
Unsolved


September 8th, 2016 02:00

Failure of resolving SIDs in properties of objects on Celerra NS-120 shares

Hi, Community!

I am asking for your help. A couple of weeks ago we ran into a strange problem with our Celerra NS-120. On this Celerra we have a CIFS server joined to the domain with several shares on it. If we try to add/modify security properties of any object on the CIFS share, resolving SIDs to user/group names does not work. At the same time, we can add new users/groups to the ACLs by name. But after applying the changes, resolving for these users/groups again does not work. We have rejoined the CIFS server to the domain, but that did not fix the situation.

server_checkup gives a domain connectivity error:

[root@tb-nas-01 ~]# /nas/bin/server_checkup server_2 -test cifs -subtest DC -full

server_2 :

------------------------------------Checks--------------------------------------

Component CIFS :

DC        : Checking the connectivity and configuration of Domain Controlle Fail

--------------------------------------------------------------------------------

------------------------------CIFS : DC Warnings--------------------------------

Warning 17455906880: server_2 :  The compname '0800tbfs01' received the GSSAPI error 'Miscellaneous failure. Server not found in Kerberos database. ' from DC '*SMBSERVER' when trying to get the compname account credential (step 'Logon IPC$). This is a Kerberos issue. Operations on Active Directory like join or GPO queries might fail.

--> Check time synchronization between server and DC. Check DC is a valid Microsoft Domain Controller. Check domain or Domain Controller access policies. As a workaround, clear Kerberos credential on server cache after resetting compname account password in Active Directory.

Warning 17455906880: server_2 :  The compname '0800tbfs01' received the GSSAPI error 'Miscellaneous failure. Server not found in Kerberos database. ' from DC '*SMBSERVER' when trying to get the compname account credential (step 'Logon IPC$). This is a Kerberos issue. Operations on Active Directory like join or GPO queries might fail.

--> Check time synchronization between server and DC. Check DC is a valid Microsoft Domain Controller. Check domain or Domain Controller access policies. As a workaround, clear Kerberos credential on server cache after resetting compname account password in Active Directory.

Warning 17455906880: server_2 :  The compname '0800tbfs01' received the GSSAPI error 'Miscellaneous failure. Server not found in Kerberos database. ' from DC '*SMBSERVER' when trying to get the compname account credential (step 'Logon IPC$). This is a Kerberos issue. Operations on Active Directory like join or GPO queries might fail.

--> Check time synchronization between server and DC. Check DC is a valid Microsoft Domain Controller. Check domain or Domain Controller access policies. As a workaround, clear Kerberos credential on server cache after resetting compname account password in Active Directory.

--------------------------------------------------------------------------------

-------------------------------CIFS : DC Errors---------------------------------

Error 13160939579: server_2 :  PingDC failure: The compname '0800tbfs01' could not successfully contact the DC '*SMBSERVER'. Failed to access the pipe NETLOGON at step Open NETLOGON Secure Channel:  Action failed with status=INVALID_COMPUTER_NAME 

--> Check domain or Domain Controller access policies. For NetBIOS servers, ensure that 'allow pre-Windows 2000 computers to use this account' checkbox is selected when joining the server to the Windows 2000 domain.

Error 13160939579: server_2 :  PingDC failure: The compname '0800tbfs01' could not successfully contact the DC '*SMBSERVER'. Failed to access the pipe NETLOGON at step Open NETLOGON Secure Channel:  Action failed with status=INVALID_COMPUTER_NAME 

--> Check domain or Domain Controller access policies. For NetBIOS servers, ensure that 'allow pre-Windows 2000 computers to use this account' checkbox is selected when joining the server to the Windows 2000 domain.

Error 13160939579: server_2 :  PingDC failure: The compname '0800tbfs01' could not successfully contact the DC '*SMBSERVER'. Failed to access the pipe NETLOGON at step Open NETLOGON Secure Channel:  Action failed with status=INVALID_COMPUTER_NAME 

--> Check domain or Domain Controller access policies. For NetBIOS servers, ensure that 'allow pre-Windows 2000 computers to use this account' checkbox is selected when joining the server to the Windows 2000 domain.

--------------------------------------------------------------------------------

Total :   3 errors, 3 warnings

[root@tb-nas-01 ~]# /nas/bin/server_cifs server_2

server_2 :

256 Cifs threads started

Security mode = NT

Max protocol = SMB2

I18N mode = UNICODE

Home Directory Shares DISABLED

Usermapper auto broadcast enabled

Usermapper[0] = [127.0.0.1] state:active (auto discovered)

Enabled interfaces: (All interfaces are enabled)

Disabled interfaces: (No interface disabled)

Unused Interface(s):

if=10-112-242-49 l=10.112.242.49 b=10.112.242.63 mac=0:60:16:45:ea:10

DOMAIN ADMSK FQDN=OURDOMAIN SITE=0800-Sibir RC=38

SID=S-1-5-15-28df522f-33ab7e84-936e9687-ffffffff

DC**SMBSERVER(10.112.99.41) ref=67 time=0 ms (Closest Site)

DC**SMBSERVER(10.112.99.46) ref=58 time=0 ms (Closest Site)

DC**SMBSERVER(10.112.99.11) ref=28 time=0 ms (Closest Site)

DC**SMBSERVER(10.96.25.85) ref=2 time=0 ms

DC**SMBSERVER(10.96.80.5) ref=2 time=0 ms

DC**SMBSERVER(10.84.168.16) ref=2 time=0 ms

DC**SMBSERVER(10.84.168.17) ref=2 time=0 ms

DC**SMBSERVER(10.34.6.1) ref=2 time=0 ms

DC**SMBSERVER(10.34.6.2) ref=2 time=0 ms

DC**SMBSERVER(10.0.86.148) ref=2 time=0 ms

DC**SMBSERVER(10.0.49.25) ref=2 time=0 ms

DC**SMBSERVER(10.0.129.251) ref=2 time=0 ms

DC**SMBSERVER(10.73.8.123) ref=2 time=0 ms

DC**SMBSERVER(10.73.1.204) ref=2 time=0 ms

DC**SMBSERVER(10.73.5.188) ref=2 time=0 ms

DC**SMBSERVER(10.73.0.41) ref=2 time=0 ms

DC**SMBSERVER(10.188.43.97) ref=2 time=0 ms

DC**SMBSERVER(10.188.43.98) ref=2 time=0 ms

DC**SMBSERVER(10.16.166.121) ref=2 time=0 ms

DC**SMBSERVER(10.40.164.100) ref=2 time=0 ms

DC**SMBSERVER(10.40.93.39) ref=2 time=0 ms

DC**SMBSERVER(10.147.66.4) ref=2 time=0 ms

DC**SMBSERVER(10.147.39.55) ref=2 time=0 ms

CIFS Server 0800TBFS01[ADMSK] RC=195

Full computer name=0800tbfs01.OURDOMAIN realm=OURDOMAIN

Comment='EMC-SNAS:T6.0.70.4'

if=10-112-242-50 l=10.112.242.50 b=10.112.242.63 mac=0:60:16:45:ea:10

  FQDN=0800tbfs01.OURDOMAIN (Updated to DNS)

Password change interval: 86340 minutes

Last password change: Mon Sep  5 11:39:03 2016 GMT

Password versions: 3

-------------------------------------------------------------------------------

CIFS service of VDM FS-NMD2 (state=loaded)

Home Directory Shares DISABLED

[root@tb-nas-01 ~]#

1.2K Posts

September 8th, 2016 06:00

It seems like something is amiss with the computer object for the NAS in AD.  The "status=INVALID_COMPUTER_NAME" error may result when the CIFS server name no longer matches the Workstation object in AD, or the AD object is somehow modified (i.e., it was operated on by a GPO). 

The EMC document "Configuring and Managing CIFS on Celerra" will have more details, but you'll want to investigate using the "server_cifs" command to reset the CIFS server password and encryption keys. This should update the credentials used by the computer object in AD. You should probably do this during a period of low usage or off hours.

Let us know how it goes!

Karl

5 Posts

September 8th, 2016 19:00

Hi, Karl!

Thank you for your answer. Will disabling/enabling CIFS via the web interface help?

8.6K Posts

September 9th, 2016 02:00

You can try, but I don't think it's likely.

You need to troubleshoot via the CLI and by looking at the data mover logs, or by opening a service request with EMC customer service.

Looking for changes done on the domain controller or DNS/LDAP when it stopped working would also make sense, for example whether you disabled CIFSv1 on your DC or changed GPOs.

5 Posts

September 11th, 2016 23:00

     Hi, Peter_EMC!

     As our domain support team answered, the domain is of W2008R2 type on W2012 servers.

674 Posts

September 11th, 2016 23:00

What type of Windows domain is this? W2008, W2012, Samba?

5 Posts

September 12th, 2016 00:00

     Hi, Rainer_EMC!

     Unfortunately our Celerra is out of official support now already. And our AD-team is silent about any changes in AD.

     Will disabling/enabling CIFS preserve configured shares, i.e. not destroy them? As I already said in the initial email, we rejoined the Celerra to the domain without success. Is that not the same as resetting the server password and encryption keys? And sometimes (rare occurrences) some SIDs get resolved to user/group names.

5 Posts

September 12th, 2016 05:00

     Hi!

     I have tried to restart service CIFS via

server_setup server_2 -Protocol cifs -option stop

server_setup server_2 -Protocol cifs -option start

     I have tried to reset password and encryption keys via

server_cifs server_2 -Join compname=0800tbfs01,domain=OURDOMAIN,admin=ADMACCOUNT -o resetserverpasswd

     None of the above helped.

[root@tb-nas-01 ~]# server_cifs server_2        

server_2 :

256 Cifs threads started

Security mode = NT

Max protocol = SMB2

I18N mode = UNICODE

Home Directory Shares DISABLED

Usermapper auto broadcast enabled

Usermapper[0] = [127.0.0.1] state:active (auto discovered)

Enabled interfaces: (All interfaces are enabled)

Disabled interfaces: (No interface disabled)

Unused Interface(s):

if=10-112-242-49 l=10.112.242.49 b=10.112.242.63 mac=0:60:16:45:ea:10

DOMAIN ADMSK FQDN=OURDOMAIN SITE=0800-Sibir RC=10

SID=S-1-5-15-28df522f-33ab7e84-936e9687-ffffffff

DC**SMBSERVER(10.112.99.41) ref=18 time=0 ms (Closest Site)

DC**SMBSERVER(10.112.99.11) ref=17 time=0 ms (Closest Site)

>DC**SMBSERVER(10.112.99.46) ref=13 time=0 ms (Closest Site)

CIFS Server 0800TBFS01[ADMSK] RC=39

Full computer name=0800tbfs01.OURDOMAIN realm=OURDOMAIN

Comment='EMC-SNAS:T6.0.70.4'

if=10-112-242-50 l=10.112.242.50 b=10.112.242.63 mac=0:60:16:45:ea:10

  FQDN=0800tbfs01.OURDOMAIN (Updated to DNS)

Password change interval: 86340 minutes

Last password change: Mon Sep 12 11:47:26 2016 GMT

Password versions: 4, 3

-------------------------------------------------------------------------------

CIFS service of VDM FS-NMD2 (state=loaded)

Home Directory Shares DISABLED

[root@tb-nas-01 ~]#

     Everywhere in the logs there is a reference to *SMBSERVER. Where can this name come from?

P.S. How can I attach logs to the message?

1.2K Posts

September 12th, 2016 06:00

The SMBSERVER line in your output should correspond with the DNS name of your DCs, as below:

[nasadmin@vnx-test-cs0 ~]$ server_cifs server_2

server_2 :

256 Cifs threads started

Security mode = NT

Max protocol = SMB2

I18N mode = UNICODE

Home Directory Shares DISABLED

Usermapper auto broadcast enabled

Usermapper[0] = [127.0.0.1] state:active (auto discovered)

Enabled interfaces: (All interfaces are enabled)

Disabled interfaces: (No interface disabled)

Unused Interface(s):

if=archiveIF l=10.200.130.182 b=10.200.143.255 mac=0:60:16:c:13:cd

if=10_200_212_21 l=10.200.212.21 b=10.200.212.255 mac=0:60:16:c:13:cd

DOMAIN TEST-REALM FQDN=test-realm.net SITE=Default-First-Site-Name RC=42

SID=S-1-5-15-3bf5e32-1bf86335-37e52ff9-ffffffff

>DC=TESTDC1(10.134.3.91) ref=3840 time=10 ms (Closest Site)

>DC=TESTDC2(10.134.3.125) ref=2371 time=5 ms (Closest Site)

>DC=NEWDC1(10.204.1.24) ref=3 time=17 ms (Closest Site)

>DC=TESTDC3(10.134.3.90) ref=2249 time=2 ms (Closest Site)

>DC=TESTDC4(10.134.3.126) ref=2610 time=8 ms (Closest Site)

DC=OLDDC1(10.140.16.10) ref=2 time=8 ms (Closest Site)

>DC=NEWDC1(10.200.132.95) ref=4640 time=12 ms (Closest Site)

CIFS Server CELERRA_CIFS_SE[TEST-REALM] RC=9345 (local users supported)

Full computer name=celerra_cifs_server.test-realm.net realm=test-realm.net

Comment='EMC-SNAS:T6.0.51.6'

if=10_134_3_87 l=10.134.3.87 b=10.134.3.255 mac=0:60:16:c:3b:be

  FQDN=celerra_cifs_server.test-realm.net (Updated to DNS)

if=10_200_130_225 l=10.200.130.225 b=10.200.143.255 mac=0:60:16:c:13:cc

  FQDN=celerra_cifs_server.test-realm.net (Updated to DNS)

Password change interval: 0 minutes

Last password change: Tue Nov 20 19:18:52 2007 GMT

Password versions: 2

674 Posts

September 13th, 2016 05:00

The placeholder SMBSERVER is replaced with the real hostname when the datamover is communicating with the DC.

The name is not taken from DNS.

1.2K Posts

September 13th, 2016 12:00

Ahh - good to know, Peter! So I assume this means the poster's NS120 is not communicating with its DC, then?

674 Posts

September 13th, 2016 23:00

@Karl take a look here, it is a while ago, but ... Re: server_cifs results

Yes, not sure if it means not communicating with the SMBSERVER, or not communicating correctly in a DC context.

As this is W2012, is SMB1 enabled on the DCs? Out of the box it is disabled.
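
An added example, not part of the thread and not EMC tooling: a small Python parser for the DC lines of server_cifs output, as quoted in the posts above, that reports per domain which domain controllers still show the *SMBSERVER placeholder instead of a real hostname. The sample text is constructed from lines of the two outputs posted in the thread; the function names parse_dcs and summarize are hypothetical.

```python
import re

PLACEHOLDER = "*SMBSERVER"  # name shown until the data mover has talked to the DC

# Constructed sample: lines taken from the two server_cifs outputs in the thread.
SAMPLE = """\
DOMAIN ADMSK FQDN=OURDOMAIN SITE=0800-Sibir RC=10
DC**SMBSERVER(10.112.99.41) ref=18 time=0 ms (Closest Site)
>DC**SMBSERVER(10.112.99.46) ref=13 time=0 ms (Closest Site)
DOMAIN TEST-REALM FQDN=test-realm.net SITE=Default-First-Site-Name RC=42
>DC=TESTDC1(10.134.3.91) ref=3840 time=10 ms (Closest Site)
DC=OLDDC1(10.140.16.10) ref=2 time=8 ms (Closest Site)
"""

DOMAIN_RE = re.compile(r"^\s*DOMAIN\s+(\S+)\s+FQDN=(\S+)")
# Accepts "DC=NAME(ip)", "DC=*SMBSERVER(ip)" and the "DC**SMBSERVER(ip)" form
# seen in the forum paste, with or without the leading ">" marker.
DC_RE = re.compile(
    r"^\s*>?\s*DC(?:=|\*)(\*?[\w.-]+)\((\d{1,3}(?:\.\d{1,3}){3})\)"
    r"\s+ref=(\d+)\s+time=(\d+)\s*ms"
)

def parse_dcs(text):
    """Return {domain: [{'name', 'ip', 'ref', 'time_ms'}, ...]}."""
    domains, current = {}, None
    for line in text.splitlines():
        m = DOMAIN_RE.match(line)
        if m:
            current = domains.setdefault(m.group(1), [])
            continue
        m = DC_RE.match(line)
        if m and current is not None:
            name, ip, ref, time_ms = m.groups()
            current.append({"name": name, "ip": ip,
                            "ref": int(ref), "time_ms": int(time_ms)})
    return domains

def summarize(text):
    """Per domain: DC count, IPs still on the placeholder, and whether all are."""
    report = {}
    for domain, dcs in parse_dcs(text).items():
        stuck = [d["ip"] for d in dcs if d["name"] == PLACEHOLDER]
        report[domain] = {"total": len(dcs), "placeholder": stuck,
                          "all_placeholder": bool(dcs) and len(stuck) == len(dcs)}
    return report

if __name__ == "__main__":
    for domain, info in summarize(SAMPLE).items():
        print(domain, info)
```

A domain where all_placeholder is true matches the original poster's output, where no DC entry shows a real hostname.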
