AnsweredAssumed Answered

Disable SMBv1 and can't authenticate to Active Directory

Question asked by Thinh Tran on Nov 29, 2017

Hi all,

 

I have a HNAS F1140 (two nodes) currently has system version at 5.0.0. The CIFS service currently has SMB 2.0 enable. Because of the wannacry risk, we recently disable SMBv1 from Windows Windows 2012 R2 using GPO. After that, the storage could not join or authenticate to AD server and drop all the shares that exports to users.

 

Go to the em_alertfile, I find the following log:

Error2017/11/16 17:50:23An attempt to access the server that used for user mapping has failed.KAQG52016-E

 

The /var/log/cifs/log.winbindd

[2017/11/16 11:39:53.537845, 1, pid=8030] winbindd/winbindd_cm.c:1575(cm_open_connection) cm_open_connection: Could not open a connection to xxx.abc.com: (NT_STATUS_CONNECTION_RESET) [2017/11/16 11:44:53.633705, 1, pid=8030] winbindd/winbindd_cm.c:857(cm_prepare_connection) cli_negprot failed: NT_STATUS_CONNECTION_RESET [2017/11/16 11:44:53.633847, 1, pid=8030] libsmb/conncache.c:189(add_failed_connection_entry) add_failed_connection_entry: added domain ABC (xxx.abc.com) to failed conn cache [2017/11/16 11:44:53.633933, 1, pid=8030] libsmb/conncache.c:189(add_failed_connection_entry) add_failed_connection_entry: added domain xxx.abc.com (xxx.abc.com) to failed conn cache [2017/11/16 11:44:53.638600, 1, pid=8030] winbindd/winbindd_cm.c:857(cm_prepare_connection) cli_negprot failed: NT_STATUS_CONNECTION_RESET

 

The /var/log/cifs/log.smbd

[2017/11/16 18:34:58.238296, 1, pid=9323] libsmb/cliconnect.c:2297(cli_start_connection) failed negprot: NT_STATUS_CONNECTION_RESET [2017/11/16 18:34:58.239610, 1, pid=9323] libsmb/cliconnect.c:2297(cli_start_connection) failed negprot: NT_STATUS_CONNECTION_RESET

 

Does anyone know the root cause and how can I fix it? Thanks in advance.

Outcomes