NetApp Knowledgebase

Domain controller disables SMB1 protocol and causes issues with NTLM authentication in clustered Data ONTAP

Category:
data-ontap-8
Specialty:
cifs

Applies to

  • OS: All current versions of clustered Data ONTAP
  • Microsoft Server 2012 R2

Issue

NTLM authentication fails with INTERNAL_ERROR, and the domain controller sends TCP resets in response to an SMB Negotiate Protocol Request.

(Example of what is seen in a packet trace from Vserver to domain controller)

The Vserver will send a negotiate protocol request to a domain controller with only SMB1 (Dialect: NT LM 0.12) as the advertised support:

No.       Time           Source                Destination           Protocol Length Stream index The RTT to ACK the segment was Info
12        0.036391000    10.251.198.234        10.251.198.218        SMB      121    0                                           Negotiate Protocol Request ...
    Negotiate Protocol Request (0x72)
         Word Count (WCT): 0
         Byte Count (BCC): 12
         Requested Dialects
             Dialect: NT LM 0.12
                 Buffer Format: Dialect (2)
                 Name: NT LM 0.12

The domain controller will immediately reset this TCP connection.

No.     Time           Source                Destination           Protocol Length Stream index The RTT to ACK the segment was Info
13      0.036489000    10.251.198.218        10.251.198.234        TCP      54     0            0.000098000         microsoft-ds > 18352 [RST, ACK] Seq=2520340104 Ack=3939036472 Win=0 Len=0


SECD logs might also show the error RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR when connecting to NETLOGON through NTLM (example from 8.3):

Error: User authentication procedure failed
  [  0 ms] Login attempt by domain user 'CIFSTBS2012\administrator' using NTLMv2 style security
  [     0] No servers available for MS_NETLOGON, vserver: 3, domain: cifstbs2012.local.
  [    19] Entry for host-name: cifs-tbs-win12.cifstbs2012.local not
           found in the current source: FILES. Ignoring and trying next available source
  [    26] Entry found for host-name: cifs-tbs-win12.cifstbs2012.local using source: DNS
  [    26] Connecting to NetLogon server cifs-tbs-win12.cifstbs2012.local (10.251.198.218)
**[   120] FAILURE: Unable to connect to NetLogon service on
**         cifs-tbs-win12.cifstbs2012.local (Error:RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)
  [   120] No servers available for MS_NETLOGON, vserver: 3, domain: cifstbs2012.local.

 

Example from 8.2:

  [ 51 ] Loaded the preliminary configuration.
  [ 112] Created a machine account in the domain
  [ 217] SID to name translations of Domain Users and Admins completed successfully
  [ 304] Kerberos password set for 'VSERVER$@COMPANY.DOMAIN.LOCAL' succeeded
  [ 304] Set initial account password
  [ 311] Connecting to NetLogon server dc01.company.domain.local (192.168.112.10)
  [ 315] Unable to connect to dc01.company.domain.local through the 192.168.112.3 interface
**[ 315] FAILURE: Unable to make a NetLogon connection to
**       dc01.company.domain.local using the new machine account
  [ 352] Deleted existing account 'CN=VSERVER,OU=Servers,DC=company,DC=domain DC=local'

Example from 9.1:

Failure Summary:
Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.61.35.36
  [  0 ms] Login attempt by domain user 'NETAPP\user1' using NTLMv2 style security
  [     1] Successfully connected to ip 10.216.29.40, port 445 using TCP
  [     1] Unable to connect to NetLogon service on omard-win2k16dc1.internaldomaina.local (Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)
  [     1] No servers available for MS_NETLOGON, vserver: 7, domain: internaldomaina.local.
**[     1] FAILURE: Unable to make a connection (NetLogon:INTERNALDOMAINA.LOCAL), result: 6940
  [     2] CIFS authentication failed

 

[000.000.388]  debug:  NEGOTIATE REQUEST: SMB1 - Dialects we support: NT LM 0.12  { in ConnectToCifsServer() at src/Actions/ActionsONTAP.cpp:198 }
[000.000.413]  debug:  CM_STATS:  Tracking connect() to server 10.216.29.40, port 445  { in startConnectTracking() at src/cm/secd_cm_stats_manager.cpp:863 }
[000.001.265]  info :  Successfully connected to ip 10.216.29.40, port 445 using TCP { in _connect() at src/connection_manager/secd_connection_shim.cpp:317 }
[000.001.630]  ERR  :  HandleBytesReturnedFromRecv: Failed to receive data on socket: Connection reset by peer  { in DisplayPerror() at src/Support/CustomErrors.cpp:56 }
[000.001.639]  ERR  :  RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in HandleBytesReturnedFromRecv() at src/FrameWork/Socket.cpp:796
[000.001.649]  ERR  :  RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in ReceiveDataOnSocket() at src/FrameWork/Socket.cpp:911
[000.001.671]  ERR  :  RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in PerformSyncClientCmd() at src/FrameWork/ClientInfo.cpp:1707
[000.001.679]  ERR  :  RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in SendNegotiateRequest() at src/Commands/Negotiate.cpp:184
[000.001.687]  ERR  :  RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in ConnectToCifsServer() at src/Actions/ActionsONTAP.cpp:247
[000.001.705]  ERR  :  Unable to connect or establish session (Error code = 6754)  { in DisplayError() at src/Support/CustomErrors.cpp:86 }
[000.001.712]  ERR  :  RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in connectToDomainController() at src/connection_manager/secd_connection.cpp:230
[000.001.719]  debug:  Failed to connect to DC win2k16dc1.internaldomaina.local  { in connectToDomainController() at src/connection_manager/secd_connection.cpp:257 }
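
A triage sketch for the 9.1 trace above, added here as an example (not NetApp code): it flags attempts where SECD offered only SMB1, the TCP connection to port 445 succeeded, and the peer reset it during the negotiate. The function name and the matched message patterns are assumptions drawn from the sample lines on this page; other ONTAP releases may word them differently.

```python
import re

# Lines copied from the 9.1 SECD trace on this page (subset).
SAMPLE_TRACE = """\
[000.000.388]  debug:  NEGOTIATE REQUEST: SMB1 - Dialects we support: NT LM 0.12  { in ConnectToCifsServer() at src/Actions/ActionsONTAP.cpp:198 }
[000.001.265]  info :  Successfully connected to ip 10.216.29.40, port 445 using TCP { in _connect() at src/connection_manager/secd_connection_shim.cpp:317 }
[000.001.630]  ERR  :  HandleBytesReturnedFromRecv: Failed to receive data on socket: Connection reset by peer  { in DisplayPerror() at src/Support/CustomErrors.cpp:56 }
[000.001.679]  ERR  :  RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in SendNegotiateRequest() at src/Commands/Negotiate.cpp:184
[000.001.719]  debug:  Failed to connect to DC win2k16dc1.internaldomaina.local  { in connectToDomainController() at src/connection_manager/secd_connection.cpp:257 }
"""

# Message patterns are assumptions based on the wording of the lines above.
NEGOTIATE = re.compile(r"NEGOTIATE REQUEST: (\S+) - Dialects we support: (.*?)\s*(?:\{|$)")
CONNECTED = re.compile(r"Successfully connected to ip (\S+), port (\d+)")
RESET = re.compile(r"Connection reset by peer")
NEG_ERROR = re.compile(r"RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:\d+ in SendNegotiateRequest\(\)")
DC_FAILED = re.compile(r"Failed to connect to DC (\S+)")


def find_smb1_rejections(trace):
    """Return one finding per attempt where an SMB1-only negotiate was reset by the peer."""
    findings, attempt = [], None
    for line in trace.splitlines():
        if m := NEGOTIATE.search(line):
            # A negotiate line opens a new attempt; remember what was offered.
            attempt = {"protocol": m.group(1), "dialects": m.group(2),
                       "peer": None, "reset": False, "in_negotiate": False}
        elif attempt is None:
            continue
        elif m := CONNECTED.search(line):
            attempt["peer"] = f"{m.group(1)}:{m.group(2)}"
        elif RESET.search(line):
            attempt["reset"] = True
        elif NEG_ERROR.search(line):
            attempt["in_negotiate"] = True
        elif m := DC_FAILED.search(line):
            smb1_only = attempt["protocol"] == "SMB1" and attempt["dialects"] == "NT LM 0.12"
            # TCP connected, then reset while negotiating: the signature this article describes.
            if smb1_only and attempt["peer"] and attempt["reset"] and attempt["in_negotiate"]:
                findings.append({"dc": m.group(1), "peer": attempt["peer"]})
            attempt = None
    return findings


if __name__ == "__main__":
    for f in find_smb1_rejections(SAMPLE_TRACE):
        print(f"{f['dc']} ({f['peer']}) reset an SMB1-only negotiate; check the srv driver on that DC")
```

A reset during the negotiate alone does not prove SMB1 is disabled on the peer; it narrows the search to the domain controllers worth checking with the `sc` commands that follow.
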

 

If this is the case, verify whether the SMB1 driver is running on the domain controller using the CLI:

C:\Users\Administrator>sc qc srv
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: srv
         TYPE               : 2  FILE_SYSTEM_DRIVER
         START_TYPE         : 2   AUTO_START <<<<<< IF THIS IS DEMAND_START, then change it back to AUTO_START
         ERROR_CONTROL      : 1   NORMAL
         BINARY_PATH_NAME   : System32\DRIVERS\srv.sys
         LOAD_ORDER_GROUP   : Network
         TAG                : 0
         DISPLAY_NAME       : Server SMB 1.xxx Driver
         DEPENDENCIES       : srv2
         SERVICE_START_NAME :

C:\Users\Administrator>sc query srv

SERVICE_NAME: srv
         TYPE               : 2  FILE_SYSTEM_DRIVER
         STATE              : 4  RUNNING <<<<<< IF THIS IS STOPPED, then SMB1 DRIVER IS NOT RUNNING
                                 (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
         WIN32_EXIT_CODE    : 0  (0x0)
         SERVICE_EXIT_CODE  : 0  (0x0)
         CHECKPOINT         : 0x0
         WAIT_HINT          : 0x0

 

 
