
SVM unable to join CIFS to Windows Server 2003 AD

jeffrey24

Dear all,

I have been facing NetApp ONTAP storage VM issues joining CIFS to Windows Server 2003 AD.

I am on NetApp ONTAP 9.14.

I understand that Windows Server 2003 cannot support AES and can only support SMB1 authentication. Therefore I disabled AES 128 and 256 under:

vserver cifs security modify:
-advertised-enc-types {DES,RC4}
-aes-enabled-for-netlogon-channel {false}
-encryption-required-for-dc-connections {false}
-use-ldaps-for-ad-ldap {false}
-smb2-enabled-for-dc-connections {false}
-smb1-enabled-for-dc-connections {true}

I managed to add the Windows Server 2003 DNS to my SVM. Despite trying all methods, I am still getting the error KRB5KDC_ERR_ETYPE_NOSUPP when I add my SVM CIFS to Windows Server 2003 Active Directory. I will appreciate any help on this, thanks!

With regards,

Jeff

3 REPLIES

CristianoRossi

Usually in this kind of problem, secd.log can provide more information on what is going on.

Not sure there is a way to have it working.

liu

AES is not enabled on the Vserver CIFS authentication error: KRB5KDC_ERR_ETYPE_NOSUPP - NetApp Knowledge Base

Check the Windows/UNIX KDC configuration. If the error is noticed during the filer CIFS setup, then the machine account for the server name specified is inconsistent and it needs to be reset at the Windows KDC.

Kerberos EMS error descriptions - NetApp Knowledge Base

jeffrey24

Thanks for getting back, liu. However, AES isn't supported in Windows Server 2003, which is why I disabled it.

As NetApp ONTAP only supports DES, I have configured “SupportedEncType” to 3 in the Windows Registry to support DES-CBC-MD5 and DES-CBC-CRC.

I’ve checked secd.log and the Windows event logs and found that DES encryption is successfully reflected during the NetApp SVM CIFS attempt to join Windows Server 2003. I am also unable to join my NetApp ONTAP network LIFs to Windows Server 2003 Active Directory.

In the secd.log, I found the message “master kdc tgs request result -1765328370 kdc has no support for encryption type”.

I’ve also configured the below settings for “CIFS Security” before attempting to join my SVM to Windows Server 2003 Directory.

-Disabled SMB Signing for incoming SMB Traffic
-Disabled Use start-TLS for AD LDAP
-Disabled AES Encryption
-LM compatibility level: ntlm-ntlmv2-krb
-Enabled SMB1 (Due to Windows Server 2003 supporting only SMB1)
-Is-aes-encryption-enabled: False
-session-security-for-ad-ldap: None
-smb1-enabled-for-dc-connections: True
-smb2-enabled-for-dc-connections: False
-referral-enabled-for-ad-ldap: False
-use-ldaps-for-ad-ldap: False
-encryption-required-for-dc-connections: False
-aes-enabled-for-netlogon-channel: False
-try-channel-binding-for-ad-ldap: False
-advertised-enc-types: DES

Are there any settings that I have missed out on or misconfigured? I have tried all possible configurations on the NetApp ONTAP and Windows Server 2003 side and it does not work.

I have tried configuring a Windows keytab and SVM realm too but it doesn't work.
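
An added example, not part of the thread and not NetApp code: a small triage helper that decodes the numeric krb5 result quoted from secd.log above and the encryption-type bitmask value 3 mentioned in the same post. Apart from the quoted message text, the sample log lines are constructed, and it is an assumption that the registry value follows the standard Windows supported-encryption-types bit layout.

```python
import re

# Base of the MIT krb5 com_err table; protocol error N is logged as BASE + N.
KRB5_TABLE_BASE = -1765328384
# Subset of RFC 4120 error numbers with their MIT krb5 names.
KRB5_ERRORS = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KRB5KDC_ERR_ETYPE_NOSUPP",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    37: "KRB5KRB_AP_ERR_SKEW",
}
# Standard Windows supported-encryption-types bits (assumed to apply here).
ENC_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
RESULT_RE = re.compile(r"request result (-?\d+)", re.IGNORECASE)

def decode_result(line):
    """Return (protocol_error_number, name) for a krb5 error in a log line, else None."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    number = int(m.group(1)) - KRB5_TABLE_BASE
    if not 0 < number < 256:  # success (0) or a code from a different error table
        return None
    return number, KRB5_ERRORS.get(number, "not in this subset")

def decode_enc_mask(mask):
    """Split an encryption-type bitmask into known names and leftover unknown bits."""
    names = [name for bit, name in sorted(ENC_BITS.items()) if mask & bit]
    return names, mask & ~sum(ENC_BITS)

def scan(lines):
    """Yield (line_number, error_number, name) for each line carrying a krb5 error."""
    for i, line in enumerate(lines, 1):
        hit = decode_result(line)
        if hit:
            yield (i, *hit)

# Constructed sample; only the second line's message text is quoted from the post.
SAMPLE_LOG = [
    "master kdc tgs request result 0",
    "master kdc tgs request result -1765328370 kdc has no support for encryption type",
    "ldap request result -1",
]
```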
