ONTAP Discussions

Windows 2003 access CIFS share folder

DiVRa

We have some legacy software on Windows 2003 server unable to go higher.
Made a share on 2070 cluster with local user access to it and all anonymous blocked.
When Windows 10 / 2019 tries to get in - no problems. Security logs get NTLMv2 auth.
With Windows 2003, logs show guest authentication attempt that fails.

 

When I try to get in parent \\10.10.10.10\ - authentication goes as planned with local NetApp credentials.

<Data Name="TargetUserIsLocal">true</Data>

<Data Name="TargetDomainName">5NETAPP-SVMSH</Data>

<Data Name="AuthenticationPackageName">NTLM_V2</Data>

After that, on clicking a folder and entering credentials - error on "wrong password\user" and guest attempts in log.

<Data Name="IpPort">1090</Data>

<Data Name="TargetUserSid">S-1-0-0</Data>

<Data Name="TargetUserName">Guest</Data>

<Data Name="TargetDomainName">NoDomain</Data>

<Data Name="Status">0xc0000001</Data>

<Data Name="FailureReason">%%2313</Data>

<Data Name="FailureReasonString">The requested operation was unsuccessful</Data>

<Data Name="AuthenticationPackageName">NONE</Data>

<Data Name="LogonType">3</Data>

UPD:  SMBv1 is enabled
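An added example, not part of the original post: a small Python triage script that separates the two kinds of logon record quoted above, the NTLM_V2 one and the one reporting package NONE with the null SID. The `<Events>`/`<Event>`/`<EventData>` wrapping and all function names are assumptions made for illustration; only field names and values shown in the post are used.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two records quoted in the post, wrapped in
# <Event>/<EventData> elements (an assumption) so that they parse as XML.
SAMPLE = """<Events>
<Event><EventData>
<Data Name="TargetUserIsLocal">true</Data>
<Data Name="TargetDomainName">5NETAPP-SVMSH</Data>
<Data Name="AuthenticationPackageName">NTLM_V2</Data>
</EventData></Event>
<Event><EventData>
<Data Name="IpPort">1090</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">Guest</Data>
<Data Name="Status">0xc0000001</Data>
<Data Name="AuthenticationPackageName">NONE</Data>
<Data Name="LogonType">3</Data>
</EventData></Event>
</Events>"""

NULL_SID = "S-1-0-0"  # well-known Null SID, as logged in the failed attempt

def _local(tag):
    """Strip an XML namespace prefix such as '{uri}Event'."""
    return tag.rsplit("}", 1)[-1]

def parse_events(xml_text):
    """Return one {Data Name: text} dict per <Event>, namespaced or not."""
    events = []
    for ev in ET.fromstring(xml_text).iter():
        if _local(ev.tag) == "Event":
            events.append({d.get("Name"): (d.text or "").strip()
                           for d in ev.iter() if _local(d.tag) == "Data"})
    return events

def classify(fields):
    """Label a logon record by the authentication package it reports."""
    package = fields.get("AuthenticationPackageName", "").upper()
    if package in ("", "NONE") and fields.get("TargetUserSid") == NULL_SID:
        return "no-credential-logon"
    if package.startswith("NTLM"):
        return "ntlm-authenticated"
    return "other"

def no_credential_logons(xml_text):
    """Return (IpPort, Status) for records with package NONE and the null SID."""
    return [(f.get("IpPort"), f.get("Status"))
            for f in parse_events(xml_text) if classify(f) == "no-credential-logon"]

if __name__ == "__main__":
    print(no_credential_logons(SAMPLE))
```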

10 REPLIES

Re: Windows 2003 access CIFS share folder

parisi

Windows 2003 supports SMB v 1.0 only, so I'd check the cluster to see if you have SMB 1.0 enabled.

Re: Windows 2003 access CIFS share folder

DiVRa

It is enabled and checked.

 

vserver cifs options show -vserver 

                            Client Session Timeout: 900
                              Copy Offload Enabled: false
                                Default Unix Group: -
                                 Default Unix User: pcuser
                                   Guest Unix User: -
               Are Administrators mapped to 'root': true
           Is Advanced Sparse File Support Enabled: true
                  Is Fsctl File Level Trim Enabled: true
                  Direct-Copy Copy Offload Enabled: false
                           Export Policies Enabled: false
            Grant Unix Group Permissions to Others: false
                          Is Advertise DFS Enabled: true
     Is Client Duplicate Session Detection Enabled: true
               Is Client Version Reporting Enabled: true
                                    Is DAC Enabled: false
                      Is Fake Open Support Enabled: false
                         Is Hide Dot Files Enabled: false
                              Is Large MTU Enabled: false
                             Is Local Auth Enabled: true
                 Is Local Users and Groups Enabled: true
                           Is Multichannel Enabled: false
            Is NetBIOS over TCP (port 139) Enabled: true
               Is NBNS over UDP (port 137) Enabled: false
                               Is Referral Enabled: false
             Is Search Short Names Support Enabled: false
  Is Trusted Domain Enumeration And Search Enabled: true
                        Is UNIX Extensions Enabled: false
          Is Use Junction as Reparse Point Enabled: true
                               Max Multiplex Count: 255
          Max Connections per Multichannel Session: 32
                 Max LIFs per Multichannel Session: 256
              Max Same User Session Per Connection: 2500
                 Max Same Tree Connect Per Session: 5000
                      Max Opens Same File Per Tree: 1000
                          Max Watches Set Per Tree: 500
                   Is Path Component Cache Enabled: true
    NT ACLs on UNIX Security Style Volumes Enabled: true
                                  Read Grants Exec: disabled
                                  Read Only Delete: disabled
                  Reported File System Sector Size: 4096
                                Restrict Anonymous: no-restriction
                              Shadowcopy Dir Depth: 5
                                Shadowcopy Enabled: true
                                      SMB1 Enabled: true
                  Max Buffer Size for SMB1 Message: 65535
                                      SMB2 Enabled: true
                                      SMB3 Enabled: true
                                    SMB3.1 Enabled: false
            Map Null User to Windows User or Group: nodoby
                                      WINS Servers: -
         Report Widelink as Reparse Point Versions: SMB1
                              Max Credits to Grant: 128

Re: Windows 2003 access CIFS share folder

parisi

What user is "nodoby"?

 

    Map Null User to Windows User or Group: nodoby

 

I'm guessing that was a fat finger/typo.

 

This link covers configuring the NULL user for access:

 

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.cdot-famg-cifs%2FGUID-76186CB7-BFD0-4EA1-9CA5-07DC8D6A2BAF.html 

Re: Windows 2003 access CIFS share folder

DiVRa

Changed that, thanks. Still no go

 

Re: Windows 2003 access CIFS share folder

parisi

Did you also set up the name mapping rules as per the doc link?

 

What do you see in "event log show"?

Re: Windows 2003 access CIFS share folder

DiVRa

Actually no, as there's no anonymous login option. Only authenticated users.

 

Re: Windows 2003 access CIFS share folder

parisi

You may want to open up a support ticket for this, then.

Re: Windows 2003 access CIFS share folder

DiVRa

I wish I could. The system always tells me to contact a reseller instead of creating a case.

Re: Windows 2003 access CIFS share folder

ttran

Hi DiVRa,

 

As @parisi mentioned, you must create a Windows to UNIX name-mapping rule for the "nodoby" user that the NULL/Anonymous user is being mapped to. The "nodoby" Windows user must now be mapped to a UNIX user specified in ONTAP, or you can use one of the default users called "pcuser".

 

Command to create a local UNIX user:

::> vserver services name-service unix-user create -vserver vserver_name -user user_name -id integer -primary-gid integer -full-name full_name

 

Here is a reference document on creating a local Unix user:

Creating a local UNIX user 

 

Here is a KB you can follow that addresses allowing NULL user access:

How to grant access to NULL (Anonymous) user in Clustered Data ONTAP 

 

Here is a reference document for name-mapping:

Creating a name mapping 

 

More reference documentation on null user access:

How the storage system provides null session access 

 

 

Regards,

 

Team NetApp


Re: Windows 2003 access CIFS share folder

Mjizzini

How to grant access to NULL (Anonymous) user in Clustered Data ONTAP.

Make sure that you are not using a FlexGroup volume. SMB1 is not supported on it yet.
