Unable to access CIFS shares with hostname due to time difference between ONTAP and DC
Applies to
- ONTAP 9
- CIFS/SMB
- Kerberos
- Linux clients
- Windows clients
Issue
- Unable to access CIFS shares with hostname or FQDN
- CIFS shares disconnecting frequently, volume becomes inaccessible
- On Linux systems, commands (e.g. df) may fail with Input/output Error
- Unable to map SMB (via UNIX/Linux client with Samba) share with hostname
Example:
\\server1 is not accessible. You might not have permission to use this network resource.
Contact the administrator of this server to find out if you have access permissions.
- Windows error:
Windows can't access this disc. The disc might be corrupt. Make sure that the disc uses a format that Windows recognizes. If the disc is unformatted, you need to format it before using it.
- EMS log raises the following secd: secd.lsa.noServers:EMERGENCY error:
Thu Oct 30 02:24:34 +0900 [cluster-1-01: secd: secd.lsa.noServers:EMERGENCY]: None of the LSA servers configured for Vserver (svm_1) are currently accessible via the network.
- List of discovered domain controllers is empty in the SVM settings/domain tab
- AutoSupport (ASUP) section NTPDC-PEER indicates clock skew:
Example:
remote          local           st poll reach delay   offset    disp
========================================================================
169.254.220.102 169.254.128.127 13 64   377   0.00005 +0.000305 0.03099
=10.1.1.100     10.1.1.36       2  64   377   0.00038 -309.2772 0.03073
- ONTAP attempts to authenticate using Kerberos by default.
SECD and/or EMS log:
Example:
Mon Jan 01 18:00:30 -0700 [CLUSTER-XX: secd: secd.cifsAuth.problem:error]: vserver (SVM1) General CIFS authentication problem.
Error: User authentication procedure failed CIFS SMB2 Share mapping - Client Ip = 10.11.XX.XX
[ 0 ms] Login attempt by domain user 'Domain\user' using NTLMv2 style security
[ 0] Successfully connected to ip 10.1.XX.XX, port 445 using TCP
[ 3] Encountered NT error (NT_STATUS_MORE_PROCESSING_REQUIRED) for SMB command SessionSetup
[ 3] Cluster, Domain Controller or Client time differs by more than the configured clock skew with respect to the others (KRB5KRB_AP_ERR_SKEW)
[ 3] Kerberos authentication failed with result: 7537.
[ 4] Unable to connect to NetLogon service on dc01.domain.com (Error: RESULT_ERROR_SECD_NO_CONNECTIONS_AVAILABLE)
[ 4] Successfully connected to ip 10.1.XX.XX, port 445 using TCP
[ 7] Encountered NT error (NT_STATUS_MORE_PROCESSING_REQUIRED) for SMB command SessionSetup
[ 7] Cluster, Domain Controller or Client time differs by more than the configured clock skew with respect to the others (KRB5KRB_AP_ERR_SKEW)
[ 7] Kerberos authentication failed with result: 7537.
[ 7] Unable to connect to NetLogon service on dc02.domain.com (Error: RESULT_ERROR_SECD_NO_CONNECTIONS_AVAILABLE)
[ 7] No servers available for MS_NETLOGON, vserver: 3, domain: domain.com.
[ 7] FAILURE: Unable to make a connection (NetLogon:DOMAIN.COM), Result: RESULT_ERROR_SECD_NO_SERVER_AVAILABLE
[ 8] CIFS authentication failed

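The two indicators above (a large offset in the NTPDC-PEER section and KRB5KRB_AP_ERR_SKEW in the secd trace) can be checked together. The following is an added example, not part of the original article: the function names are hypothetical, the sample inputs are constructed from the excerpts above, and it assumes the offset column is in seconds and a 300-second tolerance (use the clock skew actually configured on the SVM).

```python
import re

# Constructed sample in the layout of the NTPDC-PEER excerpt above.
SAMPLE_PEERS = """\
remote          local           st poll reach delay   offset    disp
========================================================================
169.254.220.102 169.254.128.127 13 64   377   0.00005 +0.000305 0.03099
=10.1.1.100     10.1.1.36       2  64   377   0.00038 -309.2772 0.03073
"""
# Constructed sample in the layout of the secd trace above.
SAMPLE_SECD = """\
[ 3] Cluster, Domain Controller or Client time differs by more than the configured clock skew with respect to the others (KRB5KRB_AP_ERR_SKEW)
[ 3] Kerberos authentication failed with result: 7537.
[ 7] Cluster, Domain Controller or Client time differs by more than the configured clock skew with respect to the others (KRB5KRB_AP_ERR_SKEW)
"""
# Assumption: 300 s (5 minutes) tolerance; replace with the configured value.
MAX_SKEW_SECONDS = 300.0

# One peer row: optional status flag, two addresses, stratum, poll, octal
# reach, then delay/offset/dispersion. Header and separator lines do not match.
PEER_ROW = re.compile(
    r"^\s*[=*+^~]?(?P<remote>[\w.:-]+)\s+(?P<local>\S+)\s+(?P<st>\d+)\s+(?P<poll>\d+)"
    r"\s+(?P<reach>[0-7]+)\s+(?P<delay>[\d.]+)\s+(?P<offset>[+-]?[\d.]+)\s+(?P<disp>[\d.]+)\s*$"
)

def skewed_peers(text, max_skew=MAX_SKEW_SECONDS):
    """Return (remote, offset_seconds) for each peer whose |offset| > max_skew."""
    flagged = []
    for line in text.splitlines():
        m = PEER_ROW.match(line)
        if not m:
            continue  # header, separator, or unrelated line
        offset = float(m.group("offset"))
        if abs(offset) > max_skew:
            flagged.append((m.group("remote"), offset))
    return flagged

def count_skew_errors(log_text):
    """Count trace lines that report the Kerberos clock-skew error."""
    return sum("KRB5KRB_AP_ERR_SKEW" in line for line in log_text.splitlines())

if __name__ == "__main__":
    for remote, offset in skewed_peers(SAMPLE_PEERS):
        print(f"{remote}: offset {offset:+.4f}s exceeds {MAX_SKEW_SECONDS:.0f}s")
    print("skew errors in secd trace:", count_skew_errors(SAMPLE_SECD))
```

An offset beyond the tolerance on the peer that the domain controllers also follow, combined with skew errors in the trace, points at time synchronization rather than permissions or name resolution.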