Domain controller disables SMB1 protocol and causes issues with NTLM authentication in clustered Data ONTAP
Applies to
- OS: All current versions of clustered Data ONTAP
- Microsoft Server 2012 R2
Issue
NTLM authentication fails with INTERNAL_ERROR
The domain controller sends a TCP reset in response to the SMB Negotiate Protocol Request.
(Example of what is seen in a packet trace from the Vserver to the domain controller)
The Vserver sends a Negotiate Protocol Request to the domain controller that advertises only SMB1 (Dialect: NT LM 0.12) as supported:
No. Time Source Destination Protocol Length Stream index The RTT to ACK the segment was Info
12 0.036391000 10.251.198.234 10.251.198.218 SMB 121 0 Negotiate Protocol Request ...
Negotiate Protocol Request (0x72)
Word Count (WCT): 0
Byte Count (BCC): 12
Requested Dialects
Dialect: NT LM 0.12
Buffer Format: Dialect (2)
Name: NT LM 0.12
The domain controller will immediately reset this TCP connection.
No. Time Source Destination Protocol Length Stream index The RTT to ACK the segment was Info
13 0.036489000 10.251.198.218 10.251.198.234 TCP 54 0 0.000098000 microsoft-ds > 18352 [RST, ACK] Seq=2520340104 Ack=3939036472 Win=0 Len=0
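The following Python script is an added example, not part of the original article or NetApp's code. It builds and parses a minimal SMB1 Negotiate Protocol Request shaped like the one in the trace above (WCT 0, BCC 12, single dialect NT LM 0.12), so that a request pulled out of a capture can be checked for whether it advertises only SMB1. It assumes direct-hosted SMB over TCP port 445, where the message is prefixed by a 4-byte NetBIOS session service header; the sample frames are constructed inside the script rather than taken from the capture.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72   # Negotiate Protocol Request, as decoded in the trace above
SMB1_HEADER_LEN = 32


def build_smb1_negotiate(dialects):
    """Build a minimal SMB1 Negotiate Protocol Request (a constructed sample, not a captured frame).

    Layout: 4-byte NetBIOS session service header, 32-byte SMB1 header with only the
    command byte set, WordCount (0), ByteCount, then one 0x02 "Dialect" buffer-format
    byte plus a NUL-terminated string per advertised dialect.
    """
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + bytes(SMB1_HEADER_LEN - 5)
    smb = header + bytes([0]) + struct.pack("<H", len(data)) + data
    return struct.pack(">I", len(smb)) + smb   # session message type 0x00 + 3-byte length


def parse_smb1_negotiate(frame):
    """Return (WordCount, ByteCount, [dialect strings]) from an SMB1 Negotiate Protocol Request."""
    if len(frame) < 4 + SMB1_HEADER_LEN + 3:
        raise ValueError("frame too short for an SMB1 negotiate")
    nb_len = struct.unpack(">I", frame[:4])[0] & 0x00FFFFFF
    smb = frame[4:4 + nb_len]
    if smb[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 message (missing \\xffSMB magic)")
    if smb[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not a Negotiate Protocol Request (command 0x%02x)" % smb[4])
    wct = smb[SMB1_HEADER_LEN]
    bcc_off = SMB1_HEADER_LEN + 1 + 2 * wct        # skip WCT and the parameter words
    bcc = struct.unpack("<H", smb[bcc_off:bcc_off + 2])[0]
    data = smb[bcc_off + 2:bcc_off + 2 + bcc]
    dialects, pos = [], 0
    while pos < len(data):
        if data[pos] != 0x02:                      # every entry starts with buffer format "Dialect"
            raise ValueError("expected buffer format 0x02 at offset %d" % pos)
        end = data.index(b"\x00", pos + 1)
        dialects.append(data[pos + 1:end].decode("ascii"))
        pos = end + 1
    return wct, bcc, dialects


def is_smb1_only(frame):
    """True when no 'SMB 2.x' dialect string is advertised, i.e. only an SMB1-capable server can reply."""
    _, _, dialects = parse_smb1_negotiate(frame)
    return not any(d.startswith("SMB 2.") for d in dialects)


if __name__ == "__main__":
    ontap_style = build_smb1_negotiate(["NT LM 0.12"])               # what the trace above shows
    print(parse_smb1_negotiate(ontap_style), "SMB1-only:", is_smb1_only(ontap_style))
    multi = build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])
    print(parse_smb1_negotiate(multi), "SMB1-only:", is_smb1_only(multi))
```

A request that is SMB1-only gives a domain controller whose SMB1 driver is stopped nothing it can answer with, which matches the RST seen in the trace instead of a Negotiate Protocol Response; a multi-protocol request that also lists SMB 2.x dialect strings lets the server choose SMB2.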
SECD logs might also fail with the error RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR when connecting to NETLOGON through NTLM (example from 8.3):
Error: User authentication procedure failed
[ 0 ms] Login attempt by domain user 'CIFSTBS2012\administrator' using NTLMv2 style security
[ 0] No servers available for MS_NETLOGON, vserver: 3, domain: cifstbs2012.local.
[ 19] Entry for host-name: cifs-tbs-win12.cifstbs2012.local not
found in the current source: FILES. Ignoring and trying next available source
[ 26] Entry found for host-name: cifs-tbs-win12.cifstbs2012.local using source: DNS
[ 26] Connecting to NetLogon server cifs-tbs-win12.cifstbs2012.local (10.251.198.218)
**[ 120] FAILURE: Unable to connect to NetLogon service on
** cifs-tbs-win12.cifstbs2012.local (Error:RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)
[ 120] No servers available for MS_NETLOGON, vserver: 3, domain: cifstbs2012.local.
Example from 8.2:
[ 51 ] Loaded the preliminary configuration.
[ 112] Created a machine account in the domain
[ 217] SID to name translations of Domain Users and Admins completed successfully
[ 304] Kerberos password set for 'VSERVER$@COMPANY.DOMAIN.LOCAL' succeeded
[ 304] Set initial account password
[ 311] Connecting to NetLogon server dc01.company.domain.local (192.168.112.10)
[ 315] Unable to connect to dc01.company.domain.local through the 192.168.112.3 interface
**[ 315] FAILURE: Unable to make a NetLogon connection to
** dc01.company.domain.local using the new machine account
[ 352] Deleted existing account 'CN=VSERVER,OU=Servers,DC=company,DC=domain,DC=local'
Example from 9.1:
Failure Summary:
Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.61.35.36
[ 0 ms] Login attempt by domain user 'NETAPP\user1' using NTLMv2 style security
[ 1] Successfully connected to ip 10.216.29.40, port 445 using TCP
[ 1] Unable to connect to NetLogon service on omard-win2k16dc1.internaldomaina.local (Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)
[ 1] No servers available for MS_NETLOGON, vserver: 7, domain: internaldomaina.local.
**[ 1] FAILURE: Unable to make a connection (NetLogon:INTERNALDOMAINA.LOCAL), result: 6940
[ 2] CIFS authentication failed
[000.000.388] debug: NEGOTIATE REQUEST: SMB1 - Dialects we support: NT LM 0.12 { in ConnectToCifsServer() at src/Actions/ActionsONTAP.cpp:198 }
[000.000.413] debug: CM_STATS: Tracking connect() to server 10.216.29.40, port 445 { in startConnectTracking() at src/cm/secd_cm_stats_manager.cpp:863 }
[000.001.265] info : Successfully connected to ip 10.216.29.40, port 445 using TCP { in _connect() at src/connection_manager/secd_connection_shim.cpp:317 }
[000.001.630] ERR : HandleBytesReturnedFromRecv: Failed to receive data on socket: Connection reset by peer { in DisplayPerror() at src/Support/CustomErrors.cpp:56 }
[000.001.639] ERR : RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in HandleBytesReturnedFromRecv() at src/FrameWork/Socket.cpp:796
[000.001.649] ERR : RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in ReceiveDataOnSocket() at src/FrameWork/Socket.cpp:911
[000.001.671] ERR : RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in PerformSyncClientCmd() at src/FrameWork/ClientInfo.cpp:1707
[000.001.679] ERR : RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in SendNegotiateRequest() at src/Commands/Negotiate.cpp:184
[000.001.687] ERR : RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in ConnectToCifsServer() at src/Actions/ActionsONTAP.cpp:247
[000.001.705] ERR : Unable to connect or establish session (Error code = 6754) { in DisplayError() at src/Support/CustomErrors.cpp:86 }
[000.001.712] ERR : RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in connectToDomainController() at src/connection_manager/secd_connection.cpp:230
[000.001.719] debug: Failed to connect to DC win2k16dc1.internaldomaina.local { in connectToDomainController() at src/connection_manager/secd_connection.cpp:257 }
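As an added example (not from the article or from NetApp), the Python below scans SECD trace lines for the pattern shown above: an SMB1-only negotiate ("Dialects we support: NT LM 0.12"), a successful TCP connect to port 445, and then a "Connection reset by peer" or RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR inside SendNegotiateRequest(). The sample lines are constructed after the 9.1 example with a placeholder DC name and a documentation IP address; the healthy sample's multi-dialect wording is an assumption, since the page only shows the SMB1-only message. The verdict strings are the script's own.

```python
import re

# Patterns for the SECD trace lines quoted above (the messages and error names are SECD's own).
DIALECTS_RE = re.compile(r"NEGOTIATE REQUEST: SMB1 - Dialects we support: (?P<dialects>[^{]*?)\s*\{")
CONNECT_RE = re.compile(r"Successfully connected to ip (?P<ip>[\d.]+), port (?P<port>\d+)")
RESET_RE = re.compile(r"Failed to receive data on socket: Connection reset by peer")
NEG_ERR_RE = re.compile(r"RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:\d+ in SendNegotiateRequest\(\)")
NETLOGON_RE = re.compile(r"Unable to connect to NetLogon service on (?P<dc>[\w.-]+)")


def triage_secd_trace(lines):
    """Return what the trace shows and a verdict on whether it matches the SMB1-disabled-DC signature."""
    found = {"smb1_only": False, "tcp_connected": False, "reset_on_negotiate": False,
             "dc": None, "dc_ip": None}
    for line in lines:
        m = DIALECTS_RE.search(line)
        if m:
            dialects = [d.strip() for d in m.group("dialects").split(",") if d.strip()]
            # No SMB 2.x dialect string offered, so only an SMB1-capable server can answer.
            found["smb1_only"] = bool(dialects) and not any(d.startswith("SMB 2.") for d in dialects)
            continue
        m = CONNECT_RE.search(line)
        if m:
            found["tcp_connected"] = True
            found["dc_ip"] = m.group("ip")
            continue
        if RESET_RE.search(line) or NEG_ERR_RE.search(line):
            found["reset_on_negotiate"] = True   # the TCP session died during the negotiate itself
            continue
        m = NETLOGON_RE.search(line)
        if m:
            found["dc"] = m.group("dc")
    if found["smb1_only"] and found["tcp_connected"] and found["reset_on_negotiate"]:
        found["verdict"] = "SMB1-only negotiate reset right after TCP connect: check the srv (SMB1) driver on the DC"
    elif found["reset_on_negotiate"]:
        found["verdict"] = "socket error during negotiate without the SMB1-only pattern: look elsewhere"
    else:
        found["verdict"] = "no negotiate failure in these lines"
    return found


# Constructed sample, modelled on the 9.1 trace above with a placeholder DC name and a documentation IP.
SAMPLE_FAILING = """\
[000.000.388] debug: NEGOTIATE REQUEST: SMB1 - Dialects we support: NT LM 0.12 { in ConnectToCifsServer() at src/Actions/ActionsONTAP.cpp:198 }
[000.001.265] info : Successfully connected to ip 192.0.2.10, port 445 using TCP { in _connect() at src/connection_manager/secd_connection_shim.cpp:317 }
[000.001.630] ERR : HandleBytesReturnedFromRecv: Failed to receive data on socket: Connection reset by peer { in DisplayPerror() at src/Support/CustomErrors.cpp:56 }
[000.001.679] ERR : RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in SendNegotiateRequest() at src/Commands/Negotiate.cpp:184
[    1] Unable to connect to NetLogon service on dc1.example.local (Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)
""".splitlines()

# Constructed healthy variant (assumed wording for a negotiate that also offers an SMB2 dialect).
SAMPLE_HEALTHY = """\
[000.000.388] debug: NEGOTIATE REQUEST: SMB1 - Dialects we support: NT LM 0.12, SMB 2.002 { in ConnectToCifsServer() at src/Actions/ActionsONTAP.cpp:198 }
[000.001.265] info : Successfully connected to ip 192.0.2.10, port 445 using TCP { in _connect() at src/connection_manager/secd_connection_shim.cpp:317 }
""".splitlines()


if __name__ == "__main__":
    print(triage_secd_trace(SAMPLE_FAILING)["verdict"])
    print(triage_secd_trace(SAMPLE_HEALTHY)["verdict"])
```

The three-part match (SMB1-only offer, TCP connect succeeded, reset during the negotiate) is what separates this case from an ordinary network or firewall problem, where the TCP connect itself would fail.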
If this is the case, verify whether the SMB1 driver (srv) is running on the domain controller from the Windows command line:
C:\Users\Administrator>sc qc srv
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: srv
TYPE : 2 FILE_SYSTEM_DRIVER
START_TYPE : 2 AUTO_START <<<<<< IF THIS IS DEMAND_START, then change it back to AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : System32\DRIVERS\srv.sys
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : Server SMB 1.xxx Driver
DEPENDENCIES : srv2
SERVICE_START_NAME :
C:\Users\Administrator>sc query srv
SERVICE_NAME: srv
TYPE : 2 FILE_SYSTEM_DRIVER
STATE : 4 RUNNING <<<<<< IF THIS IS STOPPED, then SMB1 DRIVER IS NOT RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
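The following Python is an added example rather than part of the article: it applies the two checks annotated above to saved output of sc qc srv and sc query srv (for instance collected from several domain controllers), requiring START_TYPE to be AUTO_START and STATE to be RUNNING. The sample output is constructed after the listing above; the handling of a missing driver relies on sc.exe's "OpenService FAILED 1060" (ERROR_SERVICE_DOES_NOT_EXIST) message, which appears when the SMB1 feature has been removed entirely.

```python
import re

# sc.exe prints "KEY : <code> <NAME>" lines; the prompt ("C:\...>") and "[SC] ..." lines never match.
FIELD_RE = re.compile(r"^([A-Z0-9_]{2,})\s*:\s*(.*)$")


def parse_sc_output(text):
    """Turn sc.exe output into a dict of KEY -> value text; {} if the service does not exist."""
    if "OpenService FAILED 1060" in text:   # ERROR_SERVICE_DOES_NOT_EXIST: srv is not installed
        return {}
    fields = {}
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def _symbolic(value):
    """'2   AUTO_START' -> 'AUTO_START': sc prints the numeric code before the symbolic name."""
    tokens = value.split()
    return tokens[1] if len(tokens) > 1 else (tokens[0] if tokens else None)


def smb1_driver_status(qc_text, query_text):
    """Evaluate the srv driver exactly as the article's annotations do."""
    qc, q = parse_sc_output(qc_text), parse_sc_output(query_text)
    start_type = _symbolic(qc["START_TYPE"]) if "START_TYPE" in qc else None
    state = _symbolic(q["STATE"]) if "STATE" in q else None
    problems = []
    if not qc and not q:
        problems.append("srv driver is not installed (SMB1 feature removed)")
    if start_type != "AUTO_START":
        problems.append("START_TYPE is %s, expected AUTO_START" % start_type)
    if state != "RUNNING":
        problems.append("STATE is %s, expected RUNNING" % state)
    return {"start_type": start_type, "state": state,
            "smb1_running": not problems, "problems": problems}


# Constructed samples modelled on the listing above (healthy DC, then a DC with SMB1 disabled).
QC_OK = r"""C:\Users\Administrator>sc qc srv
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: srv
        TYPE               : 2   FILE_SYSTEM_DRIVER
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : System32\DRIVERS\srv.sys
        LOAD_ORDER_GROUP   : Network
        TAG                : 0
        DISPLAY_NAME       : Server SMB 1.xxx Driver
        DEPENDENCIES       : srv2
        SERVICE_START_NAME :
"""
QUERY_OK = r"""C:\Users\Administrator>sc query srv

SERVICE_NAME: srv
        TYPE               : 2  FILE_SYSTEM_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""
QC_DISABLED = QC_OK.replace("2   AUTO_START", "3   DEMAND_START")
QUERY_DISABLED = QUERY_OK.replace("4  RUNNING", "1  STOPPED")
QC_REMOVED = "[SC] OpenService FAILED 1060:\n\nThe specified service does not exist as an installed service.\n"


if __name__ == "__main__":
    print(smb1_driver_status(QC_OK, QUERY_OK))
    print(smb1_driver_status(QC_DISABLED, QUERY_DISABLED))
    print(smb1_driver_status(QC_REMOVED, QC_REMOVED))
```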