PowerScale: SMB authentication using LDAP requires NTLM in OneFS 6.5 and later
Summary: Server Message Block authentication using LDAP requires NTLM in OneFS 6.5 and later.
Symptoms
Issue
SMB users who authenticate using Lightweight Directory Access Protocol (LDAP) can no longer use plaintext passwords. If you use LDAP for SMB authentication in OneFS 6.5 and later, you must use NT LAN Manager (NTLM).
Cause
The SMB protocol does not support LDAP authentication unless NTLM hashes are available in the directory (see Solution below). Most LDAP schemas, including RFC 2307, the most common LDAP schema, lack support for NTLM hashes and therefore cannot be used for SMB authentication.
In OneFS versions earlier than 6.5, users did not need NTLM if they used plaintext passwords. Plaintext passwords allowed authentication against local sources because the server could encrypt the password it received and compare the result to the stored encrypted password. However, plaintext password authentication has been disabled in OneFS 6.5 and later because a plaintext password crosses the network unprotected and is not secure.
This article applies to both Microsoft® Windows® and non-Windows users. SMB is most commonly implemented on Windows. The following section provides information specific to Windows.
How Microsoft Windows handles authentication:
Passwords are not sent over the wire in any recognizable form. Windows clients no longer send plaintext passwords by default. Unless Windows registry changes are made, Windows clients authenticate using one of two methods:
- Active Directory (AD), using Kerberos 5 and LDAP: used if the client is joined to an AD domain and the share path uses a domain-style name (for example, \\server.domain.com\share).
- NTLM (v1 or v2): used if the client is not part of the domain, or the path uses a short name or IP address (for example, \\10.0.3.144\share).
Resolution
Solution
To use LDAP for SMB authentication, you must first ensure that your LDAP schema supports NTLM hashes. Once this is done, you can configure OneFS to read the hash from the proper ntPasswdHash attribute.
OneFS 7.0 and later
1. Confirm that your LDAP schema supports NTLM hashes. If it does not, modify your LDAP settings.
   NOTE: The recommended LDAP solution is ldapsam, because it supports NTLM hashes "out of the box." For information about how to set up ldapsam, see http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#id2593073.
2. From the OneFS web administration interface, click Cluster Management > Access Management > LDAP > <your LDAP server>.
3. Click View details, then click Advanced LDAP settings.
4. In the Windows Password Attribute field, click Edit and verify that the value is set to: sambaNTPassword.
5. Click Submit.
OneFS 6.5 and earlier
1. Confirm that your LDAP schema supports NTLM hashes. If it does not, modify your LDAP settings.
   NOTE: The recommended LDAP solution is ldapsam, because it supports NTLM hashes "out of the box." For information about how to set up ldapsam, see http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#id2593073.
2. From the OneFS web administration interface, click File Sharing > Authentication Source > LDAP.
3. If you are using ldapsam:
   a. In the LDAP Provider Settings section, from the Attribute map list, click ldapsam to populate the ntPasswdHash and user filter fields described in the next steps.
   b. In the LDAP Provider Settings section, click the Show advanced settings link.
   c. Select the ntPasswdHash attribute check box and verify that the value is set to: sambaNTPassword.
   d. Select the user filter check box and verify that the value is set to: (objectClass=sambaSamAccount).
   e. Click Submit.
4. If you are not using ldapsam:
   a. In the LDAP Provider Settings section, click the Show advanced settings link.
   b. Select the ntPasswdHash attribute check box.
   c. Set the ntPasswdHash attribute to the attribute in your LDAP schema that contains the NTLM hashes for the user.
   d. Click Submit.
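Before changing the OneFS provider settings, it helps to confirm that the directory entries actually contain what the ntPasswdHash attribute and user filter described above expect. The following Python script is an added example, not part of this article or of OneFS; it assumes the ldapsam schema (objectClass sambaSamAccount, attribute sambaNTPassword holding a 32-hex-character NT hash) and audits a constructed LDIF export for entries that will and will not be able to authenticate over SMB.

```python
# Added example (not from the Dell KB article): pre-check that LDAP user entries carry the NTLM
# hash OneFS needs for SMB. Assumes the ldapsam schema and a minimal LDIF export of the users.
import re
NT_HASH_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
REQUIRED_CLASS = "sambasamaccount"   # the OneFS user filter (objectClass=sambaSamAccount)
HASH_ATTR = "sambantpassword"        # OneFS ntPasswdHash / Windows Password Attribute

def parse_ldif(text):
    """Parse minimal LDIF (no base64 '::' values, no folded lines) into attribute dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def smb_auth_status(entry):
    """Verdict for one entry, as the OneFS LDAP provider would treat it for SMB/NTLM."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if REQUIRED_CLASS not in classes:
        return "excluded by user filter (objectClass=sambaSamAccount)"
    hashes = entry.get(HASH_ATTR, [])
    if not hashes:
        return "no sambaNTPassword: NTLM authentication will fail"
    if not all(NT_HASH_RE.match(h) for h in hashes):
        return "sambaNTPassword is not a 32-hex NT hash"
    return "ok: NTLM hash available"

def audit(ldif_text):
    return {e["uid"][0]: smb_auth_status(e) for e in parse_ldif(ldif_text)}
# Constructed sample: an ldapsam user, an RFC 2307-only user, and a malformed hash.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: sambaSamAccount
uid: alice
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: bob
userPassword: {SSHA}constructed-placeholder

dn: uid=carol,ou=people,dc=example,dc=com
objectClass: sambaSamAccount
uid: carol
sambaNTPassword: not-a-hash
"""
```

Running audit(SAMPLE_LDIF) reports alice as usable, bob as excluded by the user filter (an RFC 2307 posixAccount with only userPassword), and carol as having an unusable hash value.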
Additional information
For a brief description of authentication in the SMB protocol, see the Microsoft SMB Protocol Authentication page.
For information about NTLM, see the Microsoft NTLM page.