CIFS client access fails on ONTAP 9.2+ after CIFS password reset
Applies to
- ONTAP 9.2
- CIFS
Issue
- CIFS clients fail to authenticate to the CIFS server
- EMS errors (secd.cifsAuth.problem) report "KRB5KRB_AP_ERR_BAD_INTEGRITY"
12/31/2018 14:12:31 cluster-01 ERROR secd.cifsAuth.problem: vserver (vserver) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.11.22.33
[ 2 ms] Error accepting security context for Vserver identifier (8). Decrypt integrity check failed (KRB5KRB_AP_ERR_BAD_INTEGRITY).
**[ 4] FAILURE: CIFS authentication failed
- Manual or Scheduled CIFS password reset
- Run the following command to check the last time the password was reset for the Vserver
cluster::> vserver cifs domain password schedule show -vserver <vserver>
Schedule Enabled: true <<<< Whether or not scheduled password reset is enabled
Schedule Interval: 4 week(s)
Schedule Randomized Within: 120 minute(s)
Schedule: Sun@01:00
Last Changed At: Mon Dec 31 15:23:41 2018 <<<< Last time password was changed either manually or via scheduled reset
Cause
- A change in ONTAP 9.2+ causes Session Setup requests to receive a different response when the Kerberos ticket is no longer valid due to a password reset.
- Prior to 9.2, clients would receive KRB_AP_ERR_MODIFIED, which would cause them to refresh their Kerberos ticket for the CIFS server.
- In unfixed releases of 9.2 and later, clients will receive either STATUS_SERVER_UNAVAILABLE (0xC0000466) or STATUS_UNSUCCESSFUL (0xC0000001) as a response.
- This response does not cause the client to refresh its Kerberos ticket.
- This will cause the client to repeatedly fail authentication until the Kerberos ticket is purged either via "klist purge", a client reboot, or waiting for the Kerberos ticket timeout (default 10 hours).
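As an added defender-side example (not part of the original article), the following Python script correlates EMS secd.cifsAuth.problem events carrying KRB5KRB_AP_ERR_BAD_INTEGRITY with the "Last Changed At" timestamp from "vserver cifs domain password schedule show", and reports the clients whose failures fall within the default 10-hour ticket lifetime after the reset, i.e. the clients most likely still presenting a stale ticket. The EMS text and schedule output are constructed samples laid out like the excerpts above; the vserver name svm1 and client IPs are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample EMS output in the layout shown above (not a real capture).
EMS_SAMPLE = """\
12/31/2018 20:05:10 cluster-01 ERROR secd.cifsAuth.problem: vserver (svm1) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.11.22.44
[ 3 ms] Error accepting security context for Vserver identifier (8). Decrypt integrity check failed (KRB5KRB_AP_ERR_BAD_INTEGRITY).
**[ 4] FAILURE: CIFS authentication failed
01/01/2019 03:30:00 cluster-01 ERROR secd.cifsAuth.problem: vserver (svm1) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.11.22.55
[ 2 ms] Error accepting security context for Vserver identifier (8). Decrypt integrity check failed (KRB5KRB_AP_ERR_BAD_INTEGRITY).
**[ 4] FAILURE: CIFS authentication failed
"""
# Constructed sample of 'vserver cifs domain password schedule show' output.
SCHEDULE_SAMPLE = """\
Schedule Enabled: true
Last Changed At: Mon Dec 31 15:23:41 2018
"""
EMS_LINE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \S+ ERROR secd\.cifsAuth\.problem:")
CLIENT_IP = re.compile(r"Client Ip = (\d+\.\d+\.\d+\.\d+)")

def parse_last_changed(schedule_text):
    """Timestamp of the last manual or scheduled CIFS password reset."""
    m = re.search(r"^Last Changed At:\s*(.+)$", schedule_text, re.M)
    return datetime.strptime(m.group(1).strip(), "%a %b %d %H:%M:%S %Y")

def parse_bad_integrity_events(ems_text):
    """Group each secd.cifsAuth.problem line with its continuation lines and
    keep the events whose secd trace reports KRB5KRB_AP_ERR_BAD_INTEGRITY."""
    events, current = [], None
    for line in ems_text.splitlines():
        m = EMS_LINE.match(line)
        if m:
            current = {"when": datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S"),
                       "client": None, "bad_integrity": False}
            events.append(current)
        elif current is not None:
            ip = CLIENT_IP.search(line)
            if ip:
                current["client"] = ip.group(1)
            if "KRB5KRB_AP_ERR_BAD_INTEGRITY" in line:
                current["bad_integrity"] = True
    return [e for e in events if e["bad_integrity"]]

def stale_ticket_suspects(ems_text, schedule_text, ticket_lifetime_hours=10):
    """Client IPs whose BAD_INTEGRITY failures fall inside the default Kerberos
    ticket lifetime after the reset (the window an unfixed 9.2+ client retries in)."""
    changed = parse_last_changed(schedule_text)
    window_end = changed + timedelta(hours=ticket_lifetime_hours)
    return sorted({e["client"] for e in parse_bad_integrity_events(ems_text)
                   if changed <= e["when"] <= window_end})
```

Clients listed by stale_ticket_suspects are the ones to target with "klist purge" or a logoff; failures outside the window point at one of the other causes listed under Related Articles.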
Solution
- Upgrade to a fixed release for Bug 1206384
- Workarounds:
  - On the impacted client, reboot, log off, or run "klist purge" to remove the stale Kerberos ticket
  - Wait for clients to refresh their Kerberos tickets. By default, this should be within a 10-hour timeframe
  - Access the CIFS server via IP address to avoid use of Kerberos and force NTLM authentication
- Until an upgrade can be performed:
  - Disable scheduled password resets
  - Avoid using the "vserver cifs password-reset -vserver <SVM_NAME>" command.
Additional Information
- Related Articles (document other known reasons why KRB5KRB_AP_ERR_BAD_INTEGRITY may be seen)