ドメインコントローラは SMB1 プロトコルを無効にし、 clustered Data ONTAP で NTLM 認証の問題を発生させます
のしんだ
環境
- ONTAP 9
- Microsoft Server 2012 R2
問題
INTERNAL_ERRORSMB Negotiate Protocol要求に応答してドメインコントローラがTCPリセットを送信すると、NTLM認証が失敗します。
例: SVM / SVMからドメインコントローラ(DC)へのパケットトレースの抜粋
1. SVMは、通知されたサポートとしてSMB1(Dialect:NT LM 0.12)のみを使用するDCにネゴシエートプロトコル要求を送信します。
No. Time Source Destination Protocol Length Stream index The RTT to ACK the segment was Info
12 0.036391000 10.251.198.234 10.251.198.218 SMB 121 0 Negotiate Protocol Request ...
Negotiate Protocol Request (0x72)
Word Count (WCT): 0
Byte Count (BCC): 12
Requested Dialects
Dialect: NT LM 0.12
Buffer Format: Dialect (2)
Name: NT LM 0.12
2. DCはすぐ にこのTCP接続をリセットします。
No. Time Source Destination Protocol Length Stream index The RTT to ACK the segment was Info
13 0.036489000 10.251.198.218 10.251.198.234 TCP 54 0 0.000098000 microsoft-ds > 18352 [RST, ACK] Seq=2520340104 Ack=3939036472 Win=0 Len=0
SecDのログも失敗し、 RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR 「Connecting to NETLOGON through NTLM」というエラーが表示されることがあります
ONTAP 9.1の例:
Failure Summary:
Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.61.35.36
[ 0 ms] Login attempt by domain user 'NETAPP\user1' using NTLMv2 style security
[ 1] Successfully connected to ip 10.216.29.40, port 445 using TCP
[ 1] Unable to connect to NetLogon service on omard-win2k16dc1.internaldomaina.local (Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)
[ 1] No servers available for MS_NETLOGON, vserver: 7, domain: internaldomaina.local.
**[ 1] FAILURE: Unable to make a connection (NetLogon:INTERNALDOMAINA.LOCAL), result: 6940
[ 2] CIFS authentication failed
000.000.388] debug: NEGOTIATE REQUEST: SMB1 - Dialects we support: NT LM 0.12 { in ConnectToCifsServer() at src/Actions/ActionsONTAP.cpp:198 }
[000.000.413] debug: CM_STATS: Tracking connect() to server 10.216.29.40, port 445 { in startConnectTracking() at src/cm/secd_cm_stats_manager.cpp:863 }
[000.001.265] info : Successfully connected to ip 10.216.29.40, port 445 using TCP { in _connect() at src/connection_manager/secd_connection_shim.cpp:317 }
[000.001.630] ERR : HandleBytesReturnedFromRecv: Failed to receive data on socket: Connection reset by peer { in DisplayPerror() at src/Support/CustomErrors.cpp:56 }
[000.001.639] ERR : RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in HandleBytesReturnedFromRecv() at src/FrameWork/Socket.cpp:796
[000.001.649] ERR : RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in ReceiveDataOnSocket() at src/FrameWork/Socket.cpp:911
[000.001.671] ERR : RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in PerformSyncClientCmd() at src/FrameWork/ClientInfo.cpp:1707
[000.001.679] ERR : RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in SendNegotiateRequest() at src/Commands/Negotiate.cpp:184
[000.001.687] ERR : RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in ConnectToCifsServer() at src/Actions/ActionsONTAP.cpp:247
[000.001.705] ERR : Unable to connect or establish session (Error code = 6754) { in DisplayError() at src/Support/CustomErrors.cpp:86 }
[000.001.712] ERR : RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in connectToDomainController() at src/connection_manager/secd_connection.cpp:230
[000.001.719] debug: Failed to connect to DC win2k16dc1.internaldomaina.local { in connectToDomainController() at src/connection_manager/secd_connection.cpp:257 }
- SMB1ドライバは、ドメインコントローラでCLIを使用して実行されています。
C:UsersAdministrator>sc qc srv
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: srv
TYPE : 2 FILE_SYSTEM_DRIVER
START_TYPE : 2 AUTO_START <<<<<< IF THIS IS DEMAND_START, then change it back to AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : System32DRIVERSsrv.sys
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : Server SMB 1.xxx Driver
DEPENDENCIES : srv2
SERVICE_START_NAME :
:UsersAdministrator>sc query srv
SERVICE_NAME: srv
TYPE : 2 FILE_SYSTEM_DRIVER
STATE : 4 RUNNING <<<<<< IF THIS IS STOPPED, then SMB1 DRIVER IS NOT RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0