ONTAP Hardware

SVM error no netlogon servers after SMB change on both AD domain controllers

kds86
37,768 Views

In response to the recent WannaCry ransomware, I applied a change to both of our DCs (used this PS command: 

Set-SmbServerConfiguration -enableSMB1Protocol $false -confirm:$false ) in an effort to disable the vulnerable

SMB protocol. However, within minutes of making this change the NetApp sent me an urgent email stating:

 

Node: Storage-01

Severity: EMERGENCY

Message: secd.netlogon.noServers: None of the Netlogon servers configured for Vserver (SVM) are currently

accessible via the network.

 

I did not wait to see what impact this change had made on our environment, and so I immediately reversed this

changed on both DCs. 

 

I would like to know what "broke" because of this change, and then what needs to be changed on the NetApp to

make possible the disabling of the vulnerable SMB protocol on both of our DCs without it disrupting service in 

our environment.

1 ACCEPTED SOLUTION

skneo
37,689 Views

So, following the directions in the article, once I enable SMB2 on the NetApp, it will use SMB2 to communicate with the two DCs, right?

yes

 

Does enabling SMB2 on the NetApp also result in SMB1 being disabled as a protocol to use with DCs, or does it have to be explicitly disabled?

no you enable smb2 support only

 

if you show on fields after enable smb2 it is smb1-enabled-for-dc-connections = system-default and -smb2-enabled-for-dc-connections = true

 

you could but i have not try this

 

SMB2 Only

vserver cifs security modify -vserver netapp -smb1-enabled-for-dc-connections false

vserver cifs security modify -vserver netapp -smb2-enabled-for-dc-connections system-default

----

SMB1 / 2 abd 2 as default

vserver cifs security modify -vserver netapp -smb1-enabled-for-dc-connections true

vserver cifs security modify -vserver netapp -smb2-enabled-for-dc-connections system-default

 

 

Last question, given the concern with this latest ransomware and SMB1, should SMB1 as it pertains to the client connections, also be disabled on the NetApp, and if so, how?

i think netapp controllers not affected. if you sure that no old client or application need smb1 you can dissable smb1 but i think is not necessary.

View solution in original post

9 REPLIES 9

kds86
37,738 Views

Thanks for the quick and very helpful reply. I read the article and have only displayed the current settings so far. I noticed SMB1,2, 3 and 3.1 are enabled on the NetApp. Our two DCs show SMB 3.1 as the protocol they are using (in addition to SMB1 being enabled on them too), so I am wondering if the error that was generated when I disabled SMB1 on the two DCs essentially would have been informative only and not indicative of a complete break in connection with the DCs as it first appeared? Would the NetApp not have reverted to one of its other enabled SMB protocol versions to sustain its connection to the DCs? Would it not have "discovered" it could connect via SMB 3.1 and resumed normal operation with the DCs? If so, could I simply disable SMB1 on those DCs as before and simply ignore the alert from the NetApp?

skneo
37,732 Views

SMB1,2, 3 and 3.1 are enabled on the NetApp Controller for Clients Browse SMB Cifs this has nothing to do with the dc connection.

Dont mix client connections to storage for cifs services and netappcontroller as a client for dc connections.

kds86
37,722 Views

Ah, thanks for pointing out the difference.

 

So, following the directions in the article, once I enable SMB2 on the NetApp, it will use SMB2 to communicate with the two DCs, right? Does enabling SMB2 on the NetApp also result in SMB1 being disabled as a protocol to use with DCs, or does it have to be explicitly disabled?

 

Last question, given the concern with this latest ransomware and SMB1, should SMB1 as it pertains to the client connections, also be disabled on the NetApp, and if so, how?

skneo
37,690 Views

So, following the directions in the article, once I enable SMB2 on the NetApp, it will use SMB2 to communicate with the two DCs, right?

yes

 

Does enabling SMB2 on the NetApp also result in SMB1 being disabled as a protocol to use with DCs, or does it have to be explicitly disabled?

no you enable smb2 support only

 

if you show on fields after enable smb2 it is smb1-enabled-for-dc-connections = system-default and -smb2-enabled-for-dc-connections = true

 

you could but i have not try this

 

SMB2 Only

vserver cifs security modify -vserver netapp -smb1-enabled-for-dc-connections false

vserver cifs security modify -vserver netapp -smb2-enabled-for-dc-connections system-default

----

SMB1 / 2 abd 2 as default

vserver cifs security modify -vserver netapp -smb1-enabled-for-dc-connections true

vserver cifs security modify -vserver netapp -smb2-enabled-for-dc-connections system-default

 

 

Last question, given the concern with this latest ransomware and SMB1, should SMB1 as it pertains to the client connections, also be disabled on the NetApp, and if so, how?

i think netapp controllers not affected. if you sure that no old client or application need smb1 you can dissable smb1 but i think is not necessary.

MattT
37,523 Views

It looks like the questions have been answered already.  I just wanted to make you aware that there is a bit of additional info on ONTAP and SMB 1.0 that can be had at the below link as long as you have a NetApp support site login.

 

https://kb.netapp.com/support/s/article/ka61A0000008a55/Is-it-possible-to-disable-SMB-1-0-in-ONTAP

 

kds86
37,489 Views

Thanks Matt. Between this post and the latest reply to my support incident I think I have the answers I need.

 

I did try to access the link you provided but receive a message stating, "Sorry, you do not have access to NetApp's CRM (CE/PE) or Knowledge base."

I had the same problem when trying to access a link the support tech provided. In the end he simply attached a text file with the contents of the article.

 

mhpremier
30,522 Views

I know this is a little bit of an old thread, but we were seeing this problem and it turned out to be clock drift between the cluster and the domain controller. Still haven't figured out what's causing the time to randomly drift though. 

yanisjoplin
25,368 Views
Hello!

I have presented this same problem and I have also had problems with the cluster clock and the domain controller, only the cluster time is changed. Have you been able to solve this problem?
Public