PowerScale: NTLM authentication is disabled when cluster is running in FIPS-compliant mode, after OneFS 9.5

Summary: From OneFS 9.5 onwards, NTLM authentication is disabled when the cluster is operating in FIPS-compliant (Hardening) mode.


Symptoms

In compliance with stricter FIPS requirements, enabling Hardening on a PowerScale cluster running OneFS 9.5 or later disables NTLM authentication. NTLM cannot be re-enabled while Hardening is active, because non-NTLM authentication is a requirement for FIPS compliance in versions 9.5 and later. Consequently, only Kerberos (KRB) authentication is available. This change primarily affects SMB clients but may impact any client that authenticates with NTLM. If clients are not configured for Kerberos authentication before Hardening is enabled, they will experience Data Unavailability (DU), since they can no longer authenticate to the cluster using NTLM.

Cause

From version 9.5 onwards, the cluster will no longer advertise gss-ntlm as an authentication method if Hardening is enabled. This change is intentional and is due to the stricter security requirements for FIPS. The cluster will only advertise gss-krb5 as the available authentication method.

Resolution

It is crucial to ensure that all clients, especially SMB clients, are using Kerberos as their authentication method before enabling Hardening on any cluster running OneFS 9.5 or newer.

For SMB clients, you can check if any currently connected clients are using NTLM by running the following command:
isi_for_array -sX 'isi smb sessions list'

If any currently connected clients are listed in the format of domain\username, they are using NTLM authentication.

MyCluster-6: Lnn  Computer     User
MyCluster-6: --------------------------------------
MyCluster-6: 6    10.60.34.202 MYDOMAIN\Administrator
MyCluster-6: --------------------------------------
MyCluster-6: Total: 1


If any currently connected clients are listed in the format of username@domain.com, they are using Kerberos (KRB) authentication.

MyCluster-6: Lnn  Computer     User
MyCluster-6: ------------------------------------------
MyCluster-6: 6    10.60.34.202 Administrator@MYDOMAIN.COM
MyCluster-6: ------------------------------------------
MyCluster-6: Total: 1
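The check above can be scripted so that NTLM-authenticated sessions are flagged before Hardening is enabled. The following POSIX shell snippet is an added example, not part of the Dell article: it applies the User-column convention the article describes (DOMAIN\user means NTLM, user@REALM means Kerberos) to the output of isi_for_array -sX 'isi smb sessions list'. The session listing embedded in it is constructed sample data; the node name, addresses and user names are placeholders.

```shell
#!/bin/sh
# Added example (not from the Dell article). Classifies SMB sessions from
# 'isi_for_array -sX "isi smb sessions list"' output as NTLM or Kerberos
# using the User-column format the article describes:
#   DOMAIN\user  -> NTLM      (will break once Hardening is enabled)
#   user@REALM   -> Kerberos  (unaffected)
# Constructed sample output; names and addresses are placeholders.
SAMPLE_OUTPUT='MyCluster-6: Lnn  Computer     User
MyCluster-6: --------------------------------------
MyCluster-6: 6    10.60.34.202 MYDOMAIN\Administrator
MyCluster-6: 6    10.60.34.203 svc_backup@MYDOMAIN.COM
MyCluster-6: --------------------------------------
MyCluster-6: Total: 2'

# classify_user USER -> prints "ntlm", "kerberos" or "unknown"
classify_user() {
  case "$1" in
    *\\*) echo ntlm ;;
    *@*)  echo kerberos ;;
    *)    echo unknown ;;
  esac
}

# list_ntlm_sessions: reads session-list output on stdin and prints
# "lnn computer user" for every session whose User contains a backslash.
# Header, separator and Total lines from each node are skipped.
list_ntlm_sessions() {
  awk -F': ' '
    $2 !~ /^(Lnn|-+|Total)/ {
      n = split($2, f, /[ \t]+/)
      if (n >= 3 && index(f[3], "\\") > 0) print f[1], f[2], f[3]
    }'
}

# count_ntlm_sessions: number of NTLM sessions in the sample listing.
count_ntlm_sessions() {
  printf '%s\n' "$SAMPLE_OUTPUT" | list_ntlm_sessions | wc -l | tr -d ' \t'
}

# check_cluster: run the real command on a node and list NTLM sessions.
# Not invoked here; run it on the cluster before enabling Hardening.
check_cluster() {
  isi_for_array -sX 'isi smb sessions list' | list_ntlm_sessions
}
```

Any line printed by check_cluster identifies a client that must be moved to Kerberos before Hardening is enabled; an empty result means no currently connected SMB session is using NTLM.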


For more information regarding Kerberos (KRB) authentication for SMB clients, refer to this resource.

Affected Products

Isilon, PowerScale
Article Properties
Article Number: 000274777
Article Type: Solution
Last Modified: 14 Feb 2025
Version:  2