Article Number: 000057184
When attempting to log into a domain joined CIFS server from a trusted domain the user is either logged in as local guest or denied access depending on how the environment is configured.
By default the VNXe, VNX, and Unity systems do not accept authentication requests from domains that are not in our trusted domain list that we pull from the domain controller. Instead of attempting to authenticate the user we deny the request immediately without sending the request to the DC. Some settings will allow guest logins and the user will be logged in as guest, other settings deny the login attempt entirely.
There is a hidden parameter that can be adjusted by support to allow authentication from domains outside of our trusted domain list.
It can be checked wither the user is logging in as guest with the server_cifs -audit command. (Note: The user may also be just getting denied access to log in entirely.)
On VNX/VNX2 run the following command:
server_cifs <DM_or_VDM_name> -o audit
On VNXe/Unity run the following command:
svc_cifssupport <DM_or_VDM_name> -audit
Those commands can be run alone but its going to be hard to find the info you want for a specific client due to it dumping the list of sessions for all connected clients on that VDM or physical datamover (Note: if run on the physical DM it will not display the sessions of the VDM's on that datamover it needs to be run on the VDM if you want to display connections from CIFS servers hosted from a VDM.). Its generally easier to read the output if you pipe it to less or grep. you should see something similar to the following if a domain user from a trusted domain is actually being logged in as local guest:
||| SMB2 session Id=0x5a060dd600001b35, 1 channel(s)
||| Uid=0x1b35 NTcred(0x0008aba528 RC=8 NTLMSSP Capa=0x10921) 'Nasserver\guest'
|||| AUDIT Ctx=0x0123ffae748, ref=2, Client(WINHOST) Port=49507/445
||| NASSERVER[DOMAIN] on if=5_APM0152832907
||| CurrentDC 0x000265d0e8=DC01
||| Proto=SMB2.10, OS 6.1 Build 7601, MaxReadWriteSz=0x100000, MaxTransactSz=0x100000, popupMsg=1
||| SrvCapa=0x7, CltCapa=0x0, SrvSecMode=0x1, CltSecMode=0x1
||| Client GUID=ddc8213d-c727-11e7-95aa-0872a92709
||| SMB2 credits: Granted=31, Max=512
||| 0 FNN in FNNlist NbUsr=1 NbCnx=1
|| Cnxp(0x00afd77eb8), Name=share, cUid=0x12235 Tid=0x2, Ref=1, Aborted=0
| readOnly=0, umask=22, opened files/dirs=1
| types=Global - - - - - CA - -
| Absolute path of the share=\Data\share
The easiest way to get the information would be to grep out the hostname or IP address and put a B1 flag before it or pipe it to less and use / to find the appropriate hostname or IP address.
Example:
server_cifs VDM01 -o audit |grep -B1 -i WINHOST
||| Uid=0x1b35 NTcred(0x099237ab28 RC=8 NTLMSSP Capa=0x10921) 'Nasserver\guest' <--- Logged in as local guest
|||| AUDIT Ctx=0x0123ffae748, ref=2, Client(WINHOST) Port=49507/445
Next check to see if there is a trusted domain in the domain list. VNXe/DellEMC Unity has a command to accomplish this, but VNX only has an engineering level command to view this information. if you need to check the trusted domain list on a VNX, please contact support and reference this KB article.
On VNXe/Unity:
root@spa:/cores/service>svc_cifssupport Mon-Nas-server -pdcdump
Mon-Nas-server : commands processed: 1
command(s) succeeded
output is complete
1511808222: SMB: 6: Dump DC for dom='DOMAIN' OrdNum=0
1511808222: SMB: 6: Domain=DOMAIN Next trusted domains update in 574 seconds
1511808222: SMB: 6: oldestDC:DomCnt=0,2 Time=Mon Nov 27 13:26:54 2017
1511808222: SMB: 6: Trusted domain info from DC='PEEPS-DC' (325 seconds ago)
1510346666: SMB: 6: Trusted domain:domain.trusted.com [TRUST] <---- Shows trusted domain information
GUID:fd42399-646d-23a-befc-2c7234b1dbd
1510346666: SMB: 6: Flags=0x27 Ix=0 Type=0x2 Attr=0x20
1510346666: SMB: 6: SID=S-1-5-15-222345affa-23454016-7332128
1510346666: SMB: 6: DC=' '
1510346666: SMB: 6: Status Flags=0x30 DCStatus=0x0,0
>DC=DC0x0007cc3a98 DC01[DOMAIN](5.6.7.250) ref=4 time(dns)=1 ms LastUpdt=Mon Nov 27 18:42:02 2017
KrbAccount=NASSERVER$@DOMAIN.COM Status=OK
AccCred=0x7f9edc48bc98,0x0007d1a988 Buf=0x7f9ef10e7018 L=2677 Flags=0x7
Pid=0000 Tid=0001 Uid=4004000007d SMB=0x210
Cnx=SUCCESS,DC request succeeded
logon=SecureChannelOK 1 SecureChannel(s):
[NASSERVER] Fid=0x30000001c9 CallID=0x5 Status=SUCCESS/SecureChannelOK
Capa=0x0 MxBufSz=0xffff MawRwSz=0xffff Nego=0x0000000000,L=0 Chal=0x0000000000,L=0,W2kFlags=0x33fd
refCount=4 newElectedDC=0x0000000000 forceInvalid=0
Discovered from: DNS
1511808222: ADMIN: 6: Command succeeded: pdc dump
If the trusted domain does not show up in the list most likely the domain controller is not sending us this trust when we send the DsrEnumerateDomainTrusts request to it. This may be able to be corrected on the DC by modifying the trust. Ensure that the trust is set up properly before moving to the solution on the storage end.
VNX/VNXe/Unity side solution:
If the trust is set up the way that it should be for your environment there is a solution on the storage end to change our default behavior. There is a hidden parameter that can be set to modify how we handle authentication requests from domains that we do not have in our trust list (by default we deny the login attempt without even sending it to the DC if we have no trust in the list for the domain the client is attempting to log in with. )
If this parameter is changed we will no longer deny login attempts without querying the DC if the domain is not present in our trust list. Instead we will send the authentication request to the active DC in the CIFS server's local domain as and NTLM authentication attempt and the DC will make the call whether or not to authenticate the user. Note that if the parameter is changed it may increase traffic to the DC , especially if there are a lot of logins that were previously being immediately denied due to missing domain trusts in our list. Generally the traffic increase is not a problem, but if it becomes one the parameter can be reverted back.
VNX/VNXe
20 Nov 2020
2
Solution