CIFS access denied errors in ONTAP 9 after enabling SMB encryption
Applies to
- CIFS/SMB
- ONTAP 9
- Linux/Unix
- Windows
Issue
- After enabling
-is-smb-encryption-required
CIFS security option, some clients are no longer able to access CIFS shares and seeing access denied errors - The issue impacts clients running Windows versions earlier than 8, Server 2012, RHEL version below 7.5, while newer clients are still able to access shares
- The issue impacts shares that have CIFS share property
encrypt-data
applied as well. - In a packet trace, we see
STATUS_ACCESS_DENIED
being returned to Session Setup or Tree Connect requests - EMS may report
Nblade.cifsEncSessAccessDenied or
Nblade.cifsEncShrAccessDenied
- When the issue is captured in a security trace this will contain the reason for the access being denied
example
::> vserver security trace trace-result show
Vserver: svm1
Node Index Filter Details Reason
--------------- ----- -------------------------- -----------------------------------------------------------------
node1 1 Security Style: - Session Setup failed, client does not have encryption capability.