So what do I need to do to clear the error? I know it isn't a big deal, but we prefer to have the system in a configuration where there aren't any alerts, keeps the security auditors happy.

1 ACCEPTED SOLUTION

kryan
5,654 Views

Hi - I have alerted the team that manages those AIQ advisory rules so that they can take the necessary corrective action.

View solution in original post

4 REPLIES 4

paul_stejskal
5,665 Views

You can provide feedback on the AIQ site. That may be an error. Another option would be to update to a version of ONTAP where the issue is fixed. That is from 2016 so that tells me you're on Clustered Data ONTAP 8. I would upgrade to ONTAP 9 if you're not already.

 

If you are on 9.x, then it is a false positive and really needs to be fixed. Either way it would be good to contact the Support site folks (by pushing feedback). It may take a day but they will open a ticket and get back with you. I do this from time to time even as a NetApp employee, and get good traction.

 

kryan
5,655 Views

Hi - I have alerted the team that manages those AIQ advisory rules so that they can take the necessary corrective action.

Sycraft
5,650 Views

Thanks, and yes, this until is running OnTAP 9.7P8 so it is almost completely current (I've not yet had time to research and do the 9.8 update).

kryan
5,647 Views

If you PM me the system serial or name I'll share it with the team as well. 

Public