NetApp Knowledge Base

CIFS client access fails on ONTAP 9.2+ after CIFS password reset

Category:
ontap-9
Specialty:
nas
Applies to

  • ONTAP 9.2
  • CIFS

Issue

  • CIFS clients fail to authenticate to the CIFS server
  • EMS errors (secd.cifsAuth.problem) report "KRB5KRB_AP_ERR_BAD_INTEGRITY"

12/31/2018 14:12:31 cluster-01      ERROR         secd.cifsAuth.problem: vserver (vserver) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.11.22.33
  [  2 ms] Error accepting security context for Vserver identifier (8). Decrypt integrity check failed (KRB5KRB_AP_ERR_BAD_INTEGRITY).
**[     4] FAILURE: CIFS authentication failed

  • Manual or Scheduled CIFS password reset
    • Run the following command to check the last time the password was reset for the Vserver:

cluster::> vserver cifs domain password schedule show -vserver <vserver>

          Schedule Enabled: true <<<< Whether or not scheduled password reset is enabled
         Schedule Interval: 4   week(s)
Schedule Randomized Within: 120 minute(s)
                  Schedule: Sun@01:00
           Last Changed At: Mon Dec 31 15:23:41 2018 <<<< Last time password was changed either manually or via scheduled reset

Cause

  • A change in ONTAP 9.2+ causes Session Setup Requests to receive a different response when the Kerberos ticket is no longer valid due to a password reset.
  • Prior to 9.2, clients would receive KRB_AP_ERR_MODIFIED, which would cause them to refresh their Kerberos ticket for the CIFS server.
  • In unfixed releases of 9.2 and later, clients will receive either STATUS_SERVER_UNAVAILABLE (0xC0000466) or STATUS_UNSUCCESSFUL (0xC0000001) as a response.
  • This response does not cause the client to refresh its Kerberos ticket.
  • This will cause the client to repeatedly fail authentication until the Kerberos ticket is purged either via "klist purge", a client reboot, or waiting for the Kerberos ticket timeout (default 10 hours).
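To triage this at scale, the following added example (not NetApp's code) correlates the secd.cifsAuth.problem EMS events with the "Last Changed At" timestamp from the password schedule output: clients whose KRB5KRB_AP_ERR_BAD_INTEGRITY failures start after the reset and fall inside the default 10-hour ticket lifetime are the ones still presenting a pre-reset ticket. The EMS lines and schedule output are constructed samples, and the SVM name svm1 and the client IPs are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample EMS output: three secd.cifsAuth.problem events for one SVM.
EMS_SAMPLE = """\
12/31/2018 14:12:31 cluster-01 ERROR secd.cifsAuth.problem: vserver (svm1) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.11.22.33
  [  2 ms] Error accepting security context for Vserver identifier (8). Decrypt integrity check failed (KRB5KRB_AP_ERR_BAD_INTEGRITY).
12/31/2018 16:40:05 cluster-01 ERROR secd.cifsAuth.problem: vserver (svm1) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.11.22.50
  [  2 ms] Error accepting security context for Vserver identifier (8). Decrypt integrity check failed (KRB5KRB_AP_ERR_BAD_INTEGRITY).
12/31/2018 16:41:09 cluster-01 ERROR secd.cifsAuth.problem: vserver (svm1) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.11.22.77
  [  3 ms] Error accepting security context for Vserver identifier (8). Clock skew too great (KRB5KRB_AP_ERR_SKEW).
"""
# Constructed 'vserver cifs domain password schedule show' output (only the line we need).
SCHEDULE_SAMPLE = "           Last Changed At: Mon Dec 31 15:23:41 2018\n"

EVENT_START = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) \S+\s+ERROR\s+secd\.cifsAuth\.problem: vserver \((\S+)\)")
CLIENT_IP = re.compile(r"Client Ip = (\S+)")
KRB_ERROR = re.compile(r"\((KRB5KRB_[A-Z_]+)\)")

def parse_ems(text):
    """Group the multi-line secd events; continuation lines enrich the last event seen."""
    events = []
    for line in text.splitlines():
        if start := EVENT_START.match(line):
            events.append({"time": datetime.strptime(start.group(1), "%m/%d/%Y %H:%M:%S"),
                           "vserver": start.group(2), "client": None, "krb_error": None})
        elif events and (hit := CLIENT_IP.search(line)):
            events[-1]["client"] = hit.group(1)
        elif events and (hit := KRB_ERROR.search(line)):
            events[-1]["krb_error"] = hit.group(1)
    return events

def parse_last_changed(text):
    """Read 'Last Changed At' (asctime-style) from the password schedule output."""
    hit = re.search(r"Last Changed At:\s+(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})", text)
    return datetime.strptime(hit.group(1), "%a %b %d %H:%M:%S %Y")

def stale_ticket_suspects(events, last_changed, ticket_lifetime=timedelta(hours=10)):
    """Clients failing with BAD_INTEGRITY after the reset, inside the default 10-hour ticket lifetime."""
    window_end = last_changed + ticket_lifetime
    return sorted({e["client"] for e in events
                   if e["krb_error"] == "KRB5KRB_AP_ERR_BAD_INTEGRITY"
                   and last_changed <= e["time"] <= window_end})
```

Clients the function returns are the ones to purge with klist purge (or reboot); a BAD_INTEGRITY event logged before the reset, or a different Kerberos error, points at another cause and is left out.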

Solution

  • Upgrade to a fixed release for Bug 1206384
  • Workarounds
  1. On the impacted client, reboot, log off, or run klist purge to remove the stale Kerberos ticket
  2. Wait for clients to refresh their Kerberos tickets. By default, this should be within a 10-hour timeframe
  3. Access the CIFS server via IP Address to avoid use of Kerberos and force NTLM authentication
  • Until an upgrade can be performed:
    • Disable scheduled password resets
    • Avoid using the 'vserver cifs password-reset -vserver <SVM_NAME>' command.
