ONTAP Discussions
At the end of October we updated our FAS8040 to ONTAP 9.2P1. Since then we get the message "secd.cifsAuth.problem: vserver (SVM_NAME) General CIFS authentication problem on all SVMs Error: User authentication procedure failed CIFS SMB2 Share mapping - Client Ip = xxx.xx.xx.xxx [3 ms ] Error accepting security context for Vserver identifier (27). Cluster and Domain Controller times differ by more than the configured clock skew (KRB5KRB_AP_ERR_SKEW). ** [6] FAILURE: CIFS authentication failed ". We have checked the times on the SVMs and the affected servers / clients, they are the same everywhere. We only use one NTP server, which is defined on each system.
Hi,
Did you log a case? If so what's the case number? Does the vserver have a route and can it connect to a DC and your NTP server?
Also have you checked the timezone on the cluster is correct? Have you checked the firewall policy on the vserver management LIFs?
Assuming you have configured and validated NTP configuration on the cluster. EG:
cluster::> cluster time-service ntp server create -server x.x.x.x -is-preferred true
cluster::> cluster time-service ntp server validate -server x.x.x.x
cluster::> cluster time-service ntp server show
What's the output of the above underlined commands?
/Matt
Hi Matt,
Did you log a case? No, no case yet.
Does the vserver have a route and can it connect to a DC and your NTP server? Yes. All concerned vservers have a route to the DC and to our NTP server.
Also have you checked the timezone on the cluster is correct? Yes, the cluster time is correct and it's the same time as on our Windows-server.
Have you checked the firewall policy on the vserver management LIFs? We have no firewall policy on the management LIFs.
Here is the desired output of the given commands:
cluster time-service ntp server validate -server xxx.xx.xxx.xxx :
"Error: "validate" is not a recognized command"
cluster time-service ntp server show
Server                         Version
------------------------------ -------
ntp.stadtdo.de                 auto
Regards,
Thorsten
Hi Thorsten,
I forgot to mention the "validate" command is only available in diag mode. EG:
cluster1::> timezone
Timezone: Australia/Sydney
cluster1::> set diag
Warning: These diagnostic commands are for use by NetApp personnel only.
Do you want to continue? {y|n}: y
cluster1::*> cluster time-service ntp server
    create delete modify reset show validate
cluster1::> cluster time-service ntp server show
Server                         Version
------------------------------ -------
ntp.testlab.local              auto
cluster1::*> cluster time-service ntp server validate -server ntp.testlab.local
Does the cluster management LIF have a firewall policy and does that firewall policy allow NTP and DNS? EG:
cluster1::*> net int show -role cluster-mgmt -fields firewall-policy
  (network interface show)
vserver  lif                firewall-policy
-------- ------------------ ---------------
cluster1 cluster1_mgmt_lif1 mgmt
cluster1::*> firewall policy show -vserver cluster1 -policy mgmt
  (system services firewall policy show)
Vserver Policy       Service    Allowed
------- ------------ ---------- -------------------
cluster1
        mgmt         dns        0.0.0.0/0
                     http       0.0.0.0/0
                     https      0.0.0.0/0
                     ndmp       0.0.0.0/0
                     ndmps      0.0.0.0/0
                     ntp        0.0.0.0/0
                     snmp       0.0.0.0/0
                     ssh        0.0.0.0/0
8 entries were displayed.
Are clients denied access when connecting to the vserver? If so what's their registry value of:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
Value: RestrictAnonymous
Value Type: REG_DWORD
Value Data: 0x1 (Hex)
It does sound like your NTP configuration is correct, therefore I'd advise the next step would be to log a case.
/Matt
Hello Matt,
Here are the results of the commands:
FAS80402::> timezone
Timezone: Europe/Berlin
FAS80402::*> cluster time-service ntp server show
                                        Is-Preferred Is-Public
Server                         Version  Server       Server Default
------------------------------ -------- ------------ --------------
ntp.stadtdo.de                 auto     true         false
FAS80402::*> cluster time-service ntp server validate -server ntp.stadtdo.de
FAS80402::*> net int show -role cluster-mgmt -fields firewall-policy
(network interface show)
vserver lif firewall-policy
-------- ------------ ---------------
FAS80402 cluster_mgmt mgmt
FAS80402::*> firewall policy show -vserver FAS80402 -policy mgmt
(system services firewall policy show)
Vserver Policy       Service    Allowed
------- ------------ ---------- -------------------
FAS80402
        mgmt         dns        0.0.0.0/0
                     http       0.0.0.0/0
                     https      0.0.0.0/0
                     ndmp       0.0.0.0/0
                     ndmps      0.0.0.0/0
                     ntp        0.0.0.0/0
                     snmp       0.0.0.0/0
                     ssh        0.0.0.0/0
8 entries were displayed.
I once searched for the entry you mentioned using regedit on one of the affected servers. Here is the result (see the attached file).
Regards,
Thorsten
Although we have no solution for the messages in our Event Log, this notice from NetApp from 27.11.2017 relates to our message:
https://kb.netapp.com/app/answers/answer_view/a_id/1005337/loc/en_US
and
https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=1041972
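Added example (not part of the thread and not NetApp code): when clocks look identical everywhere but KRB5KRB_AP_ERR_SKEW keeps appearing, it helps to tally the secd.cifsAuth.problem events by SVM and client address before opening a case. The sketch below parses lines in the format quoted in the first post; the timestamps, SVM names and client addresses in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the message quoted in the first post.
# Timestamps, SVM names and client addresses are made up for the example.
_HDR = ("secd.cifsAuth.problem: vserver ({svm}) General CIFS authentication "
        "problem Error: User authentication procedure failed CIFS SMB2 "
        "Share mapping - Client Ip = {ip} [3 ms ] ")
_SKEW = ("Error accepting security context for Vserver identifier (27). "
         "Cluster and Domain Controller times differ by more than the "
         "configured clock skew (KRB5KRB_AP_ERR_SKEW). ")
_END = "** [6] FAILURE: CIFS authentication failed"
SAMPLE_LOG = "\n".join([
    "2017-11-02T08:14:02 " + _HDR.format(svm="svm_a", ip="192.0.2.10") + _SKEW + _END,
    "2017-11-02T08:14:09 " + _HDR.format(svm="svm_b", ip="192.0.2.10") + _SKEW + _END,
    "2017-11-02T08:15:41 " + _HDR.format(svm="svm_a", ip="192.0.2.10") + _SKEW + _END,
    "2017-11-02T08:17:30 " + _HDR.format(svm="svm_a", ip="192.0.2.23") + _SKEW + _END,
    # A failure without the skew code and an unrelated event: both are ignored.
    "2017-11-02T08:18:00 " + _HDR.format(svm="svm_a", ip="192.0.2.50") + _END,
    "2017-11-02T08:19:00 example.unrelated.event: constructed line",
])

EVENT = re.compile(r"secd\.cifsAuth\.problem: vserver \((?P<svm>[^)]+)\)")
CLIENT = re.compile(r"Client Ip = (?P<ip>[0-9A-Fa-f.:]+)")
SKEW_CODE = "KRB5KRB_AP_ERR_SKEW"

def skew_failures(log_text):
    """Yield (svm, client_ip) for every CIFS auth failure caused by clock skew."""
    for line in log_text.splitlines():
        event = EVENT.search(line)
        if not event or SKEW_CODE not in line:
            continue
        client = CLIENT.search(line)
        yield event.group("svm"), client.group("ip") if client else "unknown"

def triage(log_text):
    """Count skew failures per client and per SVM."""
    pairs = list(skew_failures(log_text))
    by_client = Counter(ip for _, ip in pairs)
    by_svm = Counter(svm for svm, _ in pairs)
    # Clients seen failing against more than one SVM.
    multi_svm = sorted(ip for ip in by_client
                       if len({s for s, c in pairs if c == ip}) > 1)
    return {"total": len(pairs), "by_client": by_client,
            "by_svm": by_svm, "multi_svm_clients": multi_svm}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(report["total"], dict(report["by_client"]), report["multi_svm_clients"])
```
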