foreword
I have sorted out the reasons for the abnormality of CIFS shared access before:
https://blog.csdn.net/sjj222sjj/article/details/121620403?spm=1001.2014.3001.5501
On the basis of the original, add a special case. Today, another user happened to have this problem. Just sort it out.
Problem:
After the domain control server is upgraded to Windows Server 2016, NetApp's CIFS cannot be accessed normally
Cause Analysis
After the problem occurred, the conventional method of troubleshooting failed to solve the problem. Finally, it was noticed that the SMB protocol at both ends of the NetApp SVM and AD must be consistent. Only when NetApp can normally use AD to pull permissions to provide CIFS services. The SMB1 protocol is disabled by default in the version
Approach
Since it is necessary to keep the SMB protocol at both ends of the NetApp SVM and AD consistent, the corresponding Workround starts from these two sides
Close SMB1 of SVM in NetApp
Enter privileged mode and close SMB1 directly in cifs option
cluster1::> set -privilege advanced
cluster1::*> vserver cifs options modify -vserver vs1.example.com -smb1-enabled false
There are two other points to note:
- Versions prior to ONTAP 9.1 P8 do not have the SMB1 configuration option. If you must configure it, you need to upgrade to ONTAP
- SMB1 is enabled by default in versions before 9.3, and SMB1 is disabled by default starting from ONTAP 9.3
Enable SMB1 on the Domain Control Server
In Windows Server, you can add functions in the UI or add and enable
the direct installation function of the SMB1 interface through PowerShell:
detect and enable in PS
检测:
Get-Item HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {
Get-ItemProperty $_.pspath}
禁用:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
启用:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force
Note: After opening, you need to restart the server. For details, refer to the official KB
https://learn.microsoft.com/zh-cn/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=server#%E6%A6%82%E8%A7%88
postscript
Of course, SMB1 is a very insecure protocol with a large number of known vulnerabilities and risks. The final solution must be to evaluate the clients that are still using this protocol and upgrade to SMB2 and above protocols as soon as possible.