Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition
Solution Type: Problem Resolution Sure Solution

1610998.1 : Sun Storage 7000 Unified Storage System: Attempt to Join Active Directory fails after a Change to a New Domain.
Created from <SR 3-8020652141>

Applies to:
Oracle ZFS Storage ZS3-2 - Version All Versions and later
Sun ZFS Storage 7420 - Version All Versions and later
Sun ZFS Storage 7320 - Version All Versions and later
Sun ZFS Storage 7120 - Version All Versions and later
Sun Storage 7410 Unified Storage System - Version All Versions and later
7000 Appliance OS (Fishworks)

Symptoms
Active Directory join succeeded on one head in the cluster and failed on the peer. This particular problem could also cause Active Directory join to fail for BOTH heads.

Changes
Customer migrated systems to a new Active Directory domain with stricter minimum security.

Cause
A Wireshark packet capture showed that the head that was failing to join was attempting to negotiate a lower-security connection than the Domain Controller would accept. There had been a recent Domain Controller change which required Extended Security. This was determined by expanding the SMB header in the detailed packet decode window of Wireshark. The negotiate protocol requests were located using the filter "smb.cmd == 0x72". Checking the options the head was sending to the DC, we found that the negotiate protocol request from the successful join had a flags2 value of 0xc805 and the request from the failed join had a flags2 value of 0xc001.
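The two flags2 values can be compared bit by bit. The following Python sketch is an added example, not part of the Oracle note: it reads Flags2 from an SMB1 Negotiate Protocol header and lists the bits the failing head did not set. The bit names follow the MS-CIFS/MS-SMB header definition, and the sample header bytes are constructed around the two values quoted in the note.

```python
import struct

# SMB1 Flags2 bit names as defined in MS-CIFS / MS-SMB (subset).
FLAGS2_BITS = {
    0x0001: "LONG_NAMES",
    0x0004: "SMB_SECURITY_SIGNATURE",
    0x0010: "SMB_SECURITY_SIGNATURE_REQUIRED",
    0x0040: "IS_LONG_NAME",
    0x0800: "EXTENDED_SECURITY",
    0x1000: "DFS",
    0x4000: "NT_STATUS",
    0x8000: "UNICODE",
}
SMB_COM_NEGOTIATE = 0x72  # same value as the "smb.cmd == 0x72" filter


def negotiate_flags2(smb: bytes) -> int:
    """Return Flags2 from an SMB1 message starting at the 0xFF 'SMB' magic."""
    if len(smb) < 32 or smb[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 header")
    # Layout after the magic: command(1) status(4) flags(1) flags2(2, LE)
    command, _status, _flags, flags2 = struct.unpack_from("<BIBH", smb, 4)
    if command != SMB_COM_NEGOTIATE:
        raise ValueError(f"command 0x{command:02x} is not Negotiate Protocol")
    return flags2


def decode(flags2: int) -> set:
    """Names of the known Flags2 bits that are set."""
    return {name for bit, name in FLAGS2_BITS.items() if flags2 & bit}


def not_offered(working: int, failing: int) -> set:
    """Capabilities the working client advertises but the failing one omits."""
    return decode(working & ~failing)


def sample_header(flags2: int) -> bytes:
    """Constructed 32-byte SMB1 header (not bytes from the page's capture)."""
    fixed = struct.pack("<BIBH", SMB_COM_NEGOTIATE, 0, 0x18, flags2)
    return b"\xffSMB" + fixed + bytes(20)


if __name__ == "__main__":
    good = negotiate_flags2(sample_header(0xC805))  # successful join (from the page)
    bad = negotiate_flags2(sample_header(0xC001))   # failed join (from the page)
    print("failing head did not offer:", sorted(not_offered(good, bad)))
```

The 0x0800 bit is the extended security negotiation flag, which is the setting the smbd/client_extsec property controls on the appliance.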
The workaround was applied using a workflow named "Disable NtlmMinServerSec" that disables extended security. In this case it had been reversed on one head, but not the other.

Solution
Enabled extended security negotiation on the problem head and the join succeeded. It is necessary to engage the Oracle TSC to resolve this issue.
The following command returns false if extended security is disabled:

CLI:> confirm shell svcprop -p smbd/client_extsec smb/server

Extended security can be re-enabled by executing the following commands:

CLI:> confirm shell svccfg -s smb/server setprop smbd/client_extsec=true
CLI:> confirm shell svcadm refresh smb/server