Solved

SMB signing problem between Windows and NetApp?

Posted on 2014-03-28
Last Modified: 2014-04-03
Hi,
I have a number of users in another building accessing our central storage as a mapped share, let's say drive Z:. Randomly (mostly just once a day, always at different times) one or some of them lose the connection to Z:. They still see Z: in Explorer but can't access any directory or file. These people are not always the same. These users are (still) using XP, and most of them Win7. We checked IP connectivity, DNS resolution, switches and firewall. Nothing to take care of there. Just our NetApp is reporting some error messages.

Thu Mar 27 13:56:26 CET [storage-01: ems.engine.inputSuppress:error]: Event 'cifs.trace.smbSignMismatch3' suppressed 4 times since Wed Mar 26 12:36:17 CET 2014.
:
Thu Mar 27 13:56:26 CET [storage-01: cifs.trace.smbSignMismatch3:error]: CIFS: Request from client 1.2.3.4 for operation 117 (tconX) was rejected because the client requested enforcement of security signatures (SMB signing) and the signature provided by the client did not match the value calculated by the filer.

We are running SMBv2 at NetApp.

There is another error message, where I'm not sure if it has something to do with my problem.

Thu Mar 27 09:33:41 CET [storage-01: auth.trace.authenticateUser.loginTraceIP:info]: AUTH: Login attempt by user pc08$ of domain DOMAIN from client machine 1.2.3.4 (PC08).
:
Thu Mar 27 09:36:17 CET [storage-01: auth.trace.authenticateUser.loginRejected:info]: AUTH: Login attempt by user rejected by the domain controller with error 0xc0000064: DC indicates user is not from a trusted domain.

Here I'm not sure if this message belongs to the one before. There is a gap of nearly 3 minutes.

Is there anybody out there who had solved such a problem in the past? Thanks for any hints.

Regards

Olaf
Question by:olaf_joerk
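As an added example (not part of the original question or any of the answers), here is a Python script that parses NetApp EMS lines of the kind quoted above and correlates them per client IP, so the question of whether the loginRejected line belongs to the smbSignMismatch3 line is answered from timestamps rather than by eye. The sample log is constructed from the quoted lines, with a second client (1.2.3.5) invented to show a positive match. Two things are assumptions: the year (EMS lines omit it, so the post date is used), and the rule that a loginRejected line, which names no client, belongs to the most recent loginTraceIP line from the same filer within a few minutes.

```python
# Added example, not from the thread: correlate the filer's EMS log lines
# per client IP so the 'does the auth rejection belong to the signing
# mismatch?' question is answered from timestamps rather than by eye.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the lines quoted in the question; the real
# log only showed client 1.2.3.4, the 1.2.3.5 lines are invented.
SAMPLE_LOG = """\
Thu Mar 27 09:33:41 CET [storage-01: auth.trace.authenticateUser.loginTraceIP:info]: AUTH: Login attempt by user pc08$ of domain DOMAIN from client machine 1.2.3.4 (PC08).
Thu Mar 27 09:36:17 CET [storage-01: auth.trace.authenticateUser.loginRejected:info]: AUTH: Login attempt by user rejected by the domain controller with error 0xc0000064: DC indicates user is not from a trusted domain.
Thu Mar 27 13:54:58 CET [storage-01: auth.trace.authenticateUser.loginTraceIP:info]: AUTH: Login attempt by user pc15$ of domain DOMAIN from client machine 1.2.3.5 (PC15).
Thu Mar 27 13:55:02 CET [storage-01: auth.trace.authenticateUser.loginRejected:info]: AUTH: Login attempt by user rejected by the domain controller with error 0xc0000064: DC indicates user is not from a trusted domain.
Thu Mar 27 13:56:26 CET [storage-01: ems.engine.inputSuppress:error]: Event 'cifs.trace.smbSignMismatch3' suppressed 4 times since Wed Mar 26 12:36:17 CET 2014.
Thu Mar 27 13:56:26 CET [storage-01: cifs.trace.smbSignMismatch3:error]: CIFS: Request from client 1.2.3.4 for operation 117 (tconX) was rejected because the client requested enforcement of security signatures (SMB signing) and the signature provided by the client did not match the value calculated by the filer.
Thu Mar 27 13:56:40 CET [storage-01: cifs.trace.smbSignMismatch3:error]: CIFS: Request from client 1.2.3.5 for operation 117 (tconX) was rejected because the client requested enforcement of security signatures (SMB signing) and the signature provided by the client did not match the value calculated by the filer.
"""

HEADER = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<tz>\w+) "
    r"\[(?P<node>[^:\]]+): (?P<event>[^:\]]+):(?P<sev>\w+)\]: (?P<msg>.*)$")
# Per-event detail patterns; keys are the EMS event names.
DETAIL = {
    "auth.trace.authenticateUser.loginTraceIP": re.compile(
        r"user (?P<user>\S+) of domain (?P<domain>\S+) from client machine "
        r"(?P<ip>[\d.]+) \((?P<host>[^)]+)\)"),
    "auth.trace.authenticateUser.loginRejected": re.compile(
        r"error (?P<code>0x[0-9a-fA-F]+): (?P<reason>.+?)\.?$"),
    "cifs.trace.smbSignMismatch3": re.compile(
        r"Request from client (?P<ip>[\d.]+) for operation (?P<op>\d+) \((?P<opname>\w+)\)"),
    "ems.engine.inputSuppress": re.compile(
        r"Event '(?P<suppressed_event>[^']+)' suppressed (?P<count>\d+) times"),
}

def parse_log(text, year=2014):
    """EMS lines carry no year; `year` is taken from the post date (an assumption)."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["time"] = datetime.strptime(f"{ev['ts']} {year}", "%a %b %d %H:%M:%S %Y")
        pat = DETAIL.get(ev["event"])
        if pat and (d := pat.search(ev["msg"])):
            ev.update(d.groupdict())
        events.append(ev)
    return events

def attribute_rejections(events, max_gap=timedelta(minutes=5)):
    """loginRejected names no client. Heuristic (not documented by NetApp, an
    assumption here): it belongs to the latest loginTraceIP within max_gap."""
    last = None
    for ev in events:
        if ev["event"].endswith("loginTraceIP"):
            last = ev
        elif ev["event"].endswith("loginRejected") and last and ev["time"] - last["time"] <= max_gap:
            ev.update(ip=last["ip"], host=last["host"], user=last["user"])
    return events

def correlate(events, window=timedelta(minutes=10)):
    """{ip: [(mismatch, rejection), ...]} for rejections preceding a signing
    mismatch from the same client by at most `window`."""
    rejections = [e for e in events if e["event"].endswith("loginRejected") and "ip" in e]
    pairs = defaultdict(list)
    for ev in events:
        if ev["event"] != "cifs.trace.smbSignMismatch3":
            continue
        for rej in rejections:
            if rej["ip"] == ev["ip"] and timedelta(0) <= ev["time"] - rej["time"] <= window:
                pairs[ev["ip"]].append((ev, rej))
    return dict(pairs)

def suppressed_counts(events):
    """Repeats the EMS engine folded into 'suppressed N times' lines, per event."""
    totals = defaultdict(int)
    for ev in events:
        if ev["event"] == "ems.engine.inputSuppress":
            totals[ev["suppressed_event"]] += int(ev["count"])
    return dict(totals)

def summarize(text, year=2014, window=timedelta(minutes=10)):
    """Per client IP: signing mismatches seen, and how many had an auth
    rejection from that client shortly before."""
    events = attribute_rejections(parse_log(text, year))
    pairs = correlate(events, window)
    out = {}
    for ev in events:
        if ev["event"] == "cifs.trace.smbSignMismatch3":
            out.setdefault(ev["ip"], {"mismatches": 0, "linked_rejections": 0})["mismatches"] += 1
    for ip, linked in pairs.items():
        out[ip]["linked_rejections"] = len(linked)
    return out

if __name__ == "__main__":
    evs = attribute_rejections(parse_log(SAMPLE_LOG))
    print("suppressed:", suppressed_counts(evs))
    for ip, s in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, s)
```

On the constructed sample the 1.2.3.4 rejection at 09:36 is more than four hours before that client's signing mismatch at 13:56, so it is not linked, while the invented 1.2.3.5 pair falls inside the window. The suppressed count is reported separately because the folded repeats carry no client IP, so they cannot be attributed to anyone; on a real log, feed the script the whole day so the once-a-day drops line up with the rejections.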
8 Comments

Expert Comment

by:jrhelgeson
Looks like you're having AD replication issues and your users are authenticating against a domain controller that isn't recognized as trusted by the filer.  This is very common... that is to say I see this kind of stuff frequently.

First step - on the user's machine, from the command prompt, run "KLIST" to get the list of certificates the user/computer holds, and also run "echo %logonserver%" to get the name of the server that they logged into.

Gathering those two bits of information you'll start to see patterns.   One server is likely not generating Kerberos tickets that match the encryption/signing requirements of the NAS/filer.  The second error indicates that it doesn't recognize the user credentials/Kerberos ticket at all.  That is where you'll want to check the tickets, and the logon server.

Go to the logon server (domain controller) and verify that replication is taking place. Run the following commands from an elevated command prompt.
repadmin /syncall /Aedq
repadmin /syncall /AePdq

Ensure that all FSMO roles are held by an existing server.

I don't want to go into detail on AD repair until we are certain this is the issue.

Author Comment

by:olaf_joerk
Thanks for your reply. I tested with two clients (I had access to) and the Logonserver was the right one. Klist gave me a list of cached certificates. But I don't know what to do with them.

At the domain controllers I checked replication and all was well. The FSMO roles point to our first domain controller. So far I can't see a problem.

BTW, I still entertain suspicion that the problem is name resolution related. But I haven't found anything concrete.

Expert Comment

by:jrhelgeson
I hope you kept a list of the certificates, and I trust the machines were having problems at that time?

Within the list of certs, what did the Kerberos ticket look like for that CIFS Share on the filer?  e.g.
#4>     Client: jrhelgeson @ FOO.LOCAL
        Server: cifs/NETApp.FOO.local @ FOO.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
        Start Time: 3/28/2014 8:13:12 (local)
        End Time:   3/28/2014 18:12:15 (local)
        Renew Time: 4/4/2014 8:12:15 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96


Author Comment

by:olaf_joerk
At the moment the computer doesn't have problems. The ticket looks like:

#2>   Client: user @ DOMAIN.NAME
        Server: cifs/STORAGE-01 @ DOMAIN.NAME
        KerbTicket (Encryption Type): RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 3/28/2014 16:25:25 (local)
        End Time:   3/29/2014 2:25:25 (local)
        Renew Time: 4/4/2014 13:31:23 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)


Apart from Ticket Flag and Session Key Type all looks the same. Is the number significant? All tickets had similar entries. Shall I look only to klist output if the computer has problems?
Thanks for your support. Wish you a nice weekend.

Expert Comment

by:jrhelgeson
The number only signifies the numerical order so you can find it/reference it easier.  No significance outside that.

What is curious is that the ticket only has the device name, not the FQDN (on line 2).  Server: cifs/STORAGE-01 @ DOMAIN.NAME - versus -
Server: cifs/STORAGE-01.DOMAIN.NAME @ DOMAIN.NAME

Also, the encryption type for the session key - last line, that one is important.

I take it this was on a machine that was working?  You'll need to do this on a machine when it doesn't work to compare.

Also: are you using WINS in this environment?  It could be that the filer isn't able to see back to the machine because it cannot 'see' it without the FQDN for a DNS lookup.

Ensure that your DHCP server is registering leases with the DNS server, and removes those DNS/PTR records when the lease is expired.  Also ensure that the filer has the FQDN info and is pointing to valid DNS servers.
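As an added example (not code from the thread), here is a Python script for the two klist steps discussed above: the first comment's "run KLIST on the user's machine", and the later comparison of the filer's cifs ticket (short name versus FQDN in the SPN, ticket and session key encryption types, flags) between a working and a failing client. The two klist dumps are constructed, modelled on the excerpts posted in the thread, and the filer name STORAGE-01.DOMAIN.NAME comes from them. The script only reports which fields differ; it does not claim which difference causes the signing mismatch.

```python
# Added example, not from the thread: compare the filer's CIFS service ticket
# from klist on a working client with the one from a failing client.
import re
from datetime import datetime

# Constructed klist dumps, modelled on the excerpts posted in the thread.
KLIST_WORKING = """\
#0>     Client: user @ DOMAIN.NAME
        Server: krbtgt/DOMAIN.NAME @ DOMAIN.NAME
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 3/28/2014 8:12:15 (local)
        End Time:   3/28/2014 18:12:15 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#4>     Client: user @ DOMAIN.NAME
        Server: cifs/STORAGE-01.DOMAIN.NAME @ DOMAIN.NAME
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
        Start Time: 3/28/2014 8:13:12 (local)
        End Time:   3/28/2014 18:12:15 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
"""
KLIST_FAILING = """\
#2>     Client: user @ DOMAIN.NAME
        Server: cifs/STORAGE-01 @ DOMAIN.NAME
        KerbTicket (Encryption Type): RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 3/28/2014 16:25:25 (local)
        End Time:   3/29/2014 2:25:25 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
"""
TICKET_START = re.compile(r"^#(?P<idx>\d+)>\s+Client:\s*(?P<client>.+?)\s*$")
FLAGS = re.compile(r"^Ticket Flags\s+(?P<hex>0x[0-9a-fA-F]+)\s*->\s*(?P<names>.*)$")
FIELD = re.compile(r"^(?P<key>[^:]+?):\s*(?P<val>.+?)\s*$")
# klist spells the ticket-etype field two ways across Windows versions; map both.
FIELD_NAMES = {"server": "server", "kerbticket encryption type": "ticket_etype",
               "session key type": "session_etype", "start time": "start",
               "end time": "end", "renew time": "renew"}

def parse_klist(text):
    """One dict per '#N>' block of klist output."""
    tickets, cur = [], None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if m := TICKET_START.match(line):
            cur = {"index": int(m["idx"]), "client": m["client"], "flags": set()}
            tickets.append(cur)
        elif cur is None:
            continue
        elif m := FLAGS.match(line):
            cur["flags_hex"] = int(m["hex"], 16)
            cur["flags"] = set(m["names"].split())
        elif m := FIELD.match(line):
            key = m["key"].lower().replace("(", "").replace(")", "")
            cur[FIELD_NAMES.get(key, key)] = m["val"]
    return tickets

def parse_time(value):
    """'3/29/2014 2:25:25 (local)' -> datetime; klist prints local time."""
    return datetime.strptime(value.replace("(local)", "").strip(), "%m/%d/%Y %H:%M:%S")

def spn_parts(ticket):
    """'cifs/STORAGE-01 @ DOMAIN.NAME' -> ('cifs', 'STORAGE-01')."""
    service, _, host = ticket["server"].split("@")[0].strip().partition("/")
    return service, host

def find_service_ticket(tickets, service, host):
    """First ticket for service/host, matching on the short host name so a
    ticket issued for the bare NetBIOS name is found as well as an FQDN one."""
    want = host.lower().split(".")[0]
    for t in tickets:
        svc, target = spn_parts(t)
        if svc.lower() == service.lower() and target.lower().split(".")[0] == want:
            return t
    return None

def is_valid_at(ticket, now):
    return parse_time(ticket["start"]) <= now <= parse_time(ticket["end"])

def describe(ticket, expected_fqdn):
    """Fields worth comparing; none of them alone proves a signing failure."""
    host = spn_parts(ticket)[1]
    return {"spn_host": host,
            "spn_is_fqdn": host.lower() == expected_fqdn.lower(),
            "ticket_etype": ticket["ticket_etype"],
            "session_etype": ticket["session_etype"],
            "rc4_session_key": "RC4" in ticket["session_etype"].upper(),
            "ok_as_delegate": "ok_as_delegate" in ticket["flags"]}

def diff_tickets(working, failing, expected_fqdn):
    """{field: (working_value, failing_value)} for every field that differs."""
    a, b = describe(working, expected_fqdn), describe(failing, expected_fqdn)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

if __name__ == "__main__":
    w = find_service_ticket(parse_klist(KLIST_WORKING), "cifs", "STORAGE-01")
    f = find_service_ticket(parse_klist(KLIST_FAILING), "cifs", "STORAGE-01")
    for field, (good, bad) in diff_tickets(w, f, "STORAGE-01.DOMAIN.NAME").items():
        print(f"{field}: working={good!r} failing={bad!r}")
```

In practice, save `klist` output from a client while it is failing and from one that works at the same moment, paste them in place of the two constants, and read the diff. The host match is deliberately on the short name, because the whole point of the comparison is to notice when one client obtained its ticket for cifs/STORAGE-01 and the other for cifs/STORAGE-01.DOMAIN.NAME; is_valid_at is there to rule out a simply expired ticket before reading anything into the encryption types.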

Author Comment

by:olaf_joerk
Ok, I asked the staff with problems in the remote location to send me the klist output if problems occur again. We are using WINS. The DHCP server is registering/removing leases with the DNS server. The filer points to valid DNS servers.

I'll wait for the user output ...

Accepted Solution

by: jrhelgeson (earned 500 total points)
Does DNS do a WINS lookup to resolve addresses?  (It's a setting within the DNS server.)

It really does sound like it could also potentially be a WINS issue.  Check replication and check the integrity of the WINS database.

Author Comment

by:olaf_joerk
Hi,
you pointed in the right direction. It was a WINS and DNS problem. We sorted it out.
We had a broken WINS replication and one of the name servers treated our computers as externals and so it did not give out the internal view. It's all fixed now. Thank you for your support.

Regards

Olaf