ONTAP Discussions

"The network password is not correct" for cifs mount domain users in separate Windows domain

moondog-icsi
We are migrating things from Solaris ZFS and Samba 3.6 to CIFS on a NetApp with ONTAP 9.7.  One of those things is a share which is its own mount point, using mixed security (UNIX-based for access from RHEL machines).  We have it configured for NFS and CIFS.


What's happening is that we have two Windows domains, which are not allowed to have any kind of trust between them.  We create a user account in Linux and in the two domains, using the same username in all three places.  Domain1 and the UNIX-ish systems speak to each other through Domain1's Server 2012 R2 domain controllers.  Domain2's systems used to have guest/anonymous access to read and execute this share before it moved, but now users are getting "The network password is not correct" errors when group policy applies the script that's supposed to fire on every logon and logoff event.  My domain accounts work perfectly fine, because we have domain admin accounts mapped to root, but regular users are getting this password error.


I've verified that Domain1's DCs are configured using "vserver cifs domain discovered-servers show", and the two DCs in the domain are listed as "slow" and "OK" for MS-DC, and "undetermined" for MS-LDAP and KERBEROS.  I think what is happening is that the user logs on to their machine in Domain2, and the ONTAP CIFS options try to apply Domain1's user account to that username.  Since most of these users rarely, if ever, use their Domain1 user account, there should be a much greater than average chance that their usernames and passwords differ between the two domains.


So, how do I get this configured so that Domain2 users can run the logon script on the NetApp share?  I saw some KB material about null-session clients, but does that apply here?  My attempt to configure a null-session user mapping does not seem to have changed anything.  I also know there are a default UNIX group and a guest account option, neither of which is currently configured on our filer.

Mjizzini
A bidirectional trust is needed for the vserver to collect the credentials of a user from the second domain.

You can try to grant access for Anonymous.

How to grant access to NULL (Anonymous) user in Clustered Data ONTAP


moondog-icsi
Does it have to be the anonymous user?  I tried doing this with the pattern "DOMAIN\\(.+)", since they are coming from the other domain.

GidonMarcus
Sorry, I'll be short, as I just lost a two-page-long comment on this post (session timeout):


1. User mapping is not there to be used across multiple domains. It's there to facilitate Windows access to ONTAP (which is UNIX-based), and to allow mapping of a UNIX user who wishes to access a volume with NTFS permissions on it.

[image: excerpt from NetApp TR-4668 on name mapping]

(taken from: https://www.netapp.com/pdf.html?item=/media/16328-tr-4668pdf.pdf)


2. I suspect guest access would not work on Windows 10, and neither should it, as clients should only access file servers they have a trust relationship with (especially if they're running scripts from them; a good example of why is the "BadSamba" module in Metasploit).

https://techcommunity.microsoft.com/t5/itops-talk-blog/how-to-defend-users-from-interception-attacks-via-smb-client/ba-p/1494995  


The "golden path" solutions are:

A. Have a dedicated SVM for each domain, each with its own copy of the data (the script?).

B. When a user does need to access an object in a domain they're not a member of, they need to authenticate to that domain (even if the machine itself is in another domain). There is not much of a way around it (if you want actual authentication for the platform).

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK
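Following on from point 2 above, the following is an added example (mine, not posted by anyone in this thread and not NetApp's or Microsoft's code) that audits the client-side SMB settings which decide whether a Windows 10 / Server 2016+ machine would ever fall back to a guest session against a share it cannot authenticate to, such as a CIFS server in a domain it has no trust with. `Get-SmbClientConfiguration` and the `EnableInsecureGuestLogons` / `RequireSecuritySignature` properties exist in the built-in SmbShare module; the registry path is where the "Enable insecure guest logons" Group Policy setting is stored. The warning text and what counts as a finding are my reading of the Microsoft interception-attack post linked above. Run it from an elevated PowerShell prompt on the client; it only reads settings and changes nothing.

```powershell
# Added example: report whether this Windows SMB client could fall back to an
# unauthenticated (guest) session, and whether it requires SMB signing.
# Read-only. Assumes Windows 10 / Server 2016 or later with the SmbShare module.

function Get-SmbClientGuestPosture {
    [CmdletBinding()]
    param()

    # Effective client configuration as the SMB redirector currently sees it.
    $cfg = Get-SmbClientConfiguration

    # Group Policy "Computer Configuration > Administrative Templates > Network >
    # Lanman Workstation > Enable insecure guest logons" writes this value.
    # If it is absent, no policy is enforcing the setting either way.
    $policyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
    $policyValue = (Get-ItemProperty -Path $policyPath -Name AllowInsecureGuestAuth `
                        -ErrorAction SilentlyContinue).AllowInsecureGuestAuth

    [pscustomobject]@{
        InsecureGuestLogonsEnabled = [bool]$cfg.EnableInsecureGuestLogons
        GuestPolicyValue           = $(if ($null -eq $policyValue) { 'not set' } else { $policyValue })
        SigningRequired            = [bool]$cfg.RequireSecuritySignature
    }
}

$posture = Get-SmbClientGuestPosture
$posture | Format-List

if ($posture.InsecureGuestLogonsEnabled) {
    # A server that permits guest access will get an unauthenticated session from
    # this client; anything executed from such a share runs without the server
    # ever having verified who served it. This is the Windows 10 default-off case
    # the post above refers to.
    Write-Warning 'Insecure guest logons are enabled: this client will fall back to guest on servers that allow it.'
} else {
    Write-Host 'Insecure guest logons are disabled; access to servers this client cannot authenticate to will fail rather than degrade to guest.'
}

if (-not $posture.SigningRequired) {
    # Without required signing, an on-path attacker can alter SMB traffic,
    # including the contents of a logon script pulled from a share.
    Write-Warning 'SMB signing is not required on this client (Set-SmbClientConfiguration -RequireSecuritySignature $true to enforce it).'
}
```

If `InsecureGuestLogonsEnabled` reports `True`, the "network password is not correct" prompt seen by Domain2 users would be replaced by a silent guest session wherever the server allows anonymous access, which is exactly the outcome point 2 argues against; the fix on the client side is to leave guest logons disabled and solve the access problem with a trust or a per-domain SVM as in the golden-path options above.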