ONTAP Discussions

Windows 2003 access CIFS share folder

DiVRa
7,116 Views

We have some legacy software on Windows 2003 server unable to go higher.
Made a share on 2070 cluster with local user access to it and all anonimous blocked.
When windows 10 / 2019 tries get in - no problems. Security logs get NTLMv2 auth.
With Windows 2003, logs show guest authentication attempt that fails.

 

When I try to get in parent \\10.10.10.10\ - authentication goes as planned with local netApp credentials.

<Data Name="TargetUserIsLocal">true</Data>

<Data Name="TargetDomainName">5NETAPP-SVMSH</Data>

<Data Name="AuthenticationPackageName">NTLM_V2</Data>

After that on clicking a folder and etnering credentials - error on "wrong password\user" and guest attemts in log.

<Data Name="IpPort">1090</Data>

<Data Name="TargetUserSid">S-1-0-0</Data>

<Data Name="TargetUserName">Guest</Data>

<Data Name="TargetDomainName">NoDomain</Data>

<Data Name="Status">0xc0000001</Data>

<Data Name="FailureReason">%%2313</Data>

<Data Name="FailureReasonString">The requested operation was unsuccessful</Data>

<Data Name="AuthenticationPackageName">NONE</Data>

<Data Name="LogonType">3</Data>

UPD:  SMBv1 is enabled

12 REPLIES 12

parisi
7,106 Views

Windows 2003 supports SMB v 1.0 only, so I'd check the cluster to see if you have SMB 1.0 enabled.

DiVRa
7,101 Views

It is enabled and checked.

 

vserver cifs options show -vserver 

                            Client Session Timeout: 900
                              Copy Offload Enabled: false
                                Default Unix Group: -
                                 Default Unix User: pcuser
                                   Guest Unix User: -
               Are Administrators mapped to 'root': true
           Is Advanced Sparse File Support Enabled: true
                  Is Fsctl File Level Trim Enabled: true
                  Direct-Copy Copy Offload Enabled: false
                           Export Policies Enabled: false
            Grant Unix Group Permissions to Others: false
                          Is Advertise DFS Enabled: true
     Is Client Duplicate Session Detection Enabled: true
               Is Client Version Reporting Enabled: true
                                    Is DAC Enabled: false
                      Is Fake Open Support Enabled: false
                         Is Hide Dot Files Enabled: false
                              Is Large MTU Enabled: false
                             Is Local Auth Enabled: true
                 Is Local Users and Groups Enabled: true
                           Is Multichannel Enabled: false
            Is NetBIOS over TCP (port 139) Enabled: true
               Is NBNS over UDP (port 137) Enabled: false
                               Is Referral Enabled: false
             Is Search Short Names Support Enabled: false
  Is Trusted Domain Enumeration And Search Enabled: true
                        Is UNIX Extensions Enabled: false
          Is Use Junction as Reparse Point Enabled: true
                               Max Multiplex Count: 255
          Max Connections per Multichannel Session: 32
                 Max LIFs per Multichannel Session: 256
              Max Same User Session Per Connection: 2500
                 Max Same Tree Connect Per Session: 5000
                      Max Opens Same File Per Tree: 1000
                          Max Watches Set Per Tree: 500
                   Is Path Component Cache Enabled: true
    NT ACLs on UNIX Security Style Volumes Enabled: true
                                  Read Grants Exec: disabled
                                  Read Only Delete: disabled
                  Reported File System Sector Size: 4096
                                Restrict Anonymous: no-restriction
                              Shadowcopy Dir Depth: 5
                                Shadowcopy Enabled: true
                                      SMB1 Enabled: true
                  Max Buffer Size for SMB1 Message: 65535
                                      SMB2 Enabled: true
                                      SMB3 Enabled: true
                                    SMB3.1 Enabled: false
            Map Null User to Windows User or Group: nodoby
                                      WINS Servers: -
         Report Widelink as Reparse Point Versions: SMB1
                              Max Credits to Grant: 128

parisi
7,097 Views

What user is "nodoby"?

 

    Map Null User to Windows User or Group: nodoby

 

I'm guessing that was a fat finger/typo.

 

This link covers configuring the NULL user for access:

 

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.cdot-famg-cifs%2FGUID-76186CB7-BFD0-4EA1-9CA5-07DC8D6A2BAF.html 

DiVRa
7,091 Views

Changed that, thanks. Still no go

 

parisi
7,088 Views

Did you also set up the name mapping rules as per the doc link?

 

What do you see in "event log show"?

DiVRa
7,086 Views

Actually no, as there's no anonimous login option. Only authenticatred users.

 

parisi
7,084 Views

You may want to open up a support ticket for this, then.

DiVRa
7,079 Views

I wish I could. The system allways tells me to contact a reseller instead of creating a case.

ttran
6,923 Views

Hi DiVRa,

 

As @parisi mentioned, you must create a Windows to UNIX name-mapping rule for the "nodoby" user that the NULL/Anonymous user is being mapped. The "nodoby" Windows user must now be mapped to a UNIX user specified in ONTAP or you can use one of the default users called "pcuser". 

 

Command to create a local UNIX user:

::> vserver services name-service unix-user create -vserver vserver_name -user user_name -id integer -primary-gid integer -full-name full_name

 

Here is a reference document on creating a local Unix user:

Creating a local UNIX user 

 

Here is a KB you can follow that addresses the allowing NULL user access:

How to grant access to NULL (Anonymous) user in Clustered Data ONTAP 

 

Here is a reference document for name-mapping:

Creating a name mapping 

 

More reference documentation on null user access:

How the storage system provides null session access 

 

 

Regards,

 

Team NetApp

Team NetApp

Mjizzini
6,688 Views

How to grant access to NULL (Anonymous) user in Clustered Data ONTAP.

Make sure that you are not using flexgroup volume. SMB1 is not supported on it yet.

JeffT
2,271 Views

Just dropping a note for others who may run into this issue.  For me, using OnTap 9.1P2, using a flexgroup was the issue.  Once I created a non-flexgroup volume and shared it, my windows 2003 clients could connect.  And, yes, I realize that it is 2024 but the customer cannot or will not upgrade some items 🙁

parisi
2,270 Views
The flexgroup/non-flexgroup issue with Win 2003 is because Win 2003 only supported SMB 1.0, which FlexGroup volumes do not support.
Public