NetApp Knowledgebase

CIFS client access fails on ONTAP 9.2+ after CIFS password reset

Category: ontap-9
Specialty: cifs

Applies to

  • ONTAP 9.2 +

Issue

  • CIFS clients fail to authenticate to the CIFS server
  • EMS errors (secd.cifsAuth.problem) report "KRB5KRB_AP_ERR_BAD_INTEGRITY"

12/31/2018 14:12:31 cluster-01      ERROR         secd.cifsAuth.problem: vserver (vserver) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.11.22.33
  [  2 ms] Error accepting security context for Vserver identifier (8). Decrypt integrity check failed (KRB5KRB_AP_ERR_BAD_INTEGRITY).
**[     4] FAILURE: CIFS authentication failed

  • Manual or scheduled CIFS password reset
    • Run the following command to check the last time the password was reset for the Vserver:

cluster::> cifs domain password schedule show -vserver <vserver>

          Schedule Enabled: true <<<< Whether or not scheduled password reset is enabled
         Schedule Interval: 4   week(s)
Schedule Randomized Within: 120 minute(s)
                  Schedule: Sun@01:00
           Last Changed At: Mon Dec 31 15:23:41 2018 <<<< Last time password was changed either manually or via scheduled reset

Cause

  • A change in ONTAP 9.2+ causes Session Setup requests to receive a different response when the Kerberos ticket is no longer valid because of a password reset.
  • Prior to 9.2, clients received KRB_AP_ERR_MODIFIED, which caused them to refresh their Kerberos ticket for the CIFS server.
  • From 9.2 on, clients receive either Unknown (0xC0000466) or STATUS_UNSUCCESSFUL as the response.
  • This response does not cause the client to refresh its Kerberos ticket.
  • The client therefore fails authentication repeatedly until the Kerberos ticket is purged, either via "klist purge", a client reboot, or expiry of the ticket (default lifetime 10 hours).

Currently, this behavior is being investigated via ONTAP bug 1206384.
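
As an added example (not part of the NetApp article), the following Python parses EMS trace text in the format shown above together with the 'cifs domain password schedule show' output and, per client IP, separates KRB5KRB_AP_ERR_BAD_INTEGRITY failures that fall inside the ticket lifetime after the last password change (consistent with this cause) from failures outside that window. The sample log lines, SVM name, client IPs and timestamps are constructed here; the 10-hour default is the ticket lifetime quoted in the Cause section.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample output (not copied from the article): two EMS events and the
# matching 'cifs domain password schedule show' output for the same SVM.
EMS_LOG = """\
01/12/2019 22:10:05 cluster-01      ERROR         secd.cifsAuth.problem: vserver (svm1) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.11.22.44
  [  2 ms] Error accepting security context for Vserver identifier (8). Decrypt integrity check failed (KRB5KRB_AP_ERR_BAD_INTEGRITY).
01/13/2019 08:30:00 cluster-01      ERROR         secd.cifsAuth.problem: vserver (svm1) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.11.22.33
  [  2 ms] Error accepting security context for Vserver identifier (8). Decrypt integrity check failed (KRB5KRB_AP_ERR_BAD_INTEGRITY).
"""
SCHEDULE = """\
          Schedule Enabled: true
                  Schedule: Sun@01:00
           Last Changed At: Sun Jan 13 01:00:00 2019
"""

EVENT_RE = re.compile(r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \S+\s+ERROR\s+"
                      r"secd\.cifsAuth\.problem: vserver \(\S+\)")
CLIENT_RE = re.compile(r"Client Ip = (?P<ip>[\d.]+)")
CHANGED_RE = re.compile(r"Last Changed At:\s+(?P<when>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})")

def parse_ems(text):
    """One dict per secd.cifsAuth.problem event whose trace lines carry BAD_INTEGRITY."""
    events, cur = [], None
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:  # header line of a new EMS event
            cur = {"ts": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S"), "ip": None, "bad": False}
            events.append(cur)
        elif cur is not None:  # continuation (trace) lines of the current event
            c = CLIENT_RE.search(line)
            cur["ip"] = c["ip"] if c else cur["ip"]
            cur["bad"] |= "KRB5KRB_AP_ERR_BAD_INTEGRITY" in line
    return [e for e in events if e["bad"]]

def correlate(ems_text, schedule_output, ticket_lifetime_hours=10):
    """Per client IP: failures inside [last password change, +ticket lifetime] vs. outside."""
    changed = datetime.strptime(CHANGED_RE.search(schedule_output)["when"], "%a %b %d %H:%M:%S %Y")
    window_end = changed + timedelta(hours=ticket_lifetime_hours)
    report = defaultdict(lambda: {"after_reset": 0, "other": 0})
    for e in parse_ems(ems_text):
        bucket = "after_reset" if changed <= e["ts"] <= window_end else "other"
        report[e["ip"]][bucket] += 1
    return dict(report)
```

Failures counted under "other" predate the reset or fall past the ticket lifetime, so they point at one of the other causes of KRB5KRB_AP_ERR_BAD_INTEGRITY rather than this bug.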

Solution

Workarounds

  1. Reboot, or run 'klist purge' on the client machine, to remove the stale Kerberos ticket
  2. Wait for clients to refresh their Kerberos tickets. By default, this should be within a 10-hour timeframe
  3. Access the CIFS server via IP to avoid use of Kerberos and force NTLM authentication

Note: Disable scheduled password resets.

Note: Avoid using the 'cifs password-reset -vserver' command.

Subscribe to bug 1206384 for more information as it becomes available.

Additional Information

Related Articles (document other known reasons why KRB5KRB_AP_ERR_BAD_INTEGRITY may be seen)
