3 Posts
0
2057
May 20th, 2016 09:00
Isilon is not authenticating OSX Users at Remote Site
Hello All,
This past weekend something happened and users who had their PCs off over the weekend could no longer access our shared drive off it. However, all users who had their PCs on, myself included, were fine. No errors in Isilon, no errors in AD, no network troubles, nothing. We have nothing to go on with what happened or why.
Our Isilon authenticates via AD. And for those PCs that were off and no longer able to access the shared drive, you would put in any AD credentials that you know should work, and you would get the error of "Wrong network password." It didn't specifically say "wrong username or password" as it would normally, it said "Wrong network password." To add to this, no AD accounts would work, however, the local accounts we have set up did. To troubleshoot, we unjoined and rejoined from the domain, that did nothing. Then my supervisor had the idea of removing the admin account and putting in another one. Doing that fixed the issue (for the majority), and all of us using Windows have not had a problem since.
The remaining problem here is all the OSX users at our remote site can only sporadically access the network share with their AD credentials; sometimes it works and sometimes it doesn't (but as before, the local credentials work). We have a direct site-to-site connection, and they are able to ping and hit Isilon, so the connectivity is there. I intentionally tried with the wrong password multiple times to test authentication and the user account I was trying with never locked out, which should have happened with AD authentication.
Anybody have any ideas on what may have happened and/or what we can do to fix the situation with our OSX users?


addisdaddy20
65 Posts
0
May 20th, 2016 12:00
Hello jlear,
First things first, I would highly recommend a service request to track and troubleshoot this issue to its resolution. Secondly, do you see any difference when you go to the network share by IP address vs. SmartConnect zone name?
If you are able to authenticate by IP and not by name, it sounds very familiar to the following ETA:
https://support.emc.com/kb/301877
SMB/SMB2/SMB3 clients may experience login failures when authenticating through Microsoft AD and the NT LAN Manager Security Support Provider (NTLMSSP). As a result, data residing on EMC Isilon clusters is unavailable to SMB/SMB2/SMB3 clients, causing DU failures.
Authentication failures may also affect clients attempting to access data through HTTP-based protocols, such as RAN.
For additional details, see Microsoft Knowledge Base Article 3002657 and Microsoft Knowledge Base Article 3068457.
It is also worth noting that if you have more than one domain controller (like most companies do), it is possible only one or two of them have these patches installed, so you may need this last KB to verify if these patches are installed on ANY domain controller.
https://support.emc.com/kb/470664
Again, this is all speculative based on the problem description, and I would expect all SMB clients, not just OSX ones, to get this behavior. That being said, again I would open a service request to address this, as we take Data Unavailability pretty seriously.
Regards,
D_Tracy
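One way to run the per-DC check suggested in the post above (an added example, not part of the original post or of the EMC KB articles it links). It assumes the ActiveDirectory RSAT module is installed and that the account running it can query each domain controller remotely; the KB numbers are the ones cited in the post.

```powershell
# Added example: list which domain controllers have the Microsoft updates
# named in the thread installed, so a single patched DC is not overlooked.
Import-Module ActiveDirectory

# KB numbers as cited in the post above.
$kbIds = 'KB3002657', 'KB3068457'

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Fetch the full hotfix list once per DC. Querying by -Id would raise
        # an error for "not installed", which is indistinguishable from an
        # unreachable host inside a catch block.
        $installed = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop
    }
    catch {
        # Report unreachable DCs explicitly instead of silently skipping them.
        [pscustomobject]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            KB               = 'n/a'
            Status           = "query failed: $($_.Exception.Message)"
            InstalledOn      = $null
        }
        continue
    }

    foreach ($kb in $kbIds) {
        # Prefix match so a re-released package with a suffixed ID also counts.
        $hits   = @($installed | Where-Object { $_.HotFixID -like "$kb*" })
        $status = if ($hits.Count -gt 0) { 'installed' } else { 'not installed' }

        [pscustomobject]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            KB               = $kb
            Status           = $status
            InstalledOn      = ($hits | Select-Object -First 1).InstalledOn
        }
    }
}

$report | Sort-Object DomainController, KB | Format-Table -AutoSize
```

The Site column helps match a patched DC to the clients that authenticate through it, and InstalledOn can be compared against the date the logon failures began.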
jlear85
3 Posts
1
May 23rd, 2016 09:00
For anyone who is curious, this was the correct answer. That one hotfix was applied to our backup DC which is used in AD authentication for Isilon. Once that was uninstalled, we still had to change the way they put in their information, but it now works.
addisdaddy20
65 Posts
0
May 23rd, 2016 16:00
Probably a good thing to know also that you can upgrade OneFS to resolve this, as it is a security update to the Microsoft environment that causes this and most likely desired to have it installed at some point. So, from the ETA that is listed above:
This issue is resolved in OneFS 7.1.1.4 and 7.2.0.2.
If you cannot upgrade to OneFS 7.1.1.4 or 7.2.0.2, and if SMB users and services in your environment use NTLM to authenticate to the EMC Isilon cluster and Microsoft security update 30002657 or 30002657-v2 is installed on your AD server, apply the appropriate OneFS patch as indicated in the table below.
| OneFS branch | Patch | Notes |
| 7.2.0.1 | Patch-147684 | This patch deprecates patch-145051. If patch-145051 is installed on your cluster, you must remove it before installing this patch. |
| 7.1.1.2 | Patch-146974 | This patch deprecates the previous SMB rollup patches for this branch of OneFS, patch-145050 and patch-140284. If either of these patches is installed on your cluster, you must remove it before installing this patch. |
| 7.1.0.5 - 7.1.0.6 | Patch-147686 | If you are using OneFS 7.1.0.0, see ETA 173901: Isilon OneFS 7.1.0.0: SMB2 clients cannot connect to the cluster using Kerberos authentication. This patch deprecates the previous SMB rollup patches for this branch of OneFS, patch-145049, patch-145919, and patch-140283. If any of these patches is installed on your cluster, you must remove it before installing this patch. |
| 7.0.2.12 - 7.0.2.13 | Patch-147689 | This patch deprecates the previous SMB rollup patches for this branch of OneFS, patch-145047 and patch-137294. If either of these patches is installed on your cluster, you must remove it before installing this patch. |
| 6.5.5.29 - 6.5.5.30 | Patch-147691 | |
Glad to hear this resolved your issue!