Skip to main content
NetApp Knowledge Base

Search

  • Filter results by:
    • View attachments
    Searching in
    About 9 results
    • Is it possible to see the Kerberos ticket encryption type for connected clients?
      https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/Is_it_possible_to_see_the_Kerberos_ticket_encryption_type_for_connected_clients
      Applies to ONTAP 9 CIFS No, it's not possible to view the Kerberos ticket's encryption type for a connected CIFS client after the ticket has been decrypted during the session setup. To see what encryp...Applies to ONTAP 9 CIFS No, it's not possible to view the Kerberos ticket's encryption type for a connected CIFS client after the ticket has been decrypted during the session setup. To see what encryption type is used for a ticket when the client submits the ticket to ONTAP, consider capturing a packet trace between the client and ONTAP To see what encryption types the client advertises to the DC when initially obtaining the ticket, consider capturing a packet trace between the client and the DC
    • Accessing a CIFS server via hostname fails with the error: Key table entry not found (KRB5_KT_NOTFOUND)
      https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/Accessing_a_CIFS_server_via_name_fails_with_the_error__Key_table_entry_not_found_KRB5_KT_NOTFOUND
      Key table entry not found (KRB5_KT_NOTFOUND). **[ 7] FAILURE: CIFS authentication failed 00000015.0056f643 01e038b1 Mon Jan 14 2019 00:29:31 +05:30 [kern_secd:info:7104] | [000.004.281] info : [krb5 c...Key table entry not found (KRB5_KT_NOTFOUND). **[ 7] FAILURE: CIFS authentication failed 00000015.0056f643 01e038b1 Mon Jan 14 2019 00:29:31 +05:30 [kern_secd:info:7104] | [000.004.281] info : [krb5 context 09658600] Retrieving cifs/SVM1@testlab.com from SPINKT:kt:C:4 (vno 3, enctype aes256-cts) with result: -1765328203/Key table entry not found
    • Admins cannot login to Admin SVM with AD account
      https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/Admins_cannot_login_to_Admin_SVM_with_AD_account
      Applies to ONTAP 9 Active Directory (AD) Domain Tunnel Advanced Encryption Standard (AES) Issue Fail to connect to the Admin cluster using AD account Vserver is configured as tunnel for AD Access to t...Applies to ONTAP 9 Active Directory (AD) Domain Tunnel Advanced Encryption Standard (AES) Issue Fail to connect to the Admin cluster using AD account Vserver is configured as tunnel for AD Access to the cluster AES is configured on the AD for the secure netlogon
    • Can RC4 encryption for Kerberos-based communication be disabled?
      https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/Can_RC4_encryption_for_Kerberos-based_communication_be_disabled
      In 9.11 and below, you cannot disable RC4 encryption for Kerberos-based communication Even when AES encryption for Kerberos-based communication is enabled on a vserver, advertising the RC4 encryption ...In 9.11 and below, you cannot disable RC4 encryption for Kerberos-based communication Even when AES encryption for Kerberos-based communication is enabled on a vserver, advertising the RC4 encryption type cannot be disabled The strongest encryption type is selected by the DC that provides the Kerberos ticket if multiple are available Configuring strong security for Kerberos-based communication by using AES encryption Enable or disable AES encryption for Kerberos-based communication
    • NTLM-authenticated CIFS session setup failure due to AES for secure channel disabled
      https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/NTLM-authenticated_CIFS_session_setup_failure_due_to_AES_for_secure_channel_disabled
      Applies to ONTAP 9 NTLM authentication DCs require AES encryption for Netlogon RPC sealing (may also apply to environments only requiring RPC signing) Issue Despite using a version of ONTAP supporting...Applies to ONTAP 9 NTLM authentication DCs require AES encryption for Netlogon RPC sealing (may also apply to environments only requiring RPC signing) Issue Despite using a version of ONTAP supporting RPC sealing for Netlogon RPC traffic, Netlogon may fail due to the DCs requiring strong (AES) encryption
    • Enabling AES after applying patch for CVE-2021-42287 results in lost access to CIFS
      https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/Enabling_AES_after_applying_patch_for_CVE-2021-42287_results_in_lost_access_to_CIFS
      Access to CIFS is lost after enabling AES. It is found that Active Directory does not update password properly even though ONTAP will reflect the changes This results in a password mis-match that caus...Access to CIFS is lost after enabling AES. It is found that Active Directory does not update password properly even though ONTAP will reflect the changes This results in a password mis-match that causes authentication to fail when the CIFS password is reset after enabling AES.
    • CIFS share inaccessible after enabling AES encryption on the SVM
      https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/CIFS_share_inaccessible_after_enabling_AES_encryption_on_the_SVM
      CIFS share is inaccessible after enabling AES encryption for Kerberos-based communication by the below command ::> cifs server security modify -vserver <svm> -is-aes-encryption-enabled true AES-256 an...CIFS share is inaccessible after enabling AES encryption for Kerberos-based communication by the below command ::> cifs server security modify -vserver <svm> -is-aes-encryption-enabled true AES-256 and AES-128 encryption types are not reflected in the CIFS server computer account msDS-SupportedEncryptionTypes properties [node-01: secd: secd.kerberos.preauth:error]: Kerberos pre-authentication failure due to out-of-sync machine account password for vserver (SVM1).
    • SVMs cannot access any of the configured AD LDAP servers
      https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/SVMs_cannot_access_any_of_the_configured_AD_LDAP_servers
      SVMs cannot access any of the configured LDAP servers (Active Directory LDAP) Mon Apr 05 20:05:36 +0300 [NODE-01: secd: secd.ldap.noServers:EMERGENCY]: None of the LDAP servers configured for Vserver ...SVMs cannot access any of the configured LDAP servers (Active Directory LDAP) Mon Apr 05 20:05:36 +0300 [NODE-01: secd: secd.ldap.noServers:EMERGENCY]: None of the LDAP servers configured for Vserver (SVM01) are currently accessible via the network for LDAP service type (Service: LDAP (Active Directory), Operation: SiteDiscovery).
    • Unable to login to filer using CBC based Ciphers for SSH after upgrade to 8.2.5P5
      https://kb.netapp.com/Legacy/ONTAP/7Mode/Unable_to_login_to_filer_using_CBC_based_Ciphers_for_SSH_after_upgrade_to_8.2.5P5
      Applies to Data ONTAP 7-Mode 8.2.5P5 Any attempt to login to filer via SSH using CBC based ciphers failed with below error: -bash-4.2$ pbrun ssh -oKexAlgorithms=diffie-hellman-group14-sha1 -c 3des-cbc...Applies to Data ONTAP 7-Mode 8.2.5P5 Any attempt to login to filer via SSH using CBC based ciphers failed with below error: -bash-4.2$ pbrun ssh -oKexAlgorithms=diffie-hellman-group14-sha1 -c 3des-cbc root@filer01 Unable to negotiate with 10.10.10.xx port 22: no matching cipher found. Login attempt to same filer using different cipher is successful -bash-4.2$ pbrun ssh -oKexAlgorithms=diffie-hellman-group14-sha1 -c aes128-ctr root@filer-01