11.3 Authentication

11.3.1 Configuring AD Server to Support Kerberos Authentication for External Forest Users Using CIFS Client

Error: User authentication failed and not able to login.

Cause: “Kerberos Forest Search Order (KFSO)” is not configured for SMB client connection.

Action: Enable “Kerberos Forest Search Order (KFSO)” for SMB client connection in the Windows client where the user login and also provide the complete DNS name of the OES CIFS server.

For more information on how to configure KFSO, see the following links:

11.3.2 Disabling Kerberos Authentication While the OES Server is being Upgraded to OES 2018 or Later

The clients that are already joined to an AD domain and accessing shares on an OES server as eDirectory users will not be able to map the same shares once the OES server is upgraded to OES 2015 (or later) and joined to the AD domain.

This is because, once the OES server is upgraded to OES 2015 (or later) and joined to the AD domain, the clients would start authenticating to OES CIFS service with Kerberos. As Kerberos authentication is supported only for AD users, the CIFS service would authorize the users as AD users while mapping a share. Therefore, mapping of shares would fail until the eDirectory trustee ACLs are migrated to AD users.

However, mapping will continue to work with eDirectory trustees. In this case (during transition phase to OES 2015 or later), to map OES 2015 (or later) shares as eDirectory users from the same clients, the domain administrator must disable Kerberos as a supported authentication mechanism on the OES 2015 (or later) server. Disabling Kerberos forces the clients to authenticate with the OES 2015 (or later) server using NTLM.

Disabling Kerberos Authentication

You can disable Kerberos authentications against the OES 2015 (or later) server by removing the Service Principals of the OES 2015 (or later) server.

You must perform the following actions on the DC server of the Active Directory domain to which the OES 2015 (or later) server is joined.

NOTE:You can also remove SPNs using the command-line tool Setspn. For more information, see Setspn on the Microsoft TechNet Library.

  1. Open the Active Directory Users and Computers MMC (dsa.msc).

  2. Right-click the computer object of the OES 2015 (or later) server and select Properties from the shortcut menu.

  3. In the properties window, select the Attribute Editor tab.

  4. From the Attributes list, select servicePrincipalName.

  5. Click Edit.

  6. Note down the Values of the Attribute “servicePrincipalName”. You will require them to re-enable Kerberos.

  7. Select a Value, and then click Remove. Repeat the step until you remove all the Values.

  8. Click OK.

  9. Click OK on the Properties window.

Authenticating Using NTLM

If the users are logged in to the clients, they must logout and login again. The changes will be effective only upon the next login.

Now, the clients authenticate to the OES 2015 (or later) server using NTLM. The users can map and access CIFS shares provisioned to them using their eDirectory user credentials.

At this stage, you can map eDirectory trustee ACLs to Active Directory users using NURM.

Migrating eDirectory Trustee ACLs to Active Directory Users and Groups

  1. Ensure that pools and volumes are AD-enabled.

    For more information, see NSS Management Utility (NSSMU) Quick Reference in the OES 2023: NSS File System Administration Guide for Linux.

  2. Point your browser to https://<IP address or the host name of the OES2018 SP1 server>/storm.

  3. Specify the user name or FQDN of the eDirectory administrator in the User Name field, specify the password, then click Login.

  4. Connect to Active Directory by specifying the Active Directory administrator or administrator equivalent user credentials.

  5. Create User Maps to map eDirectory and Active Directory users and groups.

  6. Map User Rights to assign rights to Active Directory users on the NSS resources.

    For more information, see NURM (OES User Rights Map)in the OES 2023: NSS AD Administration Guide.

Re-enabling Kerberos Authentication

Once ACL migration is done, you re-enable Kerberos authentication.

On the DC server, using the String Editor, add the Values of the Attribute “servicePrincipalName” that you have removed earlier.

NOTE:You can also add SPNs using the command-line tool Setspn. For more information, see Setspn on the Microsoft TechNet Library.

Now, the clients authenticate to the OES server using Kerberos. The users can map and access CIFS shares provisioned to them using their Active Directory user credentials.

Recommendations for a Cluster Resource

  1. Join the OES 2015 (or later) node where the cluster resource is running to the Active Directory domain.

    For more information, see Joining the Cluster Node to an Active Directory Domain in the OES 2023: OES Cluster Services for Linux Administration Guide.

  2. AD media upgrade the cluster pool and AD-enable the volume(s).

    For more information, see NSS Media Upgrade in the OES 2023: NSS File System Administration Guide for Linux.

  3. Migrate the ACLs through NURM.

    For more information, see NURM (OES User Rights Map)in the OES 2023: NSS AD Administration Guide.

  4. Join the cluster resource to the Active Directory domain.

    For more information, see Joining the Cluster Resource to an Active Directory Domain in the OES 2023: OES Cluster Services for Linux Administration Guide.

11.3.3 CIFS User Authentication Fails On an NTLMv2 enabled Windows XP Client in the First Attempt

Description: CIFS user authentication from a Windows XP client fails on the first attempt. The second time the user attempts to log in, authentication occurs as expected if NTLMv2 is enabled on Windows XP clients.

Cause: Windows XP sends the client machine name as a domain name. For the second attempt sends the actual domain name.

Action: Pass the user name in domainname\username format.

For example, if you are using net use command to map a CIFS share following is the command you can use.

net use <device name> \\<computer name or IP address>\<share> /user:<DOMAIN>\<USER> <password>

net use * \\192.168.100.1\CIFS_VOL /user:BLR\cifsuser1 <password>

In this example, net use command is used to connect to the share named CIFS_VOL on a computer with IP address 192.168.100.1. The CIFS_VOL share will be mapped to the highest free drive letter [*].

net use e: \\192.168.100.1\CIFS_VOL /user:BLR\cifsuser1 <password>

In this example, net use command is used to connect to the share named CIFS_VOL on a computer with IP address 192.168.100.1. The CIFS_VOL share will be mapped to e: drive.

NOTE:NTLMv2 authentication is enabled by default on Windows 7 workstations.

11.3.4 Password Has Expired

Error: Password has expired.

Cause: Password expiry is set for security purposes. The password has expired.

Action: Reset the password and try to log in again.

11.3.5 User Can Only See Folders Assigned With Public Trustee Rights

Error: Only folders to which the Public trustee has rights are visible.

Cause: If you have logged into a Windows workstation and see folders assigned only with Public Trustee rights, it is either because you have logged in with an incorrect user name or have logged in as a guest user.

Action: Log in with correct credentials.

11.3.6 Authentication Failed Due to Password Mismatch

Cause: The password is incorrect.

Action: Provide the correct password.

OR

Cause: Universal password is not set for the user.

Action: Set the universal password for the user.

OR

Cause: The client and the server have incompatible LMCompatibility level settings.

Action: Check for the LMComaptibility settings. For more information, refer Setting LMCompatibilityLevel.