What's the impact of using 'SYSTEM' authentication of a service when accessing SMB Shares

Applies to

• ONTAP 9
• Windows Services

Answer

Preface

• When a service uses SYSTEM, authentication is presented to the SMB server as the machine account user.  
• The Windows OS determines if its possible to use Kerberos or if it must use NTLM to authenticate
• ONTAP allows machine accounts to authenticate via NTLM & Kerberos (differing from 7-mode where kerberos was required)

Impact

• If the account uses NTLM then each cifs session will require the SMB server to reach out to the domain controller (DC) to validate the credentials passed
  • This service is called RPC_NETLOGON, ONTAP will open a connection to the DC to pass the creds via netlogon
• If the cifs session is not reused, each file operation will open a new cifs session and require credential validation via the DC
  • A service that reads {x} files will cause {x} password validations from the SMB server to the DC (very taxing)
• This issue compounds exponentially when the DC begins to slow down from the excess validation, resulting in SECD failures.

Additional Information

• How can I check in ONTAP if an external service such as netlogon, ldap-ad, lsa, ldap-nis-namemap, or nis is responding slowly?