Domain controller disables SMB1 protocol and causes issues with NTLM authentication in clustered Data ONTAP

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Views:: 3,863

Visibility:: Public

Votes:: 0

Category:: clustered-data-ontap-8

Specialty:: cifs

Last Updated:

Applies to

OS: All current versions of clustered Data ONTAP
Microsoft Server 2012 R2

Issue

NTLM authentication fails with INTERNAL_ERROR domain controller sending TCP resets in response to a SMB Negotiate Protocol Request.

(Example of what is seen in a packet trace from Vserver to domain controller)

The Vserver will send a negotiate protocol request to a domain controller with only SMB1 (Dialect: NT LM 0.12) as the advertised support:

No. Time Source Destination Protocol Length Stream index The RTT to ACK the segment was Info 12 0.036391000 10.251.198.234 10.251.198.218 SMB 121 0 Negotiate Protocol Request ... Negotiate Protocol Request (0x72) Word Count (WCT): 0 Byte Count (BCC): 12 Requested Dialects Dialect: NT LM 0.12 Buffer Format: Dialect (2) Name: NT LM 0.12

The domain controller will immediately reset this TCP connection.

No. Time Source Destination Protocol Length Stream index The RTT to ACK the segment was Info 13 0.036489000 10.251.198.218 10.251.198.234 TCP 54 0 0.000098000 microsoft-ds > 18352 [RST, ACK] Seq=2520340104 Ack=3939036472 Win=0 Len=0

SECD logs might also fails with the error RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR error connecting to NETLOGON through NTLM (example from 8.3):

Error: User authentication procedure failed [ 0 ms] Login attempt by domain user 'CIFSTBS2012administrator' using NTLMv2 style security [ 0] No servers available for MS_NETLOGON, vserver: 3, domain: cifstbs2012.local. [ 19] Entry for host-name: cifs-tbs-win12.cifstbs2012.local not found in the current source: FILES. Ignoring and trying next available source [ 26] Entry found for host-name: cifs-tbs-win12.cifstbs2012.local using source: DNS [ 26] Connecting to NetLogon server cifs-tbs-win12.cifstbs2012.local (10.251.198.218) **[ 120] FAILURE: Unable to connect to NetLogon service on ** cifs-tbs-win12.cifstbs2012.local (Error:RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR) [ 120] No servers available for MS_NETLOGON, vserver: 3, domain: cifstbs2012.local.

Example from 8.2:

[ 51 ] Loaded the preliminary configuration. [ 112] Created a machine account in the domain [ 217] SID to name translations of Domain Users and Admins completed successfully [ 304] Kerberos password set for 'VSERVER$@COMPANY.DOMAIN.LOCAL' succeeded [ 304] Set initial account password [ 311] Connecting to NetLogon server dc01.company.domain.local (192.168.112.10) [ 315] Unable to connect to dc01.company.domain.local through the 192.168.112.3 interface **[ 315] FAILURE: Unable to make a NetLogon connection to ** dc01.company.domain.local using the new machine account [ 352] Deleted existing account 'CN=VSERVER,OU=Servers,DC=company,DC=domain DC=local'

Example from 9.1:

Failure Summary: Error: User authentication procedure failed CIFS SMB2 Share mapping - Client Ip = 10.61.35.36 [ 0 ms] Login attempt by domain user 'NETAPP\user1' using NTLMv2 style security [ 1] Successfully connected to ip 10.216.29.40, port 445 using TCP [ 1] Unable to connect to NetLogon service on omard-win2k16dc1.internaldomaina.local (Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR) [ 1] No servers available for MS_NETLOGON, vserver: 7, domain: internaldomaina.local. **[ 1] FAILURE: Unable to make a connection (NetLogon:INTERNALDOMAINA.LOCAL), result: 6940 [ 2] CIFS authentication failed

000.000.388] debug: NEGOTIATE REQUEST: SMB1 - Dialects we support: NT LM 0.12 { in ConnectToCifsServer() at src/Actions/ActionsONTAP.cpp:198 } [000.000.413] debug: CM_STATS: Tracking connect() to server 10.216.29.40, port 445 { in startConnectTracking() at src/cm/secd_cm_stats_manager.cpp:863 } [000.001.265] info : Successfully connected to ip 10.216.29.40, port 445 using TCP { in _connect() at src/connection_manager/secd_connection_shim.cpp:317 } [000.001.630] ERR : HandleBytesReturnedFromRecv: Failed to receive data on socket: Connection reset by peer { in DisplayPerror() at src/Support/CustomErrors.cpp:56 } [000.001.639] ERR : RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in HandleBytesReturnedFromRecv() at src/FrameWork/Socket.cpp:796 [000.001.649] ERR : RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in ReceiveDataOnSocket() at src/FrameWork/Socket.cpp:911 [000.001.671] ERR : RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in PerformSyncClientCmd() at src/FrameWork/ClientInfo.cpp:1707 [000.001.679] ERR : RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in SendNegotiateRequest() at src/Commands/Negotiate.cpp:184 [000.001.687] ERR : RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in ConnectToCifsServer() at src/Actions/ActionsONTAP.cpp:247 [000.001.705] ERR : Unable to connect or establish session (Error code = 6754) { in DisplayError() at src/Support/CustomErrors.cpp:86 } [000.001.712] ERR : RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in connectToDomainController() at src/connection_manager/secd_connection.cpp:230 [000.001.719] debug: Failed to connect to DC win2k16dc1.internaldomaina.local { in connectToDomainController() at src/connection_manager/secd_connection.cpp:257 }

If this is the case, verify if SMB1 driver is running on the domain controller using the CLI:

C:UsersAdministrator>sc qc srv [SC] QueryServiceConfig SUCCESS SERVICE_NAME: srv TYPE : 2 FILE_SYSTEM_DRIVER START_TYPE : 2 AUTO_START <<<<<< IF THIS IS DEMAND_START, then change it back to AUTO_START

ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : System32DRIVERSsrv.sys LOAD_ORDER_GROUP : Network TAG : 0 DISPLAY_NAME : Server SMB 1.xxx Driver DEPENDENCIES : srv2 SERVICE_START_NAME :

:UsersAdministrator>sc query srv SERVICE_NAME: srv TYPE : 2 FILE_SYSTEM_DRIVER STATE : 4 RUNNING <<<<<< IF THIS IS STOPPED, then SMB1 DRIVER IS NOT RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0