NetApp Knowledge Base

CIFS client access fails on ONTAP 9.2+ after CIFS password reset

Category: ontap-9
Specialty: cifs

Applies to

  • ONTAP 9.2
  • CIFS

Issue

  • CIFS clients fail to authenticate to the CIFS server
  • EMS errors (secd.cifsAuth.problem) report "KRB5KRB_AP_ERR_BAD_INTEGRITY"

12/31/2018 14:12:31 cluster-01      ERROR         secd.cifsAuth.problem: vserver (vserver) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.11.22.33
  [  2 ms] Error accepting security context for Vserver identifier (8). Decrypt integrity check failed (KRB5KRB_AP_ERR_BAD_INTEGRITY).
**[     4] FAILURE: CIFS authentication failed

  • Manual or Scheduled CIFS password reset
    • Run the following command to check the last time the password was reset for the Vserver

cluster::> vserver cifs domain password schedule show -vserver <vserver>

          Schedule Enabled: true <<<< Whether or not scheduled password reset is enabled
         Schedule Interval: 4   week(s)
Schedule Randomized Within: 120 minute(s)
                  Schedule: Sun@01:00
           Last Changed At: Mon Dec 31 15:23:41 2018 <<<< Last time password was changed either manually or via scheduled reset
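The two outputs above, the secd EMS trace and the `vserver cifs domain password schedule show` output, are what you correlate to confirm this issue: clients that keep failing with KRB5KRB_AP_ERR_BAD_INTEGRITY after the "Last Changed At" timestamp fit the stale-ticket pattern. The script below is an added example and not part of the NetApp article; it parses constructed sample copies of both outputs (the SVM name, hostnames, client IPs and timestamps are made up), groups BAD_INTEGRITY failures per client, and flags which clients were failing at or after the last password change. It assumes both timestamps are in the same time zone.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample input modelled on the EMS / secd trace lines quoted in the
# article. SVM name, cluster name, client IPs and timestamps are made up.
SAMPLE_EMS = """\
12/31/2018 14:12:31 cluster-01      ERROR         secd.cifsAuth.problem: vserver (svm1) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.11.22.60
  [  2 ms] Error accepting security context for Vserver identifier (8). Decrypt integrity check failed (KRB5KRB_AP_ERR_BAD_INTEGRITY).
**[     4] FAILURE: CIFS authentication failed
12/31/2018 15:40:12 cluster-01      ERROR         secd.cifsAuth.problem: vserver (svm1) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.11.22.33
  [  2 ms] Error accepting security context for Vserver identifier (8). Decrypt integrity check failed (KRB5KRB_AP_ERR_BAD_INTEGRITY).
**[     4] FAILURE: CIFS authentication failed
12/31/2018 15:45:30 cluster-01      ERROR         secd.cifsAuth.problem: vserver (svm1) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.11.22.33
  [  3 ms] Error accepting security context for Vserver identifier (8). Decrypt integrity check failed (KRB5KRB_AP_ERR_BAD_INTEGRITY).
**[     5] FAILURE: CIFS authentication failed
12/31/2018 15:50:00 cluster-01      ERROR         secd.cifsAuth.problem: vserver (svm1) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.11.22.50
  [  2 ms] Error accepting security context for Vserver identifier (8). Clock skew too great (KRB5KRB_AP_ERR_SKEW).
**[     4] FAILURE: CIFS authentication failed
"""

# Constructed sample of "vserver cifs domain password schedule show" output.
SAMPLE_SCHEDULE = """\
          Schedule Enabled: true
         Schedule Interval: 4   week(s)
Schedule Randomized Within: 120 minute(s)
                  Schedule: Sun@01:00
           Last Changed At: Mon Dec 31 15:23:41 2018
"""

# One EMS header line starts each secd.cifsAuth.problem event.
EMS_HEADER = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \S+\s+ERROR\s+"
    r"secd\.cifsAuth\.problem: vserver \(([^)]+)\)"
)
CLIENT_IP = re.compile(r"Client Ip = (\d+\.\d+\.\d+\.\d+)")
KRB_CODE = re.compile(r"\((KRB5KRB_[A-Z_]+)\)")
LAST_CHANGED = re.compile(r"Last Changed At:\s*(.+)")


def parse_secd_events(text: str) -> List[Dict]:
    """Split secd trace output into events: time, vserver, client IP, Kerberos code."""
    events: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        m = EMS_HEADER.match(line)
        if m:
            current = {
                "time": datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S"),
                "vserver": m.group(2),
                "client": None,
                "krb_error": None,
            }
            events.append(current)
            continue
        if current is None:
            continue  # trailing lines before the first header are ignored
        m = CLIENT_IP.search(line)
        if m:
            current["client"] = m.group(1)
        m = KRB_CODE.search(line)
        if m:
            current["krb_error"] = m.group(1)
    return events


def parse_last_password_change(text: str) -> Optional[datetime]:
    """Read the 'Last Changed At' timestamp; format whitespace tolerates ONTAP's padded day."""
    m = LAST_CHANGED.search(text)
    if not m:
        return None
    return datetime.strptime(m.group(1).strip(), "%a %b %d %H:%M:%S %Y")


def summarize_bad_integrity(ems_text: str, schedule_text: str) -> Dict[str, Dict]:
    """Per client: number of BAD_INTEGRITY failures and whether any occurred at or
    after the last CIFS password change (None if that timestamp is unavailable)."""
    last_change = parse_last_password_change(schedule_text)
    summary: Dict[str, Dict] = {}
    for ev in parse_secd_events(ems_text):
        if ev["krb_error"] != "KRB5KRB_AP_ERR_BAD_INTEGRITY" or ev["client"] is None:
            continue  # other Kerberos errors (e.g. clock skew) are a different problem
        entry = summary.setdefault(ev["client"], {"failures": 0, "after_password_change": None})
        entry["failures"] += 1
        if last_change is not None:
            entry["after_password_change"] = bool(entry["after_password_change"]) or ev["time"] >= last_change
    return summary


if __name__ == "__main__":
    for ip, info in sorted(summarize_bad_integrity(SAMPLE_EMS, SAMPLE_SCHEDULE).items()):
        print(f"{ip}: {info['failures']} BAD_INTEGRITY failure(s), after password change: {info['after_password_change']}")
```

Clients reported with `after_password_change` True and a growing failure count are the ones whose cached ticket was issued before the reset; the other Kerberos codes are deliberately left out of the summary because they indicate unrelated causes such as clock skew.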

Cause

  • A change in ONTAP 9.2+ causes Session Setup Requests to receive a different response when the client's Kerberos ticket is no longer valid because of a CIFS password reset.
  • Prior to 9.2, clients received KRB_AP_ERR_MODIFIED, which caused them to request a fresh Kerberos ticket for the CIFS server.
  • In unfixed releases of 9.2 and later, clients instead receive either STATUS_SERVER_UNAVAILABLE (0xC0000466) or STATUS_UNSUCCESSFUL (0xC0000001).
  • Neither response prompts the client to refresh its Kerberos ticket.
  • The client therefore repeatedly fails authentication until the stale ticket is purged, either via "klist purge", a client reboot, or expiry of the ticket (default lifetime 10 hours).

Solution

  • Upgrade to a fixed release for Bug 1206384
  • Workarounds:
    1. On the impacted client, reboot, log off, or run klist purge to remove the stale Kerberos ticket
    2. Wait for clients to refresh their Kerberos tickets. By default, this should be within a 10-hour timeframe
    3. Access the CIFS server via IP address to avoid use of Kerberos and force NTLM authentication
  • Until an upgrade can be performed:
    • Disable scheduled password resets
    • Avoid using the 'vserver cifs password-reset -vserver <SVM_NAME>' command.

Additional Information
