Symptoms
The customer recently upgraded to 2016 domain controllers.
A GPO is set to require all computers to change the machine account password every 60 days.
The following GPO has been set: "Configure encryption types allowed for Kerberos".
After applying the GPO the CIFS server works fine, but fails to change its own password every 60 days.
The param cifs srvpwd.updtMinutes has been set to change the machine account password every 59 days.
When the CIFS server goes to change its password, it fails and the CIFS server is no longer functional.
When the machine account tries to change its password, the following error is posted in the c4_safe_ktrace.log file: "Kerberos gssError is 'Miscellaneous failure. KDC has no support for encryption type. '. Error message is 0,-1765328370"
Cause
When limiting the Kerberos encryption type to AES and a password reset happens over the netlogon secure channel, CIFS servers might fail to negotiate the machine password with Unity.
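The minor code in the ktrace error quoted under Symptoms can be decoded to confirm that a password-change failure is this encryption type mismatch rather than another Kerberos problem. The script below is an added example, not part of the original article or of any vendor tooling; the function names, the sample log lines and their timestamp layout are constructed, and the code mapping follows the MIT krb5 error table and RFC 4120.

```shell
#!/bin/sh
# Added example: decode Kerberos minor status codes found in a ktrace log.
# MIT krb5 minor codes are the RFC 4120 error number plus a fixed table base,
# so adding 1765328384 to the logged value recovers the protocol error.
KRB5_OFFSET=1765328384

# Map an RFC 4120 error number to its name (subset useful for this symptom).
krb5_name() {
    case "$1" in
        6)  echo KDC_ERR_C_PRINCIPAL_UNKNOWN ;;
        7)  echo KDC_ERR_S_PRINCIPAL_UNKNOWN ;;
        14) echo KDC_ERR_ETYPE_NOSUPP ;;
        23) echo KDC_ERR_KEY_EXPIRED ;;
        24) echo KDC_ERR_PREAUTH_FAILED ;;
        37) echo KRB_AP_ERR_SKEW ;;
        *)  echo UNKNOWN ;;
    esac
}

# Turn one logged minor code into "<number> <name>".
decode_minor() {
    n=$(( $1 + $KRB5_OFFSET ))
    echo "$n $(krb5_name "$n")"
}

# Count decoded codes over every "Error message is <major>,<minor>" line.
scan_ktrace() {
    sed -n 's/.*Error message is [0-9-]*,\(-[0-9][0-9]*\).*/\1/p' "$1" |
    while read -r minor; do decode_minor "$minor"; done |
    sort | uniq -c | sed 's/^ *//'
}

# Constructed sample lines; the timestamp layout is an assumption, and only
# the first message text is taken from the article.
sample_log() {
    cat <<'EOF'
2021-03-01 02:00:01 Kerberos gssError is 'Miscellaneous failure. KDC has no support for encryption type. '. Error message is 0,-1765328370
2021-03-01 02:00:02 unrelated trace line
2021-04-29 02:00:01 Kerberos gssError is 'Miscellaneous failure. KDC has no support for encryption type. '. Error message is 0,-1765328370
2021-04-29 02:05:00 Kerberos gssError is 'Miscellaneous failure. Clock skew too great. '. Error message is 0,-1765328347
EOF
}

tmp=$(mktemp)
sample_log > "$tmp"
scan_ktrace "$tmp"
rm -f "$tmp"
```

Repeated counts of error 14 that line up with the password rotation interval point to the AES-only GPO; other codes such as 37 indicate a different fault.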
Resolution
FIX:
The fix is in the Unity OE 5.1 and newer code.
WORKAROUND:
The following param can be set to make the CIFS server use netlogon instead of kpasswd to set the password.
svc_nas ALL -param -f cifs -m srvpwd.NLupdate -v 0
A reboot of the SP is required.
The VNX also has a param that can be used as a workaround.
server_param server_2 -f cifs -m srvpwd.NLupdate -v 0
[nasadmin@SwedishFish ~]$ server_param server_2 -f cifs -info srvpwd.NLupdate
server_2 :
name = srvpwd.NLupdate
facility_name = cifs
default_value = 1
current_value = 0
configured_value =
user_action = reboot DataMover
change_effective = reboot DataMover
range = (0,1)
description = NA
After setting the param you may need to Unjoin/join the CIFS server one more time.
For VNX systems you will also need to apply the following param.
server_param server_x -f security -m aesSupport -v 1
server_param server_x -f security -m kerbTcpProtocol -v 1