Solved: Altavault Having issues accessing CIFS/SMB

Chiatan · ‎2018-01-16

Hello All,

Need a bit of help, we have recently installed AltaVault (4.4), we are having issues accesing CIFS shares, here are errors we are seeing.

an 16 14:12:28 localhost smbd[4484]: [function/auth.WARN] (5003) [UserLogin] oem_auth_handover: Unsupported NTLMv1 authentication (user attempting login:chaitanc)
Jan 16 14:12:28 localhost smbd[4484]: [function/auth.INFO] (5003) [UserLogin] oem_auth_handover: NTLMv2 user (mfladm-chaitanc) login status 0xc0000022
Jan 16 14:12:28 localhost smbd[4484]: [handler/base.INFO] (18464) NetBiosTransport [0x19865e0] getBytes: sockFD: 21 errno: 104
Jan 16 14:12:28 localhost smbd[4484]: [handler/base.INFO] (18464) NetBiosTransport [0x19865e0] terminate: sockFD: 21
Jan 16 14:12:28 localhost smbd[4484]: [object/connection.INFO] (18464) Connection [0x19d4000] receiveWorker: connection terminated. status: 0xc000020d
Jan 16 14:12:28 localhost smbd[4484]: [object/connection.INFO] (18464) Connection [0x19d4000] receiveWorker: start termination
Jan 16 14:12:28 localhost smbd[4484]: [object/connection.INFO] (18465) Connection [0x19d4000] sendWorker: terminated
Jan 16 14:12:28 localhost smbd[4484]: [object/connection.INFO] (18464) Connection [0x19d4000] receiveWorker: terminated
Jan 16 14:12:33 localhost statsd[5803]: event_pending: event has no event_base set.

I have followed this, but no help..

How to ensure Kerberos connections to AltaVault data interfaces

Document ID HO1008 Description

How to accomplish Kerberos-based connections to AltaVault data interfaces.

It is often found that AltaVault is joined to a domain using the management interface and that creates a DNS entry for the management interface.
While backup applications can still connect to the data interfaces, close observation shows that this connection to data interfaces is using the NTLM protocol.

In some situations, connections over NTLM are considered undesirable
Example:

FIPS mode prohibits the use of NTLM including NTLMv2
Some customers may have deployed a domain policy that prohibits NTLM.
Network Security: Restrict NTLM: NTLM authentication in this domain provides some details of how this is accomplished.

Assume the management interface is used to domain join. This creates a DNS entry for the management interface.
To enable Kerberos, for EACH data interface:

You MUST manually add a DNS entry (for each data interface)
You MUST manually add an SPN (for each data interface)
You MUST manually flush the SMB client cache (reboot the Windows client(s) or logoff and logon (from the Windows client(s))

Anyone had similar problem ?

Thanks

Chaitan

chriswong · ‎2018-01-17

Hi,

When you map the share, you should be using the FQDN of the share and AVA interface. For example, if I've set the share called share1, and an interface e0a to an IP address 10.20.30.40, then you should have a corresponding DNS entry like AVA_e0a mapping to 10.20.30.40. Then, when you map a drive in Windows Explorer, you can use the path \\AVA_e0a\share1. NTLM only occurs if you're unable to use kerberos, such as when calling a share by IP and not DNS name.

Does that help?

Regards,

Chris

View solution in original post

chriswong · ‎2018-01-17

Hi,