
February 28th, 2017 06:00

VNX 5400 SMB Signing

Windows environment, 2008 domain and functional level. VNX used for block level (VMware) and file level (CIFS). All VNX CIFS servers are joined to the domain.

We got a request from the IT audit team to enable SMB signing on all CIFS servers.

After some research, we found that we have to create AD GPO "Force SMB Signing" -> Microsoft network SERVER: Digitally sign communications (always) Enabled.

I have created a new CIFS server for testing, joined it to the domain, and assigned the "Force SMB Signing" GPO to it, but nothing changed!

I have checked the registry for the test CIFS server and it didn't change (LanmanServer -> Parameters -> RequireSecuritySignature is still 0). When testing the connection from a Windows client machine to the test CIFS server, it still uses an unencrypted connection; I got that by running PowerShell Get-SMBConnection and looking at the "Encrypted" property (it has the value False).

I have waited long enough (12 hrs) to make sure the GPO gets applied, but it didn't.

Question 1: How can I force a VNX CIFS server to update group policies? Something like gpupdate /force on Windows machines.

In another thread a guy said: Does your EMC file server support Group Policy? If so, does it support this policy?

I have looked over that but couldn't find the right information.

Question 2: How can I check if my EMC file server supports Group Policy, specifically Digitally Sign Communications?

Then I changed the registry myself by connecting with regedit from my Windows client to the CIFS server and updating the value of LanmanServer -> Parameters -> RequireSecuritySignature from 0 to 1.

Still the same, unencrypted connection.

I think that I may need to restart the CIFS server for the changes to take effect.

Question 3: How do I restart the test CIFS server itself without affecting other CIFS servers on the VNX? Can I do that? I only found that I can enable/disable the SMB protocol.


I am not familiar with the EMC CLI; whenever I need to check anything I use the GUI. I have tried to SSH to the VNX using PuTTY with the same credentials as for the GUI, and I got access denied!

Question 4: To run VNX commands, do I need anything special, or should just SSHing to the VNX be fine? And are the GUI users different from the CLI users?


Thanks in advance and much appreciated.


790 Posts

February 28th, 2017 06:00

Moved to the VNX community

8.6K Posts

February 28th, 2017 07:00

Just SSH into the control station and use the nasadmin user.

A detailed explanation and the commands are in the Configuring and Managing CIFS on VNX manual, which is available from support.emc.com.

That includes CLI commands to view and update GPOs that aren't available in the GUI.

5 Posts

February 28th, 2017 10:00

Thanks @rainer_emc, that was helpful.

Do you have a handy command to list active SMB connections from within the SSH session?

1.2K Posts

February 28th, 2017 14:00

server_cifs -o audit will provide a lot of detail for each connection. For example:

[nasadmin@testvnx2cs0 ~]$ server_cifs server_2 -o audit|more
server_2 :
|||| AUDIT Ctx=0x011c5d0808, ref=2, W2K3 Client(10.22.2.76) Port=2708/445
||| CTXDATA[LOCALZ] on if=cifs_ctxdata_access_vlan8
||| CurrentDC 0x019a4d7008=LOCALDC1
||| Proto=NT1, Arch=Win2K, RemBufsz=0xffff, LocBufsz=0xffff, popupMsg=1
||| 0 FNN in FNNlist NbUsr=1 NbCnx=1
||| Uid=0x40 NTcred(0x01b2371808 RC=2 KERBEROS Capa=0x2) 'LOCALZ\shelm'
|| Cnxp(0x01569fa408), Name=Appdata, cUid=0x40 Tid=0x40, Ref=1, Aborted=0
| readOnly=0, umask=22, opened files/dirs=0
| Absolute path of the share=\ctxdata2\Appdata
|||| AUDIT Ctx=0x010bf7cc08, ref=2, W2K8 Client(10.22.0.24) Port=59851/445
||| CTXDATA2[LOCALZ] on if=cifs_ctxdata2_access_vlan8
||| CurrentDC 0x0137fcec08=LOCALDC1
||| Proto=SMB2.10, Arch=Win2K, RemBufsz=0xffff, LocBufsz=0xffff, popupMsg=1
||| Client GUID=8f99b287-d40c-11e6-80c5-b499ba03cce6
||| SMB2 credits: Granted=127, Max=500
||| 0 FNN in FNNlist NbUsr=1 NbCnx=1
||| Uid=0x1 NTcred(0x0129e56008 RC=2 KERBEROS Capa=0x2) 'LOCALZ\millrbr'
|| Cnxp(0x0074fcb408), Name=testdata, cUid=0x1 Tid=0x1, Ref=1, Aborted=0
| readOnly=0, umask=22, opened files/dirs=0
| Absolute path of the share=\testdata

Note in the output above, you see an older connection and an SMB2 connection, indicated by the protocol used.

Let us know if that helps!

Karl
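An added example (not from the thread, nor EMC's own tooling) that parses the server_cifs -o audit output Karl shows above into one record per client session and flags the sessions still negotiating the SMB1 dialect (Proto=NT1), which a signing hardening rollout should track first; the embedded sample is an excerpt of that output, trimmed to the lines the parser reads.

```python
import re
from dataclasses import dataclass, field

# Excerpt of the server_cifs -o audit output quoted in the thread above,
# trimmed to the line types this parser reads (the format is the Data Mover's own).
SAMPLE_AUDIT = r"""server_2 :
|||| AUDIT Ctx=0x011c5d0808, ref=2, W2K3 Client(10.22.2.76) Port=2708/445
||| Proto=NT1, Arch=Win2K, RemBufsz=0xffff, LocBufsz=0xffff, popupMsg=1
||| Uid=0x40 NTcred(0x01b2371808 RC=2 KERBEROS Capa=0x2) 'LOCALZ\shelm'
|| Cnxp(0x01569fa408), Name=Appdata, cUid=0x40 Tid=0x40, Ref=1, Aborted=0
|||| AUDIT Ctx=0x010bf7cc08, ref=2, W2K8 Client(10.22.0.24) Port=59851/445
||| Proto=SMB2.10, Arch=Win2K, RemBufsz=0xffff, LocBufsz=0xffff, popupMsg=1
||| Uid=0x1 NTcred(0x0129e56008 RC=2 KERBEROS Capa=0x2) 'LOCALZ\millrbr'
|| Cnxp(0x0074fcb408), Name=testdata, cUid=0x1 Tid=0x1, Ref=1, Aborted=0
"""

# One regex per line type; the number of leading bars marks the nesting level.
AUDIT_RE = re.compile(r"^\|{4} AUDIT Ctx=(?P<ctx>0x[0-9a-f]+),.*? Client\((?P<client>[^)]+)\) Port=(?P<port>\d+)/")
PROTO_RE = re.compile(r"^\|{3} Proto=(?P<proto>[^,]+)")
USER_RE = re.compile(r"^\|{3} Uid=\S+ NTcred\([^)]*?(?P<auth>\S+) Capa=[^)]*\) '(?P<user>[^']+)'")
SHARE_RE = re.compile(r"^\|{2} Cnxp\([^)]*\), Name=(?P<share>[^,]+)")

@dataclass
class Session:
    ctx: str
    client: str
    proto: str = "?"
    auth: str = "?"
    user: str = "?"
    shares: list = field(default_factory=list)

def parse_audit(text):
    """Group audit lines into one Session per '|||| AUDIT' context."""
    sessions = []
    for line in text.splitlines():
        if m := AUDIT_RE.match(line):
            sessions.append(Session(m["ctx"], m["client"]))
        elif not sessions:
            continue  # header such as 'server_2 :' before the first context
        elif m := PROTO_RE.match(line):
            sessions[-1].proto = m["proto"]
        elif m := USER_RE.match(line):
            sessions[-1].auth, sessions[-1].user = m["auth"], m["user"]
        elif m := SHARE_RE.match(line):
            sessions[-1].shares.append(m["share"])
    return sessions

def legacy_sessions(sessions):
    """Sessions still on the SMB1 dialect, which the audit output shows as Proto=NT1."""
    return [s for s in sessions if s.proto == "NT1"]
```

Run it on the full output of server_cifs <mover> -o audit (or of the VDM, as noted later in the thread) to get a per-client list of dialect, authentication type, user and shares.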

5 Posts

March 1st, 2017 04:00

Thanks Karl,

Whenever I run any audit command I get:

total SMB_streamCtx: 0

1.2K Posts

March 1st, 2017 07:00

You want to run the server_cifs command on the primary control station. Normally, running it against server_2 is sufficient, but if you have VDMs, I think you need to run it against each VDM.

Let us know if that helps!

Karl

5 Posts

March 1st, 2017 07:00

Thanks again Karl,

Running the command against the VDM worked fine.

5 Posts

March 1st, 2017 08:00

BTW, I am trying to run the command to update group policy from the SSH session, but it didn't work:

$ server_security server_2 -update -policy gpo domain=xxxxxxx.local

Error 4020: server_2 : failed to complete command

Any advice?

8.6K Posts

March 2nd, 2017 06:00

Look at the Data Mover log via server_log for error details.
