Home » Dell Manuals » Storage Devices » Dell VNX2 » Manual Viewer

Dell VNX2 Configuring and Managing CIFS on VNX VNX1-VNX2 - Page 20

Kerberos SPN Mismatch, password change.

Get Dell VNX2 PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 20 highlights

Concepts Kerberos authentication uses a KDC to confirm the identity of a CIFS server that is attempting to communicate with a domain or trying to access Windows network services. Every computer, server, or client joined to a domain has a unique password associated with a computer account in the active directory (AD). A password authenticates the identity of a CIFS server that attempts to communicate with a domain controller. After you join a CIFS server to a domain or change the computer account password of a CIFS server, Kerberos generates a set of encryption and decryption keys that it shares with the domain controller. When the KDC receives an authentication request from a CIFS server, it performs authentication by decrypting the preauthentication data sent by the Data Mover with the decryption keys. If the decryption succeeds and the preauthentication data is accurate, the CIFS server is authenticated. After a CIFS server is authenticated, the KDC generates an initial ticket called the Ticket-granting Ticket (TGT), as shown in Figure 2 on page 20. The TGT is a special ticket that enables the CIFS server to request services to the KDC. Figure 2 Kerberos authentication CIFS server 1 Domain controller 2 (KDC) 1 Presents key for authentication 2 Verifies CIFS server and provides TGT CNS-000735 The Microsoft website provides a detailed description of Kerberos authentication. For domain configurations with multiple domain controllers, computer accounts and passwords are replicated to all domain controllers during AD replication. Because AD replication occurs at scheduled intervals, a delay in updating all the domain controllers with a new password can occur, possibly causing failed authentication attempts. The Data Mover retains a history of the new and old passwords of each CIFS server. When a Windows client attempts to open a new session with a Data Mover, the service ticket sent by the client is decrypted using the decryption key generated from the CIFS server computer account password. If the decryption fails, another attempt is made by using the key generated from the previous passwords. When a password is updated twice on the same domain controller or on different domain controllers without AD replication, the Data Mover only uses the first password update; it does not recognize the second password change. Set maximum number of passwords to retain in Kerberos authentication on page 66 provides procedural information. Kerberos SPN Mismatch CIFS allows Windows clients to connect to the Data Movers and mount shares. For Windows Server domains, Kerberos authentication is used as an authentication mechanism, although NTLM (pre-Windows 2000) authentication is still available, for backwards compatibility. When Kerberos authentication is not used or fails, the use of NTLM authentication significantly increases the load on the Windows domain controller. In addition, NTLM authentication is not considered to be as secure as Kerberos authentication. The Kerberos Workstream feature addresses this. If Kerberos is not configured correctly, that is, if SPNs do not exist or are out of sync and do not match the DNS hostname entries, the Kerberos authentication fails and the client may revert to NTLM to connect to the Data Mover. If this happens, the user has to be notified to diagnose and fix the issue. 20 EMC VNX Series VNX1, VNX2 Configuring and Managing CIFS on VNX

