CIFS share access fails when using Kerberos
Applies to
- ONTAP 9
- SMB/CIFS
- smbclient
- Windows 10
Issue
- smbclient cannot connect to the CIFS share with Kerberos (-k); there is no NTLM fallback in this mode, so the session setup fails outright:
user@linux:~$ smbclient -k //cifsshare.cifs.lab.netapp.com/foldername
gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/cifsshare.cifs.lab.netapp.com failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
session setup failed: NT_STATUS_INVALID_PARAMETER
user@linux:~$ kvno -S cifs cifsshare.cifs.lab.netapp.com
kvno: Server not found in Kerberos database while getting credentials for cifs/cifsshare.cifs.lab.netapp.com@cifs.lab.netapp.com
- A Windows client can reach the share on SVM testsvm through the UNC path \\cifsshare.cifs.lab.netapp.com\foldername, but ONTAP reports the session as NTLMv2 authenticated, not Kerberos:
cluster::> cifs connection show -node node-01 -vserver testsvm
Node: Node-01
Vserver: Testsvm
Connection   Session                 Workstation    Workstation
ID           IDs                     IP             Port        LIF IP
------------ ----------------------- -------------- ----------- ------------
214212346928 73442240404030430430430 192.168.0.1    55283       192.168.0.10
cluster::> cifs session show -node node-01 -vserver testsvm -instance
Vserver: Testsvm
Node: Node-01
Session ID: 214212346928
Connection ID: 73442240404030430430430
[...]
Authentication Mechanism: NTLMv2
[...]
- The KDC is discovered and reachable
- DNS resolution has been verified as correct by IP and by FQDN (nslookup)
- The SECD trace shows the client going straight to NTLMv2 authentication, with no Kerberos attempt beforehand:
[kern_secd:info:10057] | [000.000.022] debug: Worker Thread 34507227648 processing RPC 151:secd_rpc_auth_extended with request ID:21167 which sat in the queue for 0 seconds. { in run() at src/server/secd_rpc_server.cpp:2306 }
[kern_secd:info:10057] | [000.000.042] debug: Setting thread context. VServerId = 7 (name='testsvm'), Protocol = CIFS, lifId = 0 { in setThreadContext() at src/utils/secd_thread_data_manager.cpp:415 }
[kern_secd:info:10057] | [000.000.053] debug: Setting client info Module = 1 { in setThreadContextClientInfo() at src/utils/secd_thread_data_manager.cpp:513 }
[kern_secd:info:10057] | [000.000.060] debug: Setting client info Op = 0 { in setThreadContextClientInfo() at src/utils/secd_thread_data_manager.cpp:517 }
[kern_secd:info:10057] | [000.000.066] debug: Setting client info OpInstanceId = 197 { in setThreadContextClientInfo() at src/utils/secd_thread_data_manager.cpp:521 }
[kern_secd:info:10057] | [000.000.073] debug: Setting client info Client IP = xxxxxxxxxxxxx { in setThreadContextClientInfo() at src/utils/secd_thread_data_manager.cpp:525 }
[kern_secd:info:10057] | [000.000.081] debug: secd_rpc_auth_extended_1_svc called with vserver = testsvm { in secd_rpc_auth_extended_1_svc() at src/authentication/secd_rpc_auth.cpp:1219 }
[kern_secd:info:10057] | [000.000.162] info : Login attempt by domain user 'pii_encrypt/u/xxxxxxxxxx=/pii_encrypt' using NTLMv2 style security
- The SPNs registered on the SVM's computer account do not include the FQDN the clients use to reach the share (cifsshare.cifs.lab.netapp.com); only the testsvm names are present, so the KDC has no principal to issue a cifs/cifsshare.cifs.lab.netapp.com ticket for:
C:\> setspn -Q host/testsvm
Checking domain DC=cifs,DC=lab,DC=netapp,DC=com
CN=10-53-21-46,CN=Computers,DC=cifs,DC=lab,DC=netapp,DC=com
HOST/testsvm
HOST/testsvm.cifs.lab.netapp.com
CIFS/testsvm.cifs.lab.netapp.com
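The last check above is the decisive one, and it is easy to get wrong by eye when an SVM has several DNS names. The following shell script is an added example, not part of the original article and not NetApp code: it derives the SPN an SMB client will request from the share path it is given (\\host\share or //host/share) and looks it up in the SPN list printed by setspn above, which is embedded here as constructed sample input so the script runs offline. It goes one step beyond the article by also accepting a HOST/ SPN as a match, since Active Directory maps the cifs service class onto HOST.

```shell
# Added example: check whether the name a client uses for an SMB share is
# covered by an SPN on the SVM computer account. Not from the original article.

# SPN list as printed by `setspn -Q host/testsvm` on the page. Constructed
# sample input, embedded so the script runs offline; in practice paste in the
# live setspn (or ldapsearch servicePrincipalName) output instead.
REGISTERED_SPNS='HOST/testsvm
HOST/testsvm.cifs.lab.netapp.com
CIFS/testsvm.cifs.lab.netapp.com'

# AD compares SPNs case-insensitively, so normalise everything to lower case.
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# required_spn <unc-or-smbclient-path>
# Accepts \\host\share or //host/share and prints the SPN the client will ask
# the KDC a ticket for: cifs/<host>. Backslashes are folded to slashes first
# so both path styles parse the same way.
required_spn() {
  host=$(printf '%s' "$1" | tr '\\' '/')
  host=${host#//}
  host=${host%%/*}
  printf 'cifs/%s\n' "$(lower "$host")"
}

# spn_registered <cifs/host>
# Prints "ok" when the exact SPN, or the HOST/<host> SPN that Windows treats as
# covering cifs/<host>, is in REGISTERED_SPNS; otherwise prints "missing" and
# returns non-zero. A miss is what kvno reports as "Server not found in
# Kerberos database".
spn_registered() {
  want=$(lower "$1")
  hostpart=${want#cifs/}
  for spn in $REGISTERED_SPNS; do
    spn=$(lower "$spn")
    if [ "$spn" = "$want" ] || [ "$spn" = "host/$hostpart" ]; then
      printf 'ok\n'
      return 0
    fi
  done
  printf 'missing\n'
  return 1
}

# check_share <path>: one-line verdict for the path a client actually uses.
check_share() {
  spn=$(required_spn "$1")
  printf '%s -> %s: %s\n' "$1" "$spn" "$(spn_registered "$spn")"
}

check_share '//cifsshare.cifs.lab.netapp.com/foldername'   # missing
check_share '//testsvm.cifs.lab.netapp.com/foldername'     # ok
```

A "missing" verdict for the name the clients really use explains both symptoms at once: the KDC cannot issue a ticket for cifs/cifsshare.cifs.lab.netapp.com, so smbclient -k fails with NT_STATUS_INVALID_PARAMETER, while the Windows client quietly falls back to NTLMv2, which is what cifs session show and the SECD trace record. Kerberos will only work for that name once an SPN for it is registered on the SVM computer account; the article itself covers only the diagnosis.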