The link you posted above does not work. What will happen if we disable NTP? How will it impact the filers?
Re: NFS, NTP and NetApp Mode 7
Re: CIFS without Active Directory
You also need to check MTU settings on host and NetApp storage. They need to be matched.
Re: NFS, NTP and NetApp Mode 7
Correct links are https://security.netapp.com/advisory/ntap-20171004-0002/ and https://security.netapp.com/advisory/ntap-20171004-0001/
You should not disable NTP - it will break SMB as the clock drifts and make analysing system incidents more difficult.
Re: LACP recalculation - losing connectivity when port down in LACP
IP fast path will give random connectivity issues if HSRP and NetApp 10Gb ports are in use.
Turning ip.fastpath off fixed it immediately.
CIFS only Domain Admin has Access
We’ve noticed a problem with our NetApp where if we make a change to a user’s groups via NIS the NetApp seems to take days to pick up the change.
This morning we added one of our users to an existing Linux group that’s under NIS control. We updated the NIS maps as normal but then noticed that the user didn’t have access to the files protected by that group.
Looking into this further we can see that the user is in the group on any of our Linux clients, the user is ‘wrae’ and the group is called ‘facilities’:-
$ id wrae
uid=967(wrae) gid=1009(wrae) groups=1009(wrae),851(swrecruit),1012(purchasing),560(facilities),952(managementteammeeting),978(swinterviewfeedback),100(users),561(vpn)
If we lookup the user on the NetApp we get this:-
ukcamsnetapp::*> vserver services name-service getxxbyyy getgrlist -node ukcamsnetapp1 -vserver UKCAM_CIFS -username wrae
pw_name: wrae
Groups: 1009 851 1012 100 978 952 561
*Note that group 560 is missing!
Interestingly if we lookup the group on the NetApp ‘wrae’ is listed as part of the group??:-
ukcamsnetapp::*> vserver services name-service getxxbyyy getgrbyname -node ukcamsnetapp1 -vserver UKCAM_CIFS -groupname facilities
name: facilities
gid: 560
gr_mem: adh cparsons lmurfet jeaves johnlee nhills kgolebiowska istacey kkowaki aroebuck nsakita mgerdauskas nfleet alacel-suchecka dking ksaul cwilson mwalenczykowski bkozak mtarnawska-pysz sbrown rhewson dgelzinyte mmcloughlin wrae
We first noticed this problem about a week ago, when we added a new Linux group and added some users to it. Again the group was visible from our Linux clients but not the NetApp.
We ended up leaving the problem over the weekend and on the Monday (or possibly Tuesday) the problem had fixed itself (the group was now visible from the NetApp).
Is there a time out period for this to happen?
Re: CIFS only Domain Admin has Access
Let me hopefully save you a lot of troubleshooting time, I just went through this exact issue about a month ago.
By default, ONTAP rebuilds its local NIS group database once every 24 hours. You can see this by running the "vserver services name-service nis-domain group-database config show" command in diagnostic mode. You can also see the last build time of the local NIS group database by running the "vserver services name-service nis-domain group-database status" command.
You may want to change the frequency that ONTAP rebuilds this database - it can be done using the "vserver services name-service nis-domain group-database config modify -vserver <vserver_name> -state enabled -build-interval <interval_in_minutes>" command.
Alternatively, you could modify your ns-switch configuration to query NIS first and then local files second using the "vserver services name-service ns-switch modify" commands, supplying the appropriate values.
Finally, here is a KB article that explains it:
Hope that helps!
Donny
Qtree failure to delete
Hello everyone,
Currently we are running NetApp version 7.2.4. On trying to remove the qtree, it fails to delete because the directory is not empty; removed some files, others refused. Tried following https://community.netapp.com/t5/Network-Storage-Protocols-Discussions/Delete-Qtree-Not-Empty/td-p/78103, but still didn't succeed.
Thanks in advance
Help commands
problems, to find the support for the cn1610 team, I need to download the firewall and I also need to delete all the configuration of a single port to leave it default but without affecting the whole team.
