Unsolved
1 Rookie • 18 Posts
May 24th, 2021 10:00
VNX CNAME / ALIASES
Hi,
We have a VNX SAN providing CIFS Shares to Windows clients. It is domain "joined".
Historically we have had a DNS name different to the hostname:
Hostname: abc-123-01x
DNS name: abc-123-01
Drive maps: \\abc-123-01\share1 for example.
Don't ask why, I inherited it. This has been working fine for many years. Now, it just completely stopped working and users are getting prompted for credentials. If they access the shares using the hostname value it works fine.
I've done a bit of looking:
server_cifs ALL -setspn -list
shows only values for the hostname - nothing for the DNS name. I read the docs to say that if using a CNAME you NEED to add relevant SPNs, and if I'm reading that right, no idea how this was ever working.
I'm struggling to find what has caused this to stop working in the first place. Clearly AD authentication is still working otherwise hostname access would be failing as well. I'm currently thinking it's a "Kerberos SPN Mismatch" problem, but again if so no idea why all of a sudden. Nothing has changed in the config.
Any suggestions for next actions?
Thanks very much.
DELL-Josh Cr
Moderator • 9.3K Posts
May 24th, 2021 17:00
Hi,
Did anything else change on the client or storage side? Are you able to change the names to match?
ldoodle
1 Rookie • 18 Posts
May 25th, 2021 04:00
Thanks for the quick reply.
I am not aware that anything else has changed on the client or storage side - highly unlikely as it went AWOL at around midnight on Sunday!
Digging a bit deeper with server_checkup -test CIFS shows over 80 million errors relating to SPN mismatch issues!
Also the domain controller test is failing.
DELL-Sam L
Moderator • 7.6K Posts
May 25th, 2021 08:00
Hello ldoodle,
Here are a few links to some KBs that may be of assistance.
https://dell.to/2RIuM5i
https://dell.to/2RIuM5i
https://dell.to/2RCaNFH
https://dell.to/3bVnxhg
DELL-Josh Cr
Moderator • 9.3K Posts
May 25th, 2021 10:00
Can you log in with an account with those products registered? https://dell.to/3uhQF8R
ldoodle
1 Rookie • 18 Posts
May 25th, 2021 10:00
"This article is permission based. Find another article." for all 4 of them?
ldoodle
1 Rookie • 18 Posts
May 26th, 2021 04:00
Hi,
An update: A domain controller was recently patched to May 2021 (previously Jan 2021) and it turns out the changes in Netlogon since the Feb 2021 patch have caused this issue.
If we override the Netlogon changes with the group policy it now all works again.
However, what still isn't clear is why the VNX hostname access was still working, and only the DNS name access was broken. If the VNX was being rejected from authentication by the Domain Controllers, wouldn't this have affected all authentication and not just when using the DNS name?
I'm aware of Kerberos and "NTLM double hop issues" so perhaps it's this. But considering the DNS name has been in use for many many years, and without the matching SPNs created on the VNX, essentially the setup now with Secure Netlogon enforced, but overridden for the VNXs in AD, is the same state they've been in for years; i.e. Insecure Netlogon with no override because it wasn't needed and no SPNs for the DNS name.
Thanks
DELL-Sam L
Moderator • 7.6K Posts
May 26th, 2021 08:00
Hello ldoodle,
Your patching of your systems earlier in the year has changed some things. What is the current OE that is running on your VNX system? The reason that I ask is that there might be some updates that need to be applied to your VNX system as well.
ldoodle
1 Rookie • 18 Posts
May 26th, 2021 10:00
Thanks - yes it seems that the patching has caused this. This is the Dell article: Dell EMC Unity: NAS Servers displays error "DC cannot open NETLOGON pipe" (User Correctable) and Microsoft article: https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e#theGroupPolicy
However, as I say in the OP, we are not currently sure why this only affected shares using the DNS name and not shares using the VNX host name - we have no SPNs configured on the VNX for the DNS name.
Share using DNS name: \\storage1\share1 = prompted for credentials
Share using VNX hostname: \\vnxstor1\share1 = works ok
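Added example, not from any poster or from Dell: a Windows SMB client requests a Kerberos ticket for cifs/<name as typed>, so a name with no matching SPN falls back to NTLM, which the file server has to validate with a domain controller over the Netlogon secure channel. The check below reports which UNC names have an SPN; the one-SPN-per-line list and the example.local domain are constructed assumptions, not real server_cifs output.

```python
import re

# Service classes that satisfy an SMB client's request for cifs/<name>;
# Active Directory maps cifs onto host by default (sPNMappings).
SMB_CLASSES = {"cifs", "host"}

def unc_host(path):
    # Return the lower-cased server part of a UNC path.
    m = re.match(r"^\\\\([^\\]+)\\", path)
    if not m:
        raise ValueError(f"not a UNC path: {path!r}")
    return m.group(1).lower()

def smb_names(spns):
    # Collect host names that have a cifs/ or host/ SPN registered.
    names = set()
    for spn in spns:
        svc, _, rest = spn.strip().partition("/")
        if svc.lower() in SMB_CLASSES and rest:
            # Drop an optional :port or /service-name suffix.
            names.add(re.split(r"[:/]", rest)[0].lower())
    return names

def classify(paths, spns):
    # Map each UNC path to the authentication protocol the client will end up on.
    known = smb_names(spns)
    return {p: "kerberos" if unc_host(p) in known else "ntlm-fallback"
            for p in paths}

# Constructed sample data using the names from the thread.
SAMPLE_SPNS = [
    "cifs/vnxstor1",
    "cifs/vnxstor1.example.local",
    "host/vnxstor1",
    "host/vnxstor1.example.local",
]
SAMPLE_PATHS = [
    r"\\vnxstor1\share1",
    r"\\storage1\share1",
    r"\\vnxstor1.example.local\share1",
]

if __name__ == "__main__":
    for path, result in classify(SAMPLE_PATHS, SAMPLE_SPNS).items():
        print(f"{path:40} {result}")
```

Names reported as ntlm-fallback are the ones that depend on the server's Netlogon secure channel to the domain controller, so they are the first to break when that channel is refused.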