Section	Page
Contents	3
Preface	7
Introduction	9
System requirements	10
User interface choices	10
Related information	11
Use of the term Windows Server	11
Concepts	13
Active Directory	14
Windows environments	14
DNS servers	14
NTP servers	15
IPv6 best practices	15
Domain migration	15
Domain-joined and stand-alone CIFS servers	16
Network interfaces and CIFS servers	16
CIFS shares	17
International character support	18
Enable internationalization support	18
Quotas	19
Alias	19
Kerberos authentication	19
LDAP signing and encryption	21
Windows 2000 LDAP Registry setting	21
Windows Server 2003 LDAP security policy	22
Combining Windows settings with VNX ldap SecurityLayer	22
User authentication methods	23
User mapping	24
Local user and group accounts	25
Create local user accounts	25
Administrator accounts	27
Guest accounts	27
Other local user accounts	27
Virtual Data Movers	28
Group policy objects	28
GPO support on VNX	29
Support for restricted groups	31
Manage and enforce ACL	31
Delegating joins	32
Home directories	33
Permissions and security	33
Restrictions to using the home directory	35
Alternate data stream support	35
SMB protocol support	36
SMB signing	37
Symbolic links	37
SMB2 support for symbolic links	38
Opportunistic file locking	38
File change notification	39
Event log auto archive	40
SMB 3.0 protocol support	42
SMB 3.0 protocol support for Continuous Availability	42
Performance improvements with Windows 8	43
SMB encryption	45
Offload Copy for File	46
Planning considerations	46
BranchCache	47
SMB Hash File	48
Events generated by the SMB Hash File Generation	49
Performance of SMB hash generation	50
Impact of SMB hash generation	50
Configuring	51
Add a CIFS server to a Windows domain	52
Create a domain account in Active Directory	52
Add a WINS server	52
Start the CIFS service	53
Create a CIFS server for Windows Server environments	53
Join a CIFS server to a Windows domain	55
Join existing computer accounts	55
Verify the configuration	56
Mount a file system for CIFS access	56
Create shares for CIFS users	57
Create a local share	57
Create a global share	58
Create global shares with MMC or Server Manager	58
Verify shares	59
Provide the network password when performing management tasks	60
Create a stand-alone CIFS server	60
Create a CIFS share on MAC OS by using the GUI	61
Create a CIFS share on MAC OS manually	62
Managing	65
Set maximum number of passwords to retain in Kerberos authentication	66
Change the LDAP security level	66
Check the current CIFS configuration	67
Check a CIFS configuration and its dependencies	68
Manage CIFS servers with local users support	69
Enable local user support on a domain CIFS server	69
Enable local user support using Unisphere	70
Change the password for the local Administrator account	70
Access and manage a CIFS server within the same domain	71
Access and manage a stand-alone CIFS server within a workgroup environment	71
Enable the Guest account on a stand-alone server	72
Delete a stand-alone server	72
Rename a NetBIOS name	73
Rename a compname	74
Assign a NetBIOS or computer name alias	75
Add a NetBIOS alias to a CIFS server	75
Add a NetBIOS alias to the NetBIOS name	75
Delete a CIFS server alias	76
Delete a NetBIOS alias	76
View aliases	77
Associate comments with CIFS servers	77
Add comments to a CIFS server in a Windows Server environment	78
Clear comments	78
View comments from the CLI	78
Comment limitations for Windows XP clients	79
Change the CIFS server password	79
Display the SMB2 dialect release	80
Verify the effective SMB dialect for the connected clients	81
Display the number and names of open files	81
Delegate join authority	82
Manage file systems	83
Ensure synchronous writes	83
Turn oplocks off	83
Configure file change notification	84
Stop the CIFS service	85
Delete a CIFS server	85
Delete a CIFS server in a Windows Server environment	86
Delete CIFS shares	87
Delete a specific share	87
Delete all shares	87
Manage domain migration	88
Change the user authentication method	89
Check the user authentication method	89
Leveraging Advanced Functionality	91
Enable and manage home directories	92
Create the database	92
Create the home directory file	92
Add home directories to user profiles	92
Disable home directories on the Data Mover	94
Manage group policy objects	94
Display GPO settings	94
Update GPO settings	95
Disable GPO support	96
Disable GPO caching	97
Disable alternate data streams	98
Configure SMB signing	98
Configure SMB signing with the smbsigning parameter	98
Disable SMB signing on a Data Mover	98
Configure SMB signing with GPOs	99
Configure SMB signing with the Windows Registry	99
Manage SMB2 and SMB3 protocols	101
Enable the SMB2 protocol	101
Enable the SMB3 protocol	101
Configure the Continuous Availability functionality on the Data Mover	102
Disable the SMB2 and SMB3 protocols	103
Create a symbolic link to a file with a relative path	103
Change the default symbolic link behavior	104
Enable symbolic links with target paths to parent directories	104
Enable symbolic links with absolute paths	105
Access symbolic links through CIFS clients	106
Configure automatic computer password changes	107
Change time interval for password changes	108
Change the location of the Windows security log	108
Join a CIFS server to a Windows domain—Advanced Procedures	109
Join a CIFS server to a Windows domain for a disjoint namespace and a delegated join	110
Join a CIFS server to a Windows domain for the same namespace and a delegated join	111
Add the user performing the join to the local administrators group	111
Customize file filtering pop-up messages	111
Troubleshooting	115
EMC E-Lab Interoperability Navigator	116
VNX user customized documentation	116
Known problems and limitations	116
Symbolic link limitations	119
Error messages	120
EMC Training and Professional Services	120
GPO conflict resolution	120
LDAP signing and encryption	122
SMB signing resolution	122
DNS issues	123
MS Event Viewer snap-in	124
Additional Home Directory Information	125
Home directory database format	126
Wildcards	127
Regular expressions	127
Parsing order	128
Guest accounts	129
MMC Snap-ins and Programs	131
Data Mover Management snap-in	132
AntiVirus Management	132
Home Directory Management snap-in	132
Data Mover Security Settings snap-in	132

