ONTAP Discussions

Hyper-V over SMB

NetApP_3260

I am planning to build NetApp in a Hyper-V over SMB configuration.

 

The documentation states that both Kerberos and NTLMv2 authentication must be allowed, and that NTLMv2 authentication will be used in the remote VSS process.

 

If we are not using a VSS-linked backup solution, will NTLMv2 authentication be used?

 

The ONTAP version is not CVE-2022-38023 compliant. Is there a need to upgrade the version?


Ontapforrum

It's a good question and I get your point.

 

I think I read somewhere that - "ONTAP does not advertise the Kerberos service for Remote VSS; therefore, the domain should be set to allow ntlmv2."

 

So, you just want to run the Hyper-V VMs on a file share (SMB 3.0) and without protection for VSS-aware applications?

 

Regarding - CVE-2022-38023:
If yours is a purely Kerberos-authenticated environment, this advisory will have no impact. But for your Hyper-V environment, because ONTAP does not advertise the Kerberos service for Remote VSS, it needs to be enabled. And if you enable this service, then you must comply with the patched ONTAP version; otherwise, the domain (with RequireSeal:2 set) will reject it.

 

Does CVE-2022-38023 have any impact to ONTAP 9?
https://kb.netapp.com/onprem/ontap/da/NAS/Does_CVE-2022-38023_have_any_impact_to_ONTAP_9

 

I would raise a ticket with NetApp to find out how to deal with this, and if you get feedback, please do share it with us.

NetApP_3260

Thank you for your response.
Yes, just using NetApp's SMB share as a Hyper-V datastore.
There is no protection implemented in the application using VSS.
