Skip to main content
NetApp Knowledge Base

Domain controller disables SMB1 protocol and causes issues with NTLM authentication in clustered Data ONTAP

  1. Last updated
    Mar 8, 2023
  2. Save as PDF
Views:
7,200
Visibility:
Public
Votes:
0
Category:
clustered-data-ontap-8
Specialty:
nas
Last Updated:
3/8/2023, 10:33:38 AM

Applies to

  • ONTAP 9
  • Microsoft Server 2012 R2

Issue

  • NTLM authentication fails with INTERNAL_ERROR domain controller sending TCP resets in response to a SMB Negotiate Protocol Request.

Example: Packet trace excerpt captured from vserver/SVM to domain controller (DC)

1. SVM will send a negotiate protocol request to a DC with only SMB1 (Dialect: NT LM 0.12) as the advertised support:

No.       Time           Source                Destination           Protocol Length Stream index The RTT to ACK the segment was Info
12        0.036391000    10.251.198.234        10.251.198.218        SMB      121    0                                           Negotiate Protocol Request ...
    Negotiate Protocol Request (0x72)
         Word Count (WCT): 0
         Byte Count (BCC): 12
         Requested Dialects
             Dialect: NT LM 0.12
                 Buffer Format: Dialect (2)
                 Name: NT LM 0.12

2. The DC will immediately reset this TCP connection.

No.     Time           Source                Destination           Protocol Length Stream index The RTT to ACK the segment was Info
13      0.036489000    10.251.198.218        10.251.198.234        TCP      54     0            0.000098000         microsoft-ds > 18352 [RST, ACK] Seq=2520340104 Ack=3939036472 Win=0 Len=0

SECD logs might also fails with the error RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR error connecting to NETLOGON through NTLM

 

Example from ONTAP 9.1:

Failure Summary:
Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.61.35.36
  [  0 ms] Login attempt by domain user 'NETAPP\user1' using NTLMv2 style security
  [     1] Successfully connected to ip 10.216.29.40, port 445 using TCP
  [     1] Unable to connect to NetLogon service on omard-win2k16dc1.internaldomaina.local (Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)
  [     1] No servers available for MS_NETLOGON, vserver: 7, domain: internaldomaina.local.
**[     1] FAILURE: Unable to make a connection (NetLogon:INTERNALDOMAINA.LOCAL), result: 6940
  [     2] CIFS authentication failed

000.000.388]  debug:  NEGOTIATE REQUEST: SMB1 - Dialects we support: NT LM 0.12  { in ConnectToCifsServer() at src/Actions/ActionsONTAP.cpp:198 }
[000.000.413]  debug:  CM_STATS:  Tracking connect() to server 10.216.29.40, port 445  { in startConnectTracking() at src/cm/secd_cm_stats_manager.cpp:863 }
[000.001.265]  info :  Successfully connected to ip 10.216.29.40, port 445 using TCP { in _connect() at src/connection_manager/secd_connection_shim.cpp:317 }
[000.001.630]  ERR  :  HandleBytesReturnedFromRecv: Failed to receive data on socket: Connection reset by peer  { in DisplayPerror() at src/Support/CustomErrors.cpp:56 }
[000.001.639]  ERR  :  RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in HandleBytesReturnedFromRecv() at src/FrameWork/Socket.cpp:796
[000.001.649]  ERR  :  RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in ReceiveDataOnSocket() at src/FrameWork/Socket.cpp:911
[000.001.671]  ERR  :  RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in PerformSyncClientCmd() at src/FrameWork/ClientInfo.cpp:1707
[000.001.679]  ERR  :  RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in SendNegotiateRequest() at src/Commands/Negotiate.cpp:184
[000.001.687]  ERR  :  RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in ConnectToCifsServer() at src/Actions/ActionsONTAP.cpp:247
[000.001.705]  ERR  :  Unable to connect or establish session (Error code = 6754)  { in DisplayError() at src/Support/CustomErrors.cpp:86 }
[000.001.712]  ERR  :  RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in connectToDomainController() at src/connection_manager/secd_connection.cpp:230
[000.001.719]  debug:  Failed to connect to DC win2k16dc1.internaldomaina.local  { in connectToDomainController() at src/connection_manager/secd_connection.cpp:257 }

  • SMB1 driver is running on the domain controller using the CLI:

C:UsersAdministrator>sc qc srv
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: srv
         TYPE               : 2  FILE_SYSTEM_DRIVER
         START_TYPE         : 2   AUTO_START  <<<<<< IF THIS IS DEMAND_START, then change it back to AUTO_START

         ERROR_CONTROL      : 1   NORMAL
         BINARY_PATH_NAME   : System32DRIVERSsrv.sys
         LOAD_ORDER_GROUP   : Network
         TAG                : 0
         DISPLAY_NAME       : Server SMB 1.xxx Driver
         DEPENDENCIES       : srv2
         SERVICE_START_NAME :

:UsersAdministrator>sc query srv

SERVICE_NAME: srv
         TYPE               : 2  FILE_SYSTEM_DRIVER
         STATE              : 4  RUNNING <<<<<< IF THIS IS STOPPED, then SMB1 DRIVER IS NOT RUNNING
                                 (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
         WIN32_EXIT_CODE    : 0  (0x0)
         SERVICE_EXIT_CODE  : 0  (0x0)
         CHECKPOINT         : 0x0
         WAIT_HINT          : 0x0

 

 

 

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.