What's the impact of using 'SYSTEM' authentication for a service when accessing SMB shares?
Applies to
- ONTAP 9
- Windows Services
Answer
Preface
- When a service uses SYSTEM, authentication is presented to the SMB server as the machine account user.
- The Windows OS determines whether it's possible to use Kerberos or whether it must fall back to NTLM to authenticate
- ONTAP allows machine accounts to authenticate via NTLM and Kerberos (differing from 7-Mode, where Kerberos was required)
Impact
- If the account uses NTLM, then each CIFS session requires the SMB server to reach out to the domain controller (DC) to validate the credentials passed
- This service is called RPC_NETLOGON; ONTAP opens a connection to the DC and passes the credentials via Netlogon
- If the CIFS session is not reused, each file operation opens a new CIFS session and requires credential validation via the DC
- A service that reads {x} files will therefore cause {x} password validations from the SMB server to the DC (very taxing)
- This issue compounds as the DC slows down under the excess validation load, resulting in SECD failures.
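The symptom described above (one NTLM pass-through validation per file operation) is visible on the domain controller as a burst of Security event 4776 ("The computer attempted to validate the credentials for an account") for the machine account, with the SMB server's name in the Workstation field. The following PowerShell script is an added example, not part of the KB article or an ONTAP or NetApp tool; it assumes it is run on a DC with "Audit Credential Validation" enabled, and the `-SmbServer` parameter and the `$Hours` window are assumptions for illustration.

```powershell
# Added example (not from the KB article): count NTLM credential validations
# (Security event 4776) per account and source workstation on a domain controller,
# so that a service authenticating as SYSTEM/machine account via NTLM with no
# session reuse shows up as a high validations-per-minute rate.
# Assumption: run on a DC where "Audit Credential Validation" is enabled.
param(
    [int]$Hours = 1,          # look-back window (assumed default)
    [string]$SmbServer = ''   # optional: NetBIOS name of the SMB server as it appears in 'Workstation' (assumption)
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4776
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction Stop

$rows = foreach ($e in $events) {
    # 4776 carries PackageName, TargetUserName, Workstation and Status in EventData
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($SmbServer -and $data['Workstation'] -ne $SmbServer) { continue }

    [pscustomobject]@{
        Account       = $data['TargetUserName']
        Workstation   = $data['Workstation']
        IsMachineAcct = $data['TargetUserName'].EndsWith('$')   # machine accounts end in '$'
        Status        = $data['Status']                         # 0x0 = success
    }
}

# Aggregate: which account, from which SMB server, is being validated most often
$rows | Group-Object Account, Workstation | Sort-Object Count -Descending | Select-Object -First 20 |
    ForEach-Object {
        [pscustomobject]@{
            Account     = $_.Group[0].Account
            Workstation = $_.Group[0].Workstation
            MachineAcct = $_.Group[0].IsMachineAcct
            Validations = $_.Count
            PerMinute   = [math]::Round($_.Count / ($Hours * 60), 2)
        }
    } | Format-Table -AutoSize
```

A machine account (`MachineAcct = True`) with a Workstation value matching the SMB server and a validations-per-minute rate close to the service's file-access rate is the pattern the KB describes; a service whose sessions are reused, or that authenticates with Kerberos, produces no comparable stream of 4776 events, so the count dropping after a change is a direct way to confirm the fix took effect.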