November 18th, 2009 23:00

NS600 Celerra access denied issue with Vista

The powers that be supplied us with an image of Microsoft Vista which is not a stock version.

I am receiving DCOM-related errors that say "access denied to "celerra name" from this computer..." (this is when mapping a network drive).

I am thinking the custom version of Vista I have is somehow the issue and not the Celerra, since all other XP machines and other Unix boxes can connect to shares with no problem. I am receiving DCOM errors in relation to this but they do not yield enough specific information on the matter. Would anyone know which services on a Microsoft system are required to run in order to connect, and/or whatever the solution may be? Feel free to give me some guiding questions to better troubleshoot this as well. I am always interested in learning.

BleepingNetwork

15 Posts

November 18th, 2009 23:00

A little more specific to the exact error code.

"" \\ ns600 name" is not accessible. you might not have permissions to use this network resource. contact administrator of this service to find out if you access permissions.

The account is not authorized from this station."

I have tried this with a domain admin account as well.

The Vista machines can access other Microsoft shares.

From AD, when managing the EMC, I get:

Event Type: Failure Audit
Event Source: Security
Event Category: (9)
Event ID: 681
Date:  11/18/2009
Time:  4:35:45 PM
User:  NT AUTHORITY\SYSTEM
Computer: "nS600 name"
Description:
The logon to account: Null Session
by: EMC CIFS WITH KERBEROS
from workstation: "xxx.xxx.xxx.xxx

failed. The error code was: CIFS error: INTERNAL AUTH ERROR


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type: Failure Audit
Event Source: Security
Event Category: (2)
Event ID: 537
Date:  11/18/2009
Time:  4:35:45 PM
User:  NT AUTHORITY\SYSTEM
Computer: "NS600 name"

Description:
Logon Failure:
  Reason:  An error occurred during logon
  User Name: Null Session
  Domain: 
  Logon Type: 3
  Logon Process: CIFS error: INTERNAL AUTH ERROR
  Authentication Package: EMC CIFS WITH KERBEROS
  Workstation Name: xxx.xxx.xxx.xxx
  Status code: %7
  Substatus code: %8
  Caller User Name: %9
  Caller Domain: %10
  Caller Logon ID: %11
  Caller Process ID: %12
  Transited Services: %13
  Source Network Address: %14
  Source Port: %15


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Here is the crazy thing: I am receiving a successful entry as well from the same Vista machine.

Event Type: Success Audit
Event Source: Security
Event Category: (2)
Event ID: 540
Date:  11/18/2009
Time:  4:28:08 PM
User:  correct domain/correct username
Computer: "NS600 name"
Description:
Successful Network Logon:
  User Name: User name
  Domain:  Correct domain

  Logon ID:  0x6a4fe604 - xxx.xxx.xxx.xxx
  Logon Type: 3
  Logon Process: Success
  Authentication Package: EMC CIFS WITH KERBEROS
  Workstation Name: xxx.xxx.xxx.xxx
  Logon GUID: %8
  Caller User Name: %9
  Caller Domain: %10
  Caller Logon ID: %11
  Caller Process ID: %12
  Transited Services: %13
  Source Network Address: %14
  Source Port: %15

What I notice from the final successful entry compared to the unsuccessful entry is a missing domain name. Other than that I am not sure.

674 Posts

November 19th, 2009 03:00

If you want to use null sessions, you have to enable it on the datamover and you need to enable the SeNetworkLogonRight on the datamover.

8.6K Posts

November 19th, 2009 07:00

Did you check the data mover log files?

You probably need a network trace to figure this one out.

One reason could be if the Vista machine is configured to do SMB2 only (and your DART version most probably doesn't do SMB2).

If that's the case then mounting a network share from a XP or Win2k server shouldn't work either.

674 Posts

November 20th, 2009 00:00

Before doing network traces, let's start fixing the time skew issue.

To manually set the time on the datamover do a

server_date server_2

this will give you the actual time of the datamover,

server_date server_2 yymmddhhmm

will set the time.

15 Posts

November 20th, 2009 00:00

I would like to thank you guys on the response! Thanks.

"did you check the data mover log files ?"

Just did, please forgive me, I am learning on this thing as I go. There are many errors showing up; the most prevalent ones are:

Error NETLIB 2:  NIS Server xxx.xxx.xxx.xxx(correct IP of one of the DC's) Can't communicate with portmapper.

Info USRMAP Broadcast timeout, No answer received

Error SMB DC_GetBlob (correct domain name)\(correct EMC netbios name)(correct DC name)\HOST=Miscellaneous failure. Clock skew too great

Error SMB dns_DCLookup::process:: Unable to get any DC from DNS for domain (correct domain name)

Error SECURITY ERROR readGroupsTime group.byname=Can't bind to server which serves this domain. ---------------interesting------------

Info SMB GPO update failed for server (correct EMC Netbios name)

SMB KC_ComputeBlob Cannot create context for HOST/(correct DC info)

Error SMB KC_ComputeBlob Service=HOST/(correct DC info)

Error KERBEROS krb5_locate_srv_conf: Could not resolve any KDC from config file

Error KERBEROS krb5_locate_srv_dns: DNS returned no KDC for service _kerberos at realm(correct domain name)

Error LDAP LDAP authentication: GSS initate security context for target: ldap/(Correct DC.domain) - principal: (correct domain) failed - GSS-API major error: Miscellaneous failure

Error LDAP LDAP authentication: Unable to acquire credentials for principal:(correct domain). - GSS-API major error: Miscellaneous failure

Error LDAP LDAP authentication: Unable to acquire credentials for principal: (Correct EMC name @ Correc domain name) - GSS-API minor error: Clock skew too great

Error LDAP LdapClient::connect: error message: Sasl protocol violation, (error code 99)

Error SMB NT_Access_Credential::RequestFromSID:usr=(Domain\user name) primary nt group not mapped, use unix primary

Error SMB Open&Bind(lsarpc):No DC for Srv=(EMC name) (dxxxxxxx)

Error SMB SmbSessionSetupXMsg::buildWithKerberos: KC_ComputeBlob is unable to build blob 853368 -1767828236 (CIFS error: GSS_S_FAILURE)
Error SMB SSXAK=INVALID_PARAMETER origin=101 stat=0,0

Info SMB Unable to connect to Active Directory server (Correct DC Correct Domain)(xxx.xxx.xxx.xxx), port 389

Error SMB Usr='(Correct domain\correct Domain admin)':NLreadGroupNames: Group Policy Creator Owners SID not mapped=S-1-15(bunch of numbers)

Error SMB Usr=(Correct domain\correct Domain admin):NLreadGroupNames: Schema Admins SID not mapped=S-1-5-15-(bunch of numbers)

Error SMB Usr='(correct domain\Other domain controller)$':NLreadGroupNames: Domain Controllers SID not mapped=S-1-5-15-4(same bunch of numbers)

Error SMB W2KgetInitialDC(0): No DC found domain=(correct domain)

on the correct domain\Other domain controller is because I have 2 of them, the rest of the correct dc's are the new one, this error points to the old DC


you probably need a network trace to figure this one out.

How do I do that?

one reason could be if the Vista machine is configured to do SMB2 only (and your DART version most probably doesn't do SMB2)
If that's the case then mounting a network share from a XP or Win2k server shouldn't work either.

Vista systems are able to access the Server 2003 and XP shares, just not the EMC. XP and Server 2003 are able to access both.

Hope this is understandable, I just copy-pasted and edited the redundant EMC data mover errors. Please help!!! I noticed the time is not syncing. Can I just set the time on the EMC to the same as the DC, for a quick fix until I get the NTP server up? If so, what's the command to change the time? (I have a lot of red tape here on fixing the time server for reasons beyond my control.) Another thing that I am seeing above is a lot of issues with connecting to the domain controller. I have to admit about 3 months ago we had another DC added to the network. I have noticed no problems with any of the other systems connecting. Lastly, on this version of Vista that I have, SNMP is disabled; do I need this on for the Celerra?
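A triage sketch for the data mover messages listed in the post above, added here as an example and not part of the original thread or any EMC tooling. It buckets lines by the message fragments quoted in the post and lists which buckets have hits, clock skew first, since Kerberos rejects tickets when clocks differ beyond the allowed tolerance; the bucket names, the priority order, and the sample hosts (EXAMPLE, NAS01, dc1, 192.0.2.10) are assumptions of the example.

```python
import re
from collections import Counter

# Buckets keyed on message fragments quoted in the post. First match wins,
# so an LDAP error that mentions clock skew is counted as time_skew.
RULES = [
    ("time_skew", re.compile(r"clock skew too great", re.I)),
    ("dc_kdc_discovery", re.compile(
        r"unable to get any DC from DNS|DNS returned no KDC|"
        r"could not resolve any KDC|no DC found|no DC for Srv", re.I)),
    ("nis_usermapper", re.compile(
        r"NIS Server|group\.byname|not mapped|USRMAP", re.I)),
]

# Order in which to work the buckets (an assumption of this example):
# time first, then DC/KDC lookup, then NIS and user mapping.
PRIORITY = ["time_skew", "dc_kdc_discovery", "nis_usermapper"]

def classify(line):
    """Return the bucket name for one log line, or 'other'."""
    for bucket, pattern in RULES:
        if pattern.search(line):
            return bucket
    return "other"

def triage(lines):
    """Count lines per bucket and list the buckets that need attention."""
    counts = Counter(classify(line) for line in lines if line.strip())
    todo = [bucket for bucket in PRIORITY if counts[bucket]]
    return counts, todo

# Constructed sample modelled on the messages in the post (names are placeholders).
SAMPLE = [
    "Error SMB DC_GetBlob EXAMPLE\\NAS01 dc1\\HOST=Miscellaneous failure. Clock skew too great",
    "Error SMB dns_DCLookup::process:: Unable to get any DC from DNS for domain EXAMPLE",
    "Error KERBEROS krb5_locate_srv_dns: DNS returned no KDC for service _kerberos at realm EXAMPLE",
    "Error LDAP LDAP authentication: Unable to acquire credentials for principal: NAS01@EXAMPLE - GSS-API minor error: Clock skew too great",
    "Error NETLIB 2:  NIS Server 192.0.2.10 Can't communicate with portmapper",
    "Error SMB NT_Access_Credential::RequestFromSID:usr=EXAMPLE\\jdoe primary nt group not mapped, use unix primary",
    "Info SMB GPO update failed for server NAS01",
    "Error SMB W2KgetInitialDC(0): No DC found domain=EXAMPLE",
]

if __name__ == "__main__":
    counts, todo = triage(SAMPLE)
    for bucket in todo:
        print(f"{bucket}: {counts[bucket]} line(s)")
    print(f"unclassified: {counts['other']}")
```

Re-running it on a fresh log after each fix shows which class of error is still present.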

15 Posts

November 20th, 2009 00:00

Times on servers, EMC and Vista stations are within a minute of each other.

Tried to log into EMC: same access denied issue.

674 Posts

November 20th, 2009 00:00

what are the server_log messages now?

Did you try a \\IP-Address instead of \\NS600 name?

Which NAS Code Version?

15 Posts

November 20th, 2009 01:00

what are the server_log messages now?

Logs look as follows. From EMC

Time Severity Facility Description
11/20/2009 10:09 Error NETLIB 2:  NIS Server xxx.xxx.xxx.xxxCan't communicate with portmapper
11/20/2009 10:09 Error SMB NT_Access_Credential::RequestFromSID:usr=Domain\Domain Admin primary nt group not mapped, use unix primary
11/20/2009 10:09 Error SECURITY ERROR readGroupsTime group.byname=Can't bind to server which serves this domain
11/20/2009 10:07 Error NETLIB 2:  NIS Server xxx.xxx.xxx.xxx Can't communicate with portmapper
11/20/2009 10:07 Error SECURITY ERROR readGroupsTime group.byname=Can't bind to server which serves this domain
11/20/2009 9:46 Info ADMIN Command succeeded:  usrmapsvc export erase
11/20/2009 9:46 Info ADMIN Command succeeded:  usrmapsvc export
11/20/2009 9:46 Info ADMIN Command succeeded:  usrmapsvc export erase
11/20/2009 9:46 Info ADMIN Command succeeded:  usrmapsvc export
11/20/2009 9:46 Error SMB NT_Access_Credential::RequestFromSID:usr=Domain\Domain Admin primary nt group not mapped, use unix primary
11/20/2009 9:46 Error NETLIB 2:  NIS Server xxx.xxx.xxx.xxx Can't communicate with portmapper
11/20/2009 9:46 Error SECURITY ERROR readGroupsTime group.byname=Can't bind to server which serves this domain
11/20/2009 9:46 Error SMB last message repeated 1 times
11/20/2009 9:45 Error SMB NT_Access_Credential::RequestFromSID:usr=domain\domain admin primary nt group not mapped, use unix primary
11/20/2009 9:45 Error NETLIB 2:  NIS Server xxx.xxx.xxx.xxx Can't communicate with portmapper
11/20/2009 9:45 Error SECURITY ERROR readGroupsTime group.byname=Can't bind to server which serves this domain
11/20/2009 9:43 Error SMB NT_Access_Credential::RequestFromSID:usr=domain\XPworkstation primary nt group not mapped, use unix primary
11/20/2009 9:42 Info KERNEL Time set

EMC logs in Active Directory. There is a POSITIVE difference. There are no longer failures here!!!

Event Type: Success Audit
Event Source: Security
Event Category: (2)
Event ID: 540
Date:  11/20/2009
Time:  9:46:15 AM
User:  Domain\Domain Admin
Computer: EMC NAS NETBIOS NAME
Description:
Successful Network Logon:
  User Name: Domain Admin
  Domain:  Domain
  Logon ID:  0xbb5ee004 - Vista system
  Logon Type: 3
  Logon Process: Success
  Authentication Package: EMC CIFS WITH KERBEROS
  Workstation Name: XXX.XXX.XXX.XXX
  Logon GUID: %8
  Caller User Name: %9
  Caller Domain: %10
  Caller Logon ID: %11
  Caller Process ID: %12
  Transited Services: %13
  Source Network Address: %14
  Source Port: %15


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
===========

Event Type: Success Audit
Event Source: Security
Event Category: (2)
Event ID: 540
Date:  11/20/2009
Time:  10:07:48 AM
User:  Domain\Domain Admin
Computer: EMC NAS NETBIOS NAME
Description:
Successful Network Logon:
  User Name: Domain Admin
  Domain:  Domain
  Logon ID:  0xbb5cd404 - Vista system
  Logon Type: 3
  Logon Process: CIFS
  Authentication Package: EMC NTLMSSP
  Workstation Name: Vista system
  Logon GUID: %8
  Caller User Name: %9
  Caller Domain: %10
  Caller Logon ID: %11
  Caller Process ID: %12
  Transited Services: %13
  Source Network Address: %14
  Source Port: %15


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
================================================
Event Type: Success Audit
Event Source: Security
Event Category: (2)
Event ID: 540
Date:  11/20/2009
Time:  10:07:48 AM
User:  Domain\Domain Admin
Computer: EMC NAS NETBIOS NAME
Description:
Successful Network Logon:
  User Name: Domain Admin
  Domain:  Domain
  Logon ID:  0xbb618204 - Vista system
  Logon Type: 3
  Logon Process: CIFS
  Authentication Package: EMC NTLMSSP
  Workstation Name: Vista System
  Logon GUID: %8
  Caller User Name: %9
  Caller Domain: %10
  Caller Logon ID: %11
  Caller Process ID: %12
  Transited Services: %13
  Source Network Address: %14
  Source Port: %15


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
=============================================

Event Type: Success Audit
Event Source: Security
Event Category: (2)
Event ID: 540
Date:  11/20/2009
Time:  10:09:51 AM
User:  Domain\Domain Admin
Computer: EMC NAS NETBIOS NAME
Description:
Successful Network Logon:
  User Name: Domain Admin
  Domain:  Domain
  Logon ID:  0xbb1ace04 - Vista system
  Logon Type: 3
  Logon Process: CIFS
  Authentication Package: EMC NTLMSSP
  Workstation Name: Vista System
  Logon GUID: %8
  Caller User Name: %9
  Caller Domain: %10
  Caller Logon ID: %11
  Caller Process ID: %12
  Transited Services: %13
  Source Network Address: %14
  Source Port: %15


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Did you try a \\IP-Address instead of \\NS600 name?

When attempting to connect to the NS600 through the IP I get Access denied errors that pop up.

Which NAS Code Version?

5.5

8.6K Posts

November 20th, 2009 02:00

bleepingnetwork wrote:

Which NAS Code Version?

5.5

I think Peter wanted to know the specific version like 5.5.37 to see how old your DART code is.

I would suggest opening a service request.

15 Posts

November 20th, 2009 02:00

I opened one the day before yesterday morning but have not heard back as of yet.

How do I check the specific Version? In the web interface all I see is v 5.5 on the upper right hand corner.

15 Posts

November 20th, 2009 02:00

EMC Celerra File Server Version: T5.5.32.4

Are you using a Windows username which was already successful mapping a share from the NS600 using another client?

Yes, Windows user names, and when prompted I have tried both Windows user names and even the nasadmin account. Both with the "access denied, The account is not authorized from this station."

You should fix your NIS - Usermapper Issues.

I can't agree with you more. Where do we start?

Thanks for your time on this, by the way.

674 Posts

November 20th, 2009 02:00

server_version ALL will give you the version

You should fix your NIS - Usermapper Issues.

Are you using a Windows username which was already successful mapping a share from the NS600 using another client?

15 Posts

November 20th, 2009 03:00

Well, I have isolated the issue to this custom Vista image which I am being forced to use by the powers that be. I tried a system with a stock Vista image and it works fine when connecting to the EMC. Unfortunately I cannot use the stock image for production. So this brings me back to the initial question: which services and protocols are required to connect to the EMC? SMB was mentioned already, what else would I need? I will go ahead and bug the people who made this dang thing again to see just what they changed and if I am allowed to correct it. I will let you all know the outcome.

674 Posts

November 20th, 2009 03:00

11/20/2009 10:09 Error NETLIB 2:  NIS Server xxx.xxx.xxx.xxxCan't communicate with portmapper
11/20/2009 10:09 Error SMB NT_Access_Credential::RequestFromSID:usr=Domain\Domain Admin primary nt group not mapped, use unix primary
11/20/2009 10:09 Error SECURITY ERROR readGroupsTime group.byname=Can't bind to server which serves this domain
11/20/2009 10:07 Error NETLIB 2:  NIS Server xxx.xxx.xxx.xxx Can't communicate with portmapper
11/20/2009 10:07 Error SECURITY ERROR readGroupsTime group.byname=Can't bind to server which serves this domain

I am speaking about the above errors.

Maybe there is no NIS server configured for the domain the user is using; take a look at

server_nis server_2 output


8.6K Posts

November 20th, 2009 03:00

bleepingnetwork wrote:

EMC Celerra File Server Version: T5.5.32.4


You realize that is from January 2007 - almost 3 years old by now?

Unless you haven't changed your AD or clients (like installed hot fixes or service packs) since then, I would advise to upgrade to a current DART revision like 5.5.40 or 5.6.46.
