Hi everyone,
I wanted to share a resolved HNAS CIFS/EVS authentication issue in case it helps someone else.
We had a problem after performing an EVS / CIFS migration from an older storage pool to a new one. New EVSs and CIFS serving names were created, and file share data was migrated using object replication.
After the migration, one of the existing CIFS serving names continued to work normally, but the newly created CIFS serving names had issues communicating properly with the Domain Controllers.
Symptoms we observed:
- The CIFS computer object existed in Active Directory.
- DNS A records pointed to the correct EVS IP addresses.
- Time / NTP was aligned with the Domain Controllers.
- Kerberos authentication appeared to work.
- Windows clients could obtain a valid cifs/<CIFS_NAME> Kerberos ticket.
- Linux clients using Kerberos could list shares successfully.
- However, password / NTLM-style access failed with errors such as:
  STATUS_NO_LOGON_SERVERS
  NT_STATUS_IO_TIMEOUT
  NT_STATUS_LOGON_FAILURE
- On HNAS:
  cifs-dc get showed authentication issues.
  cifs-dc list -v showed Protocol Error / failed DC polling history for the affected CIFS serving names.
The key finding was that the working older CIFS serving name was already allowed in the Active Directory policy:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network access: Restrict clients allowed to make remote calls to SAM
The new CIFS serving name computer objects were not included in this policy.
After adding the relevant HNAS/CIFS computer objects, and the domain account used for HNAS authentication, with "Remote Access" permission in this policy, the issue was resolved.
After Group Policy was applied on the relevant Domain Controllers, HNAS was able to authenticate and communicate with the DCs correctly, and the CIFS share access started working as expected.
Useful checks:
On the Domain Controller, check the current policy value:
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RestrictRemoteSam
On HNAS, check DC status with:
cifs-dc list -v
and:
cifs-dc get
In our case, the problem was not DNS, NTP, Kerberos SPN, or the CIFS computer object itself. Kerberos was working, but the SAMR / NetLogon / Remote SAM path was being restricted by the AD security policy.
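As an added example (not part of the original post, and not HNAS or Hitachi code), the policy check above can be scripted on a Domain Controller: it reads the current RestrictRemoteSam SDDL and reports whether a given principal (the new CIFS serving name computer object or the HNAS domain account) is actually granted "Remote Access". It assumes the ActiveDirectory PowerShell module (RSAT) is available; the account name is a placeholder.

```powershell
# Added example, not from the original post. Run on a Domain Controller with the
# ActiveDirectory module (RSAT). Reads the effective RestrictRemoteSam policy and
# reports whether a principal (HNAS CIFS computer object or the HNAS domain
# account) is granted "Remote Access". The account name is a placeholder.
param([string]$SamAccountName = 'HNAS-CIFS01$')   # placeholder: new CIFS serving name computer object

Import-Module ActiveDirectory

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$sddl = (Get-ItemProperty -Path $regPath -Name RestrictRemoteSam -ErrorAction SilentlyContinue).RestrictRemoteSam
if (-not $sddl) {
    Write-Output 'RestrictRemoteSam not set; the OS default applies (Administrators only on Windows Server 2016 and later).'
    return
}
Write-Output "RestrictRemoteSam SDDL: $sddl"

# The policy value is an SDDL security descriptor; "Remote Access" in the GPO
# editor corresponds to the RC (READ_CONTROL, 0x20000) right in the DACL.
$readControl = 0x20000
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

# Resolve the principal and every group it belongs to (an ACE may grant a group).
$principal = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'" -Properties objectSid
if (-not $principal) { throw "No AD object with sAMAccountName '$SamAccountName'" }
$sids = @($principal.objectSid.Value)
$sids += (Get-ADPrincipalGroupMembership -Identity $principal.DistinguishedName | ForEach-Object { $_.SID.Value })
# Implicit memberships that SDDL entries commonly reference
$sids += 'S-1-1-0', 'S-1-5-11'   # Everyone, Authenticated Users

$granted = @()
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
    $isAllow = $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed
    $hasRc   = ($ace.AccessMask -band $readControl) -ne 0
    if ($isAllow -and $hasRc -and ($sids -contains $ace.SecurityIdentifier.Value)) {
        try   { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $ace.SecurityIdentifier.Value }
        $granted += $name
    }
}

if ($granted) {
    Write-Output "$SamAccountName is allowed remote SAM calls via: $($granted -join ', ')"
} else {
    Write-Output "$SamAccountName is NOT allowed: grant it Remote Access in the policy via Group Policy, then refresh policy on the DCs."
}
```

Change the value through Group Policy rather than editing the registry key directly, and re-run the script on each DC that HNAS polls, since the post's symptom only cleared once the policy had applied on the relevant DCs.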
Hope this helps someone troubleshooting similar HNAS CIFS / DC authentication issues.
#NAS5000Series
------------------------------
Ilija Marinkovic
Unicom-Telecom d.o.o.
------------------------------