CIFS authentication security level

SVHO

Hello,

Our security team wants to turn off NTLM on our NetApp NAS. From reading the KB below and verifying, our setting is set at the default, which accepts everything listed in the article. We want to allow NTLMv2 and Kerberos. My question is: by changing the setting, does it disconnect all current connections that are not reflective of the new security level? Do I have to stop the SVM to disconnect all connections?

I just want to make sure the security team no longer sees any logs pertaining to NTLM.

Example: Device1 connected on NTLM. Once the new security level is updated, does that connection get disconnected?

https://library.netapp.com/ecmdocs/ECMP1610207/html/GUID-861C90E9-A8B2-405C-9020-0C38679BD72B.html

We are on 9.3p18

Thanks,

TT


Ontapforrum

Only new sessions will have the latest update (i.e., the changed -lm-compatibility-level). The rest of the sessions, which are already logged in using NTLM, will continue to stay up. In order to have them negotiate the new security update, their sessions need to be closed first.

You should be able to filter those users using NTLM via this cmd:
::> vserver cifs session show -vserver <vserver> -fields session-id,auth-mechanism

You should then be able to close those session IDs. Once this is done, the next time they log in they will use the updated security (auth-mechanism).

This article may help in closing sessions for those using NTLM security.
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_terminate_a_CIFS_sessions_in_ONTAP_9_for_specific_Windows_users

Ontapforrum

For filtering specific users using NTLMv1:

vserver cifs session show -vserver <vserver> -fields session-id,auth-mechanism -auth-mechanism NTLMv1
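
Added example, not from the thread or from NetApp: the audit step described in the two replies above, done in Python over saved `vserver cifs session show` output, listing sessions outside the allowed mechanisms and rendering close commands for review. The sample output and its column layout are constructed assumptions, the function names are hypothetical, and `vserver cifs session close` with `-node`, `-vserver` and `-session-id` is the ONTAP command assumed for ending a session.

```python
import re
from collections import Counter

# Constructed sample of `vserver cifs session show -fields session-id,auth-mechanism`
# output; the column layout is an assumption, so columns are located by header name.
SAMPLE = """\
node       vserver session-id connection-id auth-mechanism
---------- ------- ---------- ------------- --------------
cluster-01 svm1    1          127834        NTLMv1
cluster-01 svm1    2          127835        Kerberos
cluster-02 svm1    7          998213        NTLMv2
cluster-02 svm1    9          998220        NTLMv1
4 entries were displayed.
"""

ALLOWED = {"ntlmv2", "kerberos"}  # target policy from the thread: NTLMv2 and Kerberos


def parse_sessions(text):
    """Return one dict per session row, keyed by the header's column names."""
    lines = [l for l in text.splitlines() if l.strip()]
    # The header is the line directly above the row of dashes.
    sep = next(i for i, l in enumerate(lines) if re.fullmatch(r"[-\s]+", l))
    cols = lines[sep - 1].split()
    rows = []
    for line in lines[sep + 1:]:
        cells = line.split()
        # Skip footers such as "4 entries were displayed." and malformed rows.
        if len(cells) != len(cols) or not cells[cols.index("session-id")].isdigit():
            continue
        rows.append(dict(zip(cols, cells)))
    return rows


def non_compliant(rows, allowed=ALLOWED):
    """Sessions whose auth-mechanism is outside the allowed set (case-insensitive)."""
    return [r for r in rows if r["auth-mechanism"].lower() not in allowed]


def close_commands(rows):
    """Render session-close lines (assumed command) for an operator to review and run."""
    return [f"vserver cifs session close -node {r['node']} "
            f"-vserver {r['vserver']} -session-id {r['session-id']}" for r in rows]


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE)
    print(Counter(r["auth-mechanism"] for r in sessions))
    print("\n".join(close_commands(non_compliant(sessions))))
```

Running the same check again after the sessions are closed shows whether any client reconnected with a mechanism outside the allowed set.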

SVHO

Thank you for the response. Let's say if I stop the SVM service, would that also terminate the sessions?

Ontapforrum

Stopping SVM Service will stop data access on this SVM through all allowed protocols. Instead you can just stop the CIFS server and restart it. Of course, this means all the sessions currently active will drop off. However, when they reconnect they will be using the new auth-mechanism.

SVHO

Thank you so much! I probably will terminate the sessions after the security update since we have less than 10 connections with NTLMv1.

TT

harikapabba

Hi,

Can someone please guide me on how to set both the authentication methods (NTLMv2 & Kerberos) on CIFS? Any command reference is appreciated for ONTAP cluster.

NetApp Release 9.1P14
