VNX: VNXe, Dell Unity Users from trusted domain are logged in as guest account or denied access to CIFS servers

When attempting to log in to a domain joined CIFS server from a trusted domain the user is either logged in as local guest or denied access depending on how the environment is configured.

By default the VNXe, VNX, and Unity systems do not accept authentication requests from domains that are not in our trusted domain list that we pull from the domain controller. Instead of attempting to authenticate the user we deny the request immediately without sending the request to the DC. Some settings allow guest logins and the user is logged in as guest, other settings deny the login attempt entirely.

There is a hidden parameter that support can adjust to allow authentication from domains outside of our trusted domain list.

It can be checked wither the user is logging in as guest with the "server_cifs -audit" command.

On VNX/VNX2 run the following command:

server_cifs <DM_or_VDM_name> -o audit

On VNXe/Unity run the following command:

svc_cifssupport <DM_or_VDM_name> -audit

Those commands can be run alone, but it is going to be hard to find the info you want for a specific client due to it dumping the list of sessions for all connected clients on that VDM or physical data mover.

It is easier to read the output if you pipe it to less or grep. You should see something similar to the following if a domain user from a trusted domain is actually being logged in as local guest:

||| SMB2 session Id=0x5a060dd600001b35, 1 channel(s)
||| Uid=0x1b35 NTcred(0x0008aba528 RC=8 NTLMSSP Capa=0x10921) 'Nasserver\guest'
|||| AUDIT Ctx=0x0123ffae748, ref=2,  Client(WINHOST) Port=49507/445
||| NASSERVER[DOMAIN] on if=5_APM0152832907
||| CurrentDC 0x000265d0e8=DC01
||| Proto=SMB2.10, OS 6.1 Build 7601, MaxReadWriteSz=0x100000, MaxTransactSz=0x100000, popupMsg=1
||| SrvCapa=0x7, CltCapa=0x0, SrvSecMode=0x1, CltSecMode=0x1
||| Client GUID=ddc8213d-c727-11e7-95aa-0872a92709
||| SMB2 credits: Granted=31, Max=512
||| 0 FNN in FNNlist NbUsr=1 NbCnx=1
|| Cnxp(0x00afd77eb8), Name=share, cUid=0x12235 Tid=0x2, Ref=1, Aborted=0
| readOnly=0, umask=22, opened files/dirs=1
| types=Global - - - - - CA - -
| Absolute path of the share=\Data\share

The easiest way to get the information would be to grep out the hostname or IP address and put a B1 flag before it or pipe it to less and use "/" to find the appropriate hostname or IP address.

Example:

server_cifs  VDM01 -o audit |grep -B1 -i  WINHOST
||| Uid=0x1b35 NTcred(0x099237ab28 RC=8 NTLMSSP Capa=0x10921) 'Nasserver\guest'  <--- Logged in as local guest
|||| AUDIT Ctx=0x0123ffae748, ref=2,  Client(WINHOST) Port=49507/445

Next check to see if there is a trusted domain in the domain list. VNXe/Dell Unity has a command to accomplish this, but VNX only has an engineering level command to view this information. If you must check the trusted domain list on a VNX, contact support and reference this KB article.

On VNXe/Unity:

root@spa:/cores/service>svc_cifssupport Mon-Nas-server -pdcdump

Mon-Nas-server : commands processed: 1
command(s) succeeded
output is complete

1511808222: SMB: 6: Dump DC for dom='DOMAIN' OrdNum=0
1511808222: SMB: 6: Domain=DOMAIN Next trusted domains update in 574 seconds
1511808222: SMB: 6:  oldestDC:DomCnt=0,2 Time=Mon Nov 27 13:26:54 2017

1511808222: SMB: 6:  Trusted domain info from DC='PEEPS-DC' (325 seconds ago)
1510346666: SMB: 6:   Trusted domain:domain.trusted.com [TRUST]                      <---- Shows trusted domain information
   GUID:fd42399-646d-23a-befc-2c7234b1dbd
1510346666: SMB: 6:    Flags=0x27 Ix=0 Type=0x2 Attr=0x20
1510346666: SMB: 6:    SID=S-1-5-15-222345affa-23454016-7332128
1510346666: SMB: 6:    DC=' '
1510346666: SMB: 6:    Status Flags=0x30 DCStatus=0x0,0

>DC=DC0x0007cc3a98 DC01[DOMAIN](5.6.7.250) ref=4 time(dns)=1 ms LastUpdt=Mon Nov 27 18:42:02 2017
    KrbAccount=NASSERVER$@DOMAIN.COM Status=OK
     AccCred=0x7f9edc48bc98,0x0007d1a988 Buf=0x7f9ef10e7018 L=2677 Flags=0x7
    Pid=0000 Tid=0001 Uid=4004000007d SMB=0x210
    Cnx=SUCCESS,DC request succeeded
    logon=SecureChannelOK 1 SecureChannel(s):
     [NASSERVER] Fid=0x30000001c9 CallID=0x5 Status=SUCCESS/SecureChannelOK
    Capa=0x0 MxBufSz=0xffff MawRwSz=0xffff Nego=0x0000000000,L=0 Chal=0x0000000000,L=0,W2kFlags=0x33fd
    refCount=4 newElectedDC=0x0000000000 forceInvalid=0
    Discovered from: DNS
1511808222: ADMIN: 6: Command succeeded:  pdc dump

If the trusted domain does not show up in the list, most likely the domain controller is not sending us this trust when we send the DsrEnumerateDomainTrusts request to it. This may be able to be corrected on the DC by modifying the trust. Ensure that the trust is set up properly before moving to the solution on the storage end.

VNX/VNXe/Unity side solution:
If the trust is set up the way that it should be for your environment, there is a solution on the storage end to change our default behavior. There is a hidden parameter that can be set to modify how we handle authentication requests from domains that we do not have in our trust list (by default we deny the login attempt without even sending it to the DC if we have no trust in the list for the domain the client is attempting to log in with.)

If this parameter is changed, we no longer deny login attempts without querying the DC if the domain is not present in our trust list. Instead we send the authentication request to the active DC in the CIFS server's local domain as and NTLM authentication attempt and the DC calls whether or not to authenticate the user. If the parameter is changed it may increase traffic to the DC, especially if there are a lot of logins that were previously being immediately denied due to missing domain trusts in our list. Generally the traffic increase is not a problem, but if it becomes one the parameter can be reverted back.