Match case Limit results 1 per page

Kerberos authentication uses a KDC to confirm the identity of a CIFS server that is

attempting to communicate with a domain or trying to access Windows network services.

Every computer, server, or client joined to a domain has a unique password associated

with a computer account in the active directory (AD). A password authenticates the

identity of a CIFS server that attempts to communicate with a domain controller.

After you join a CIFS server to a domain or change the computer account password of a

CIFS server, Kerberos generates a set of encryption and decryption keys that it shares

with the domain controller. When the KDC receives an authentication request from a CIFS

server, it performs authentication by decrypting the preauthentication data sent by the

Data Mover with the decryption keys. If the decryption succeeds and the pre-

authentication data is accurate, the CIFS server is authenticated. After a CIFS server is

authenticated, the KDC generates an initial ticket called the Ticket-granting Ticket (TGT),

as shown in

Figure 2 on page 20

. The TGT is a special ticket that enables the CIFS server

to request services to the KDC.

Figure 2

Kerberos authentication

CIFS server

Domain controller

(KDC)

Presents key for authentication

Verifies CIFS server and provides TGT

CNS-000735

The Microsoft website provides a detailed description of Kerberos authentication.

For domain configurations with multiple domain controllers, computer accounts and

passwords are replicated to all domain controllers during AD replication. Because AD

replication occurs at scheduled intervals, a delay in updating all the domain controllers

with a new password can occur, possibly causing failed authentication attempts. The

Data Mover retains a history of the new and old passwords of each CIFS server. When a

Windows client attempts to open a new session with a Data Mover, the service ticket sent

by the client is decrypted using the decryption key generated from the CIFS server

computer account password. If the decryption fails, another attempt is made by using the

key generated from the previous passwords. When a password is updated twice on the

same domain controller or on different domain controllers without AD replication, the

Data Mover only uses the first password update; it does not recognize the second

password change.

Set maximum number of passwords to retain in Kerberos authentication on page 66

provides procedural information.

Kerberos SPN Mismatch

CIFS allows Windows clients to connect to the Data Movers and mount shares. For

Windows Server domains, Kerberos authentication is used as an authentication

mechanism, although NTLM (pre-Windows 2000) authentication is still available, for

backwards compatibility.

When Kerberos authentication is not used or fails, the use of NTLM authentication

significantly increases the load on the Windows domain controller. In addition, NTLM

authentication is not considered to be as secure as Kerberos authentication.

The Kerberos Workstream feature addresses this. If Kerberos is not configured correctly,

that is, if SPNs do not exist or are out of sync and do not match the DNS hostname

entries, the Kerberos authentication fails and the client may revert to NTLM to connect to

the Data Mover. If this happens, the user has to be notified to diagnose and fix the issue.

Concepts

EMC VNX Series

VNX1, VNX2

Configuring and Managing CIFS on VNX