- ONTAP 9.2+
- CIFS clients fail to authenticate to the CIFS server
- EMS errors (secd.cifsAuth.problem) report:
12/31/2018 14:12:31 cluster-01 ERROR secd.cifsAuth.problem: vserver (vserver) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.11.22.33
[ 2 ms] Error accepting security context for Vserver identifier (8). Decrypt integrity check failed (KRB5KRB_AP_ERR_BAD_INTEGRITY).
**[ 4] FAILURE: CIFS authentication failed
- Manual or Scheduled CIFS password reset
- Run the following command to check the last time the password was reset for the Vserver:
cluster::> cifs domain password schedule show -vserver <vserver>
Schedule Enabled: true <<<< Whether or not scheduled password reset is enabled
Schedule Interval: 4 week(s)
Schedule Randomized Within: 120 minute(s)
Last Changed At: Mon Dec 31 15:23:41 2018 <<<< Last time password was changed either manually or via scheduled reset
- A change in ONTAP 9.2+ causes Session Setup requests to receive a different response when the Kerberos ticket is no longer valid due to a password reset.
- Prior to 9.2, clients would receive KRB_APP_ERR_MODIFIED, which would cause them to refresh their Kerberos ticket for the CIFS server.
- After 9.2, clients will receive either Unknown (0xC0000466) or STATUS_UNSUCCESSFUL as a response.
- This response does not cause the client to refresh its Kerberos ticket.
- This will cause the client to repeatedly fail authentication until the Kerberos ticket is purged, either via "klist purge", a client reboot, or waiting for the Kerberos ticket timeout (default 10 hours).
Currently, this behavior is being investigated via ONTAP bug 1206384.
- Reboot OR run a 'klist purge' from the client machine to remove the stale Kerberos ticket
- Wait for clients to refresh their Kerberos tickets. By default, this should be within a 10-hour timeframe
- Access the CIFS server via IP to avoid use of Kerberos and force NTLM authentication
Note: Disable scheduled password resets.
Note: Avoid using the 'cifs password-reset -vserver' command.
Subscribe to bug 1206384 for more information as it becomes available.
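
One way to use the "Last Changed At" value together with the EMS events shown above, as an added Python example (not NetApp code): it lists the client IPs whose KRB5KRB_AP_ERR_BAD_INTEGRITY failures fall within the 10-hour ticket lifetime after the password reset, which are the clients that need a ticket purge. The sample input is constructed, the vserver name vs1 and the function names are hypothetical, and it assumes both timestamps are in the same time zone.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

TICKET_LIFETIME = timedelta(hours=10)  # default ticket timeout stated in this article
# Constructed sample data in the formats shown above (not real cluster output).
SCHEDULE_OUTPUT = """\
Schedule Enabled: true
Schedule Interval: 4 week(s)
Schedule Randomized Within: 120 minute(s)
Last Changed At: Mon Dec 31 15:23:41 2018
"""
_HDR = "{} cluster-01 ERROR secd.cifsAuth.problem: vserver (vs1) General CIFS authentication problem. Error: User authentication procedure failed"
_KRB = "[ 2 ms] Error accepting security context for Vserver identifier (8). Decrypt integrity check failed (KRB5KRB_AP_ERR_BAD_INTEGRITY)."
_EVENTS = [("12/31/2018 14:12:31", "10.11.22.30"),  # before the reset
           ("12/31/2018 16:02:10", "10.11.22.33"),  # inside the 10-hour window
           ("12/31/2018 16:05:44", "10.11.22.33"),  # same client retrying
           ("01/01/2019 02:00:00", "10.11.22.34")]  # after the window closed
EMS_LOG = "\n".join(f"{_HDR.format(ts)}\nCIFS SMB2 Share mapping - Client Ip = {ip}\n{_KRB}"
                    for ts, ip in _EVENTS)

EVENT_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \S+ ERROR secd\.cifsAuth\.problem")
CLIENT_RE = re.compile(r"Client Ip = (\S+)")

def parse_last_changed(schedule_text):
    """Return the 'Last Changed At' timestamp, ignoring any trailing annotation."""
    m = re.search(r"^Last Changed At:\s*(\w{3} \w{3} +\d+ \d{2}:\d{2}:\d{2} \d{4})", schedule_text, re.M)
    if not m:
        raise ValueError("no 'Last Changed At' line found")
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")

def stale_ticket_clients(schedule_text, ems_text):
    """Count BAD_INTEGRITY failures per client IP within 10 h after the reset."""
    reset = parse_last_changed(schedule_text)  # assumed same time zone as EMS
    hits, when, ip = Counter(), None, None
    for line in ems_text.splitlines():
        if (m := EVENT_RE.match(line)):        # new EMS event: remember its time
            when, ip = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S"), None
        elif (m := CLIENT_RE.search(line)):    # client address for this event
            ip = m.group(1)
        elif "KRB5KRB_AP_ERR_BAD_INTEGRITY" in line and when and ip:
            if reset <= when <= reset + TICKET_LIFETIME:
                hits[ip] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, n in stale_ticket_clients(SCHEDULE_OUTPUT, EMS_LOG).items():
        print(f"{ip}: {n} failure(s) after reset; purge the ticket on this client")
```

Failures that fall outside the window (before the reset, or more than 10 hours after it) are left out on purpose, since a stale ticket from this reset does not explain them.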