Skip to main content
NetApp Knowledgebase

SVM fails to connect to DC when SMB3 Encryption is enabled on DC

Views:
226
Votes:
0
Category:
ontap-9
Specialty:
cifs
Last Updated:

Applies to

  •   ONTAP 9

Issue

  • SVM fails to connect to DC when SMB3 encryption is enabled on DC. 
  • Status of the DC shows "unavailable"  
::*> vserver cifs domain discovered-servers show
Node: CDOT-01
Vserver: test
 
Domain Name     Type     Preference DC-Name         DC-Address      Status
--------------- -------- ---------- --------------- --------------- ---------
naslab.local    KERBEROS favored    rodc            10.216.41.192   undetermined
naslab.local    KERBEROS preferred  win-aesid9bf636 10.216.41.191   undetermined
naslab.local    KERBEROS preferred  win-m2fcklun4l2 10.216.41.190   undetermined
naslab.local    MS-LDAP  favored    RODC            10.216.41.192   undetermined
naslab.local    MS-LDAP  preferred  win-aesid9bf636 10.216.41.191   undetermined
naslab.local    MS-LDAP  preferred  win-m2fcklun4l2 10.216.41.190   undetermined
naslab.local    MS-DC    favored    rodc            10.216.41.192   undetermined
naslab.local    MS-DC    preferred  win-aesid9bf636 10.216.41.191   OK
naslab.local    MS-DC    preferred  win-m2fcklun4l2 10.216.41.190   unavailable   <<<<<<<<<< SVM fails to connect.
 
  • With SECD tracing enabled SECD logs shows that DC failed the session setup request from SVM with "Access denied"( NT error 0xc0000022)
 
00000009.00144add 0aac4c3c Tue Apr 14 2020 15:46:28 +05:30 [kern_secd:info:8039] | [001.556.907]  info :  Successfully connected to ip 10.216.41.190, port 445 using TCP { in _connect() at src/connection_manager/secd_connection_shim.cpp:317 }
00000009.00144ade 0aac4c3c Tue Apr 14 2020 15:46:28 +05:30 [kern_secd:info:8039] | [001.558.049]  debug:  NEGOTIATE RESPONSE: DC selected SMB2/3 dialect 0x210  { in Smb2ParseNegotiateResponse() at src/Smb2/Smb2Negotiate.cpp:211 }
00000009.00144adf 0aac4c3c Tue Apr 14 2020 15:46:28 +05:30 [kern_secd:info:8039] | [001.558.055]  debug:  SIGNING: DC REQUIRES signing  { in Smb2ParseNegotiateResponse() at src/Smb2/Smb2Negotiate.cpp:216 }
00000009.00144ae4 0aac4c3c Tue Apr 14 2020 15:46:28 +05:30 [kern_secd:info:8039] | [001.560.847]  info :  [krb5 context 10EEC600] Creating authenticator for TEST123$@NASLAB.LOCAL -> cifs/win-m2fcklun4l2.naslab.local@, seqnum 62567361, subkey aes256-cts/3FC8, session key aes256-cts/32F1
00000009.00144ae5 0aac4c3c Tue Apr 14 2020 15:46:28 +05:30 [kern_secd:info:8039] | [001.565.821]  ERR  :  Encountered NT error (NT_STATUS_ACCESS_DENIED) for SMB command SessionSetup  { in LogNtStatusCode() at src/Commands/Commands.cpp:448 }
00000009.00144ae6 0aac4c3c Tue Apr 14 2020 15:46:28 +05:30 [kern_secd:info:8039] | [001.565.834]  ERR  :  SMB2 response has NT error 0xc0000022  { in ParseSmb2HeaderResponse() at src/Smb2/Smb2Utils.cpp:313 }
00000009.00144ae7 0aac4c3c Tue Apr 14 2020 15:46:28 +05:30 [kern_secd:info:8039] | [001.565.847]  ERR  :  RESULT_ERROR_GENERAL_FAILURE:3 in Smb2ParseSessionSetupResponse() at src/Smb2/Smb2SessionSetup.cpp:184
00000009.00144ae8 0aac4c3f Tue Apr 14 2020 15:46:28 +05:30 [kern_secd:info:8039] | [001.565.854]  ERR  :  RESULT_ERROR_GENERAL_FAILURE:3 in Smb2SessionSetup() at src/Smb2/Smb2SessionSetup.cpp:275
00000009.00144ae9 0aac4c3f Tue Apr 14 2020 15:46:28 +05:30 [kern_secd:info:8039] | [001.565.861]  ERR  :  RESULT_ERROR_GENERAL_FAILURE:3 in LogOnUserExtBody() at src/Actions/ActionsONTAP.cpp:2468
00000009.00144aea 0aac4c3f Tue Apr 14 2020 15:46:28 +05:30 [kern_secd:info:8039] | [001.567.323]  ERR  :  RESULT_ERROR_SECD_NO_CONNECTIONS_AVAILABLE:6942 in connectToDomainController() at src/connection_manager/secd_connection.cpp:246
00000009.00144aeb 0aac4c3f Tue Apr 14 2020 15:46:28 +05:30 [kern_secd:info:8039] | [001.567.333]  debug:  Connected but failed to authenticate with DC win-m2fcklun4l2.naslab.local  { in connectToDomainController() at src/connection_manager/secd_connection.cpp:262 }
 
  • DC has SMB3 encryption enabled
 
PS C:\Users\Administrator.NASLAB> Get-SmbServerConfiguration |findstr "EncryptData"
EncryptData                     : True

 

CUSTOMER EXCLUSIVE CONTENT

Registered NetApp customers get unlimited access to our dynamic Knowledge Base.

New authoritative content is published and updated each day by our team of experts.

Current Customer or Partner?

Sign In for unlimited access

New to NetApp?

Learn more about our award-winning Support