- Data ONTAP 7-Mode
Yes, when the filer(vfiler) attempts to pass NTLM authentication over NETLOGON, the domain controller once Enforcement Phase is set, will return Access Denied
What workarounds are available?
|8.2.5P3 and older versions||add 7-mode computer object to GPO||option not available, Netlogon is not utlizing secure channel|
|8.2.5P4 and 8.2.5P5||add 7-mode computer object to GPO||
- Add 7-mode computer object to GPO: "Domain Controller: Allow vulnerable Netlogon secure channel connections” group policy object (GPO).
- NOTE: For ONTAP 7-mode there is no patch planned to implement this new feature as 7-mode is under limited support.
- NOTE: For ONTAP 7-mode 8.2.5P4 or 8.2.5P5 versions, to utilize GPO workaround, you must run "options cifs.netlogon.secure_channel.enable off "
- By disabling the option above, you are reverting 7-mode to use nonsecure vulnerable Netlogon connections. This is the only method NetApp has seen that works with the formerly published GPO workaround "Domain Controller: Allow vulnerable Netlogon secure channel connections” group policy object (GPO)" .
- NOTE: As of April 20, 2023 Microsoft KB5021130 NO LONGER references the GPO as a workaround to Enforcement. As of April 11, 2023 patches, this workaround was still valid for 7-mode, however, we cannot guarantee it's validity with any other future publicly available hotfixes.
How ONTAP 7-mode will be impacted by CVE-2022-38023 once "RequireSeal:2" enforcement is set (if workarounds above are not set):
- When filer(vfiler) attempts to pass NTLM authentication information over NETLOGON, the patched domain controller will return Access Denied
- ONTAP will report in EMS messages errors like: (this will only be seen if "options cifs.trace_login on" is enabled)
auth.dc.trace.DCConnection.errorMsg:error]: AUTH: Domain Controller error: NetLogon error 0xc0000022: - Filer's security information differs from domain controller \\DC1.
How ONTAP 7-mode will be impacted by CVE-2022-38023 once "RequireSeal:2" enforcement is set (if workarounds above are no longer valid):
- Clients must ensure only Kerberos authentication is being used in their environment.
- How does an SMB client identify which authentication style to use?
- ONTAP Requirements for CIFS Kerberos
- This other KB has helpful hints on how to troubleshoot this issue: Microsoft Security Advisory CVE-2020-1472 impact on NetApp appliance running CIFS or NFS utilizing Netlogon servers
- after running "options cifs.netlogon.secure_channel.enable off ", Switching between modes (enabled/disabled) requires that a
cifs resetdccommand (if using vfilers, run
vfiler run <vfiler> cifs resetdc) be run to disconnect any current connections to DCs and reconnect to a DC in the new mode.