CIFS access lost after enabling AES encryption on the SVM
Applies to
- ONTAP 9
- CIFS
- Advanced Encryption Standard (AES)
Issue
- After enabling
-is-aes-encryption-enabled
using commandcifs security modify
, CIFS access lost for the SVM - Any attempt to change the password of SVM's machine account will fail with below error:
ontap95::> vserver cifs password-change -vserver <SVM>
Error: command failed: Password update failed. Reason: Kerberos Error: Invalid credentials were given.
- Any attempt to disable
-is-aes-encryption-enabled
will fail with below error:
ontap95::> vserver cifs security modify -vserver <SVM> -is-aes-encryption-enabled false
Info: In order to disable CIFS AES encryption, the password for the CIFS server machine account must be reset. Enter the username and password for the CIFS domain "DOMAIN.LOCAL".
Enter your user ID: test123
Enter your password:
Error: command failed: Password update failed. Reason: SecD Error: no server available.
Secd log
will show the below failure
[kern_secd:info:12647] .------------------------------------------------------------------------------.
[kern_secd:info:12647] | RPC FAILURE: |
[kern_secd:info:12647] | secd_rpc_ad_change_password has failed |
[kern_secd:info:12647] | Result = 0, RPC Result = 7525 |
[kern_secd:info:12647] | RPC received at Tue Sep 8 17:58:24 2020 |
[kern_secd:info:12647] |------------------------------------------------------------------------------'
[kern_secd:info:12647] Failure Summary:
[kern_secd:info:12647] Error: CIFS server password change procedure failed
[kern_secd:info:12647] [ 1 ms] Successfully connected to ip 10.216.36.39, port 88 using TCP
[kern_secd:info:12647] [ 2] Successfully connected to ip 10.216.36.39, port 88 using TCP
[kern_secd:info:12647] **[ 5] FAILURE: CIFS server could not authenticate as 'CIFS95$@DOMAIN.LOCAL': CIFS server account password does not match password stored in Active Directory (KRB5KDC_ERR_PREAUTH_FAILED)