NetApp Knowledge Base

Access CIFS share with Kerberos fails due to missing spn

Category: ontap-9
Specialty: nas
Applies to

  • ONTAP 9
  • SMB/CIFS
  • smbclient
  • Windows 10

Issue

  • smbclient cannot connect to the CIFS share with Kerberos (-k); the ticket request for the name used to reach the share fails:
user@linux:~$ smbclient -k //cifsshare.cifs.lab.netapp.com/foldername
gensec_spnego_client_negTokenInit_step: gse_krb5: creating
NEG_TOKEN_INIT for cifs/cifsshare.cifs.lab.netapp.com failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
session setup failed:NT_STATUS_INVALID_PARAMETER
user@linux:~$ kvno -S cifs cifsshare.cifs.lab.netapp.com
kvno: Server not found in Kerberos database while getting credentials for cifs/cifsshare.cifs.lab.netapp.com@cifs.lab.netapp.com
  • A Windows client can access the share on SVM testsvm via the UNC path \\cifsshare.cifs.lab.netapp.com\foldername, but ONTAP reports the session as NTLMv2 authenticated instead of Kerberos:
cluster::> cifs connection show -node node-01 -vserver testsvm
Node:    Node-01
Vserver: Testsvm
Connection Session                                                Workstation
ID                     IDs                        Workstation IP     Port         LIF IP
------------           -----------------------    --------------     -----        ------------
214212346928           73442240404030430430430    192.168.0.1        55283        192.168.0.10
 
cluster::> cifs session show -node node-01 -vserver testsvm -instance
Vserver: Testsvm
Node: Node-01
Session ID: 214212346928
Connection ID: 73442240404030430430430
[...]
Authentication Mechanism: NTLMv2
[...]
  • KDC is discovered and reachable
  • DNS is correct via IP and FQDN (nslookup)
  • A SECD trace shows NTLMv2 authentication being attempted directly, with no preceding Kerberos attempt:
[kern_secd:info:10057] | [000.000.022]  debug:  Worker Thread 34507227648 processing RPC 151:secd_rpc_auth_extended with request ID:21167 which sat in the queue for 0 seconds.  { in run() at src/server/secd_rpc_server.cpp:2306 }
[kern_secd:info:10057] | [000.000.042]  debug:  Setting thread context. VServerId = 7 (name='testsvm'), Protocol = CIFS, lifId = 0  { in setThreadContext() at src/utils/secd_thread_data_manager.cpp:415 }
[kern_secd:info:10057] | [000.000.053]  debug:  Setting client info Module = 1  { in setThreadContextClientInfo() at src/utils/secd_thread_data_manager.cpp:513 }
[kern_secd:info:10057] | [000.000.060]  debug:  Setting client info Op = 0  { in setThreadContextClientInfo() at src/utils/secd_thread_data_manager.cpp:517 }
[kern_secd:info:10057] | [000.000.066]  debug:  Setting client info OpInstanceId = 197  { in setThreadContextClientInfo() at src/utils/secd_thread_data_manager.cpp:521 }
[kern_secd:info:10057] | [000.000.073]  debug:  Setting client info Client IP = xxxxxxxxxxxxx  { in setThreadContextClientInfo() at src/utils/secd_thread_data_manager.cpp:525 }
[kern_secd:info:10057] | [000.000.081]  debug:  secd_rpc_auth_extended_1_svc called with vserver = testsvm { in secd_rpc_auth_extended_1_svc() at src/authentication/secd_rpc_auth.cpp:1219 }
[kern_secd:info:10057] | [000.000.162]  info :  Login attempt by domain user 'pii_encrypt/u/xxxxxxxxxx=/pii_encrypt' using NTLMv2 style security
  • The SPN list of the SVM's machine account does not include the FQDN used to access the share (cifsshare.cifs.lab.netapp.com); only the SVM's own name is registered:

C:\> setspn -Q host/testsvm
Checking domain DC=cifs,DC=lab,DC=netapp,DC=com
CN=10-53-21-46,CN=Computers,DC=cifs,DC=lab,DC=netapp,DC=com
HOST/testsvm
HOST/testsvm.cifs.lab.netapp.com
CIFS/testsvm.cifs.lab.netapp.com
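A check for the condition above, added here as an example and not part of the KB article or of NetApp tooling: it parses the setspn -Q output shown (embedded as a constructed string) and reports whether the name a client actually types carries the same HOST/ and CIFS/ SPNs that ONTAP registered for the SVM's own name. The function names parse_setspn, spn_status and kerberos_spns_present are my own.

```python
import re

# 'setspn -Q host/testsvm' output from the article, embedded as a constructed string.
SETSPN_OUTPUT = """\
Checking domain DC=cifs,DC=lab,DC=netapp,DC=com
CN=10-53-21-46,CN=Computers,DC=cifs,DC=lab,DC=netapp,DC=com
HOST/testsvm
HOST/testsvm.cifs.lab.netapp.com
CIFS/testsvm.cifs.lab.netapp.com
"""

# An SPN line is "service/name" with no whitespace; the domain and DN lines are not.
SPN_LINE = re.compile(r"^[A-Za-z0-9_-]+/\S+$")


def parse_setspn(output: str) -> set[str]:
    """Collect the SPNs from setspn output, lower-cased (SPN matching is case-insensitive)."""
    return {line.strip().lower() for line in output.splitlines()
            if SPN_LINE.match(line.strip())}


def spn_status(access_name: str, registered: set[str]) -> dict[str, bool]:
    """For the name the client types (UNC host or smbclient target), report whether
    the HOST/ and CIFS/ SPN forms that ONTAP registers for the SVM's own name exist.
    A Kerberos client asks the KDC for cifs/<access_name>, so an alias must be
    registered on the machine account too, or the KDC answers 'Server not found'."""
    name = access_name.lower()
    return {f"{svc}/{name}": f"{svc}/{name}" in registered for svc in ("host", "cifs")}


def kerberos_spns_present(access_name: str, registered: set[str]) -> bool:
    """True only when both forms exist, mirroring what ONTAP registers for itself."""
    return all(spn_status(access_name, registered).values())


if __name__ == "__main__":
    spns = parse_setspn(SETSPN_OUTPUT)
    for name in ("testsvm.cifs.lab.netapp.com", "cifsshare.cifs.lab.netapp.com"):
        ok = kerberos_spns_present(name, spns)
        print(f"{name}: {'Kerberos possible' if ok else 'SPN missing, expect NTLMv2 fallback'}")
        for spn, present in spn_status(name, spns).items():
            print(f"  {spn}: {'registered' if present else 'MISSING'}")
```

Run it against the real output of setspn -Q on a domain-joined Windows host to confirm which access names are covered before expecting Kerberos in cifs session show.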
