How to identify users accessing the CIFS server authenticating with NTLMv2 when only Kerberos is allowed
Applies to
- ONTAP 9
- CIFS
Description
- When the CIFS security settings allow only Kerberos for SMB authentication (LM Compatibility Level set to krb), some clients may still attempt NTLMv2 authentication. Example of such a configuration:
::> cifs security show -vserver svm1
Vserver: svm1
Kerberos Clock Skew: 5 minutes
Kerberos Ticket Age: 10 hours
Kerberos Renewal Age: 7 days
Kerberos KDC Timeout: 3 seconds
Is Signing Required: false
Is Password Complexity Required: true
Use start_tls for AD LDAP connection: false
(DEPRECATED)-Is AES Encryption Enabled: true
LM Compatibility Level: krb
Is SMB Encryption Required: false
Client Session Security: none
(DEPRECATED)-SMB1 Enabled for DC Connections: false
SMB2 Enabled for DC Connections: system-default
LDAP Referral Enabled For AD LDAP connections: false
Use LDAPS for AD LDAP connection: false
Encryption is required for DC Connections: false
AES session key enabled for NetLogon channel: true
Try Channel Binding For AD LDAP Connections: true
Encryption Types Advertised to Kerberos:
aes-256, aes-128, rc4, des
- NTLMv2 is rejected in this case, and EMS logs an error that contains the IP address of the client but not the username:
secd.cifsAuth.denied:error]: vserver (svm1) Cannot authenticate CIFS user. Error: User authentication procedure failed CIFS SMB2 Share mapping - Client Ip = 10.11.12.123 [ 0 ms] LM Compatibility level set to krb disallowed NTLMv2 authentication **[ 0] FAILURE: CIFS authentication failed 
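Because the EMS event names only the client IP, identifying the offending users starts by collecting those IPs from the event log. The following script is an added example, not part of this article or of ONTAP: it parses the secd.cifsAuth.denied message format shown above and counts, per vserver and client IP, how many denials were caused by the krb LM Compatibility Level disallowing NTLMv2. All sample log lines except the first are constructed for the example, the event name example.event.notice and the "other failure reason" text are invented placeholders, and the resulting IP list still has to be mapped to users outside ONTAP (for example via DHCP or DNS records).

```python
"""Aggregate ONTAP EMS secd.cifsAuth.denied events by client IP.

Added example, not from the KB article. It parses the message format shown
in the article and counts, per vserver and client IP, how many SMB
authentications were rejected because LM Compatibility Level 'krb'
disallowed NTLMv2. Only the first sample line mirrors the article; the
others are constructed for the example.
"""
import re
from collections import Counter, defaultdict

# Field layout taken from the message shown in the article:
#   secd.cifsAuth.denied:<severity>]: vserver (<name>) ... Client Ip = <ipv4> ...
EMS_RE = re.compile(
    r"secd\.cifsAuth\.denied:(?P<severity>\w+)\]:\s*"
    r"vserver \((?P<vserver>[^)]+)\).*?"
    r"Client Ip = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
# Reason text quoted from the article's EMS message.
NTLM_REASON = "disallowed NTLMv2 authentication"

SAMPLE_EMS = [
    # Copied from the article (the prefix before the event name is truncated there too).
    "secd.cifsAuth.denied:error]: vserver (svm1) Cannot authenticate CIFS user. "
    "Error: User authentication procedure failed CIFS SMB2 Share mapping - "
    "Client Ip = 10.11.12.123 [ 0 ms] LM Compatibility level set to krb "
    "disallowed NTLMv2 authentication **[ 0] FAILURE: CIFS authentication failed",
    # Constructed: the same client retrying.
    "secd.cifsAuth.denied:error]: vserver (svm1) Cannot authenticate CIFS user. "
    "Error: User authentication procedure failed CIFS SMB2 Share mapping - "
    "Client Ip = 10.11.12.123 [ 1 ms] LM Compatibility level set to krb "
    "disallowed NTLMv2 authentication **[ 0] FAILURE: CIFS authentication failed",
    # Constructed: a second client on the same vserver.
    "secd.cifsAuth.denied:error]: vserver (svm1) Cannot authenticate CIFS user. "
    "Error: User authentication procedure failed CIFS SMB2 Share mapping - "
    "Client Ip = 10.11.12.200 [ 0 ms] LM Compatibility level set to krb "
    "disallowed NTLMv2 authentication **[ 0] FAILURE: CIFS authentication failed",
    # Constructed: a denial for an unrelated reason (reason text is invented).
    "secd.cifsAuth.denied:error]: vserver (svm1) Cannot authenticate CIFS user. "
    "Error: User authentication procedure failed CIFS SMB2 Share mapping - "
    "Client Ip = 10.11.12.77 [ 0 ms] some other failure reason "
    "**[ 0] FAILURE: CIFS authentication failed",
    # Constructed: an unrelated event the parser must ignore (event name invented).
    "example.event.notice: vserver (svm1) Client Ip = 10.11.12.5 nothing to see here",
]


def parse_denial(line):
    """Return {'severity', 'vserver', 'ip', 'ntlm_fallback'} for a
    secd.cifsAuth.denied line, or None for anything else."""
    m = EMS_RE.search(line)
    if not m:
        return None
    return {
        "severity": m.group("severity"),
        "vserver": m.group("vserver"),
        "ip": m.group("ip"),
        # True only when the denial was caused by the krb LM Compatibility Level.
        "ntlm_fallback": NTLM_REASON in line,
    }


def ntlm_fallback_clients(lines):
    """Return {vserver: {client_ip: denial_count}} restricted to denials
    caused by NTLMv2 fallback; other denials and other events are dropped."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_denial(line)
        if rec and rec["ntlm_fallback"]:
            hits[rec["vserver"]][rec["ip"]] += 1
    return {vserver: dict(counter) for vserver, counter in hits.items()}


if __name__ == "__main__":
    for vserver, clients in ntlm_fallback_clients(SAMPLE_EMS).items():
        for ip, count in sorted(clients.items(), key=lambda kv: -kv[1]):
            print(f"{vserver}\t{ip}\t{count} NTLMv2 attempts denied")
```

Feed it the relevant lines from `event log show -message-name secd.cifsAuth.denied` (or from a syslog/EMS forwarding destination) instead of the constructed sample; clients that appear repeatedly are the ones whose SMB stack, mapped drive or service account is still negotiating NTLMv2 rather than Kerberos.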