Re: Help commands
I'm not exactly certain what you mean by "download the firewall" (if you can elaborate I'll be happy to try to help), but you can find the port configuration commands - and perhaps the answer to your other question - in the CN1610 Administrator's Guide at: https://library.netapp.com/ecm/ecm_download_file/ECMP1117874
Access a CIFS Share from a different domain, failed
I have a user attempting to access a CIFS share from a different domain. The domain is trusted. And the user authenticates to the domain controllers successfully. But then fails when attempting CIFS authentication on the NetApp. Any guidance would be greatly appreciated.
The error message in the Logs:
Login attempt by domain user "***\***" using NTLMv2 style security
[176] Successfully connected to IP *.*.*.*, port 445 using TCP
[360] Successfully authenticated with DC ***.***
[2524] FAILURE: Pass-through authentication failed. (Status: 0xC000005E)
[2524] CIFS authentication failed
[2524] Retry requested, but maximum attempts (3) reached; giving up.
Using AFF300, ONTAP 9.5P3
CIFS is currently using client session security over LDAP set to "Seal".
Re: Access a CIFS Share from a different domain, failed
Hi Shelton,
Error 0xC000005E decodes to STATUS_NO_LOGON_SERVERS.
I would suggest we check a few things as stated below:
To check if the SVM is connected to DCs:
::> set di -c off ; rows 0
::*>vserver cifs domain discovered-servers show -vserver <svm> -node <node_hosting_data_lif>
To check domain trusts:
::*>vserver cifs domain trust show -vserver <svm>
Check creds for the user:
::*> diag secd authentication show-creds -vserver <svm> -node <node_hosting_data_lif> -win-name <domain\user>
Also a secd log and a packet trace would help to further narrow down the issue.
I would suggest opening a ticket with support and sharing the logs for further analysis.
Re: vserver audit Admin share
Hi,
c$ and admin$ are administrative shares and are hidden. Only administrators have access to these shares.
We cannot set share permissions and file security on these shares.
Do you know what we want to audit in these shares?
LACP not recommended for iSCSI?
Is it true what I have been told in the past that LACP in an interface group should not be used for SAN protocols like iSCSI between a NetApp filer and a stack of switches that then connect to servers, and that instead only MPIO should be used to provide resilience to servers connecting to a NetApp SAN using iSCSI?
In other words, when is LACP or the use of Interface Groups not recommended despite being technically possible?
Either way, can you please provide a NetApp based source for what is recommended / not recommended in relation to the above?
Regards: Elliott.
Re: LACP not recommended for iSCSI?
Hi,
Does the note in the middle of page 12 answer your concern?
https://www.netapp.com/us/media/tr-4182.pdf
Gidi
Top 10 NFS Issues and Solutions
This article helps to identify the most common NFS issues and solutions. Provide your valuable feedback if you would like to get an NFS issue included in the sections below. The most common issues can be broken down to the following categories:
Re: CIFS: Mount share on SLES with SMB 2.x does not work
We have the same issue, has there been a resolution?
Re: Unable to access CIFS share by name
So what is the fix for this? We are having this issue as well in our environment.
We have 2008 R2 DCs in one site and 2012 R2 DCs in another. The site with 2012 R2 DCs is not having issues, but the other is.
Any ideas?
Re: Unable to access CIFS share by name
Hi,
I would advise checking whether there is an AD group policy that sets the SMB signing client configuration in combination with setting a default authentication security level for your CIFS vserver. You would need to determine the correct configuration for your environment that enables all clients to connect based on the operating systems you are using. Some links to the docs:
Also, if you are accessing the CIFS vserver via a DNS CNAME alias, ensure you have set an SPN on the AD computer object to ensure clients are able to authenticate via Kerberos rather than reverting to NTLM.
/Matt
Re: CIFS not joining AD domain
After setting
set -privilege advanced, I am unable to run the below command.
qasvm::vserver cifs*> vserver cifs security modify -vserver qasvm -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true
Error: invalid argument "-vserver"
My main purpose is to connect AD to NetApp when SMB1 is disabled and SMB2 is enabled.
Thanks
Siddharth
Re: CIFS not joining AD domain
Try running it at the cluster level, not the "vserver cifs" level. If you are running it while ssh'ed into the vserver level, you will likely need to just leave the "-vserver vservername" section out, because you are already in the vserver.
cluster::> cifs security modify -vserver <vserver> -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true
or
vserver::> cifs security modify -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true