域控制器禁用 SMB 1 协议并在集群模式 Data ONTAP 中导致 NTLM 身份验证出现问题

最后更新
另存为PDF

Views:: 37

Visibility:: Public

Votes:: 0

Category:: clustered-data-ontap-8

Specialty:: nas

Last Updated:

状态信息

适用场景

ONTAP 9
Microsoft Server 2012 R2

问题描述

NTLM身份验证失败、 INTERNAL_ERROR 域控制器会发送TCP重置以响应SMB协商协议请求。

示例： 从Vserver/SVM到域控制器(DC)的数据包跟踪摘录

1. SVM将向DC发送协商协议请求、但仅使用SMB1 (方言：NT LM 0.12)作为公布的支持：

No. Time Source Destination Protocol Length Stream index The RTT to ACK the segment was Info 12 0.036391000 10.251.198.234 10.251.198.218 SMB 121 0 Negotiate Protocol Request ... Negotiate Protocol Request (0x72) Word Count (WCT): 0 Byte Count (BCC): 12 Requested Dialects Dialect: NT LM 0.12 Buffer Format: Dialect (2) Name: NT LM 0.12

2. DC将立即重置此TCP连接。

No. Time Source Destination Protocol Length Stream index The RTT to ACK the segment was Info 13 0.036489000 10.251.198.218 10.251.198.234 TCP 54 0 0.000098000 microsoft-ds > 18352 [RST, ACK] Seq=2520340104 Ack=3939036472 Win=0 Len=0

SECD日志可能也会失败、并显示错误 RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR ：Connecting to NETLOGON through NTLM

ONTAP 9.1中的示例：

Failure Summary: Error: User authentication procedure failed CIFS SMB2 Share mapping - Client Ip = 10.61.35.36 [ 0 ms] Login attempt by domain user 'NETAPP\user1' using NTLMv2 style security [ 1] Successfully connected to ip 10.216.29.40, port 445 using TCP [ 1] Unable to connect to NetLogon service on omard-win2k16dc1.internaldomaina.local (Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR) [ 1] No servers available for MS_NETLOGON, vserver: 7, domain: internaldomaina.local. **[ 1] FAILURE: Unable to make a connection (NetLogon:INTERNALDOMAINA.LOCAL), result: 6940 [ 2] CIFS authentication failed

000.000.388] debug: NEGOTIATE REQUEST: SMB1 - Dialects we support: NT LM 0.12 { in ConnectToCifsServer() at src/Actions/ActionsONTAP.cpp:198 } [000.000.413] debug: CM_STATS: Tracking connect() to server 10.216.29.40, port 445 { in startConnectTracking() at src/cm/secd_cm_stats_manager.cpp:863 } [000.001.265] info : Successfully connected to ip 10.216.29.40, port 445 using TCP { in _connect() at src/connection_manager/secd_connection_shim.cpp:317 } [000.001.630] ERR : HandleBytesReturnedFromRecv: Failed to receive data on socket: Connection reset by peer { in DisplayPerror() at src/Support/CustomErrors.cpp:56 } [000.001.639] ERR : RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in HandleBytesReturnedFromRecv() at src/FrameWork/Socket.cpp:796 [000.001.649] ERR : RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in ReceiveDataOnSocket() at src/FrameWork/Socket.cpp:911 [000.001.671] ERR : RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in PerformSyncClientCmd() at src/FrameWork/ClientInfo.cpp:1707 [000.001.679] ERR : RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in SendNegotiateRequest() at src/Commands/Negotiate.cpp:184 [000.001.687] ERR : RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in ConnectToCifsServer() at src/Actions/ActionsONTAP.cpp:247 [000.001.705] ERR : Unable to connect or establish session (Error code = 6754) { in DisplayError() at src/Support/CustomErrors.cpp:86 } [000.001.712] ERR : RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR:6754 in connectToDomainController() at src/connection_manager/secd_connection.cpp:230 [000.001.719] debug: Failed to connect to DC win2k16dc1.internaldomaina.local { in connectToDomainController() at src/connection_manager/secd_connection.cpp:257 }

SMB1驱动程序正在使用命令行界面的域控制器上运行：

C:UsersAdministrator>sc qc srv [SC] QueryServiceConfig SUCCESS SERVICE_NAME: srv TYPE : 2 FILE_SYSTEM_DRIVER START_TYPE : 2 AUTO_START <<<<<< IF THIS IS DEMAND_START, then change it back to AUTO_START

ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : System32DRIVERSsrv.sys LOAD_ORDER_GROUP : Network TAG : 0 DISPLAY_NAME : Server SMB 1.xxx Driver DEPENDENCIES : srv2 SERVICE_START_NAME :

:UsersAdministrator>sc query srv SERVICE_NAME: srv TYPE : 2 FILE_SYSTEM_DRIVER STATE : 4 RUNNING <<<<<< IF THIS IS STOPPED, then SMB1 DRIVER IS NOT RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0