CIFS Times Out When Trying To Authenticate Users In Domain Passthrough Mode

  • 7012572
  • 06-Jun-2013
  • 07-Jun-2013

Environment

Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 3
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 1
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 2

Situation

When authenticating a user from a client, or from the server itself using smbclient, CIFS times out with one of several errors:
ERROR:   Windows cannot access \\Servername_W
ERROR:   Check the spelling of the name.  Otherwise, there might be a problem with your network.
ERROR:   The network path was not found
ERROR:   CRITICAL: AUTH: unable to resolve the netbios name !!
ERROR:   The specified network name is no longer available
ERROR:   protocol negotiation failed: NT_STATUS_IO_TIMEOUT

Resolution

  1. Be sure that time is in sync on both the OES and AD servers.
  2. From a command prompt on the AD server, type the following command:

    nbtstat -A ip.addr.of.adserver
  3. Locate the line that contains <20> in the output and take note of the name.  For example:

    Local Area Connection:
    Node IpAddress: [10.10.21.63] Scope Id: []
    
               NetBIOS Remote Machine Name Table
    
           Name               Type         Status
        ---------------------------------------------
        JOHARMON21     <00>  UNIQUE      Registered
        W2K3R2         <1C>  GROUP       Registered
        W2K3R2         <00>  GROUP       Registered
        JOHARMON21     <20>  UNIQUE      Registered
        W2K3R2         <1B>  UNIQUE      Registered
        W2K3R2         <1E>  GROUP       Registered
        W2K3R2         <1D>  UNIQUE      Registered
        ..__MSBROWSE__.<01>  GROUP       Registered
    
        MAC Address = 00-00-29-98-FE-00
    
  4. Open iManager > File Protocols > CIFS > SELECT YOUR SERVER and then choose AUTHENTICATION under the GENERAL tab.
  5. Be sure to enter the Work Group/Domain information (the NetBIOS name should suffice).
  6. Under PRIMARY DOMAIN CONTROLLER, enter the NAME discovered in step 3 above.  Enter the IP address for the same server in the corresponding field.
  7. Be sure that SMB SIGNATURE, under the GENERAL tab, SERVER sub-menu, is also set to disabled.
  8. Be sure that the name noted in step 3 above is pingable from the OES server.  If it isn't, add an entry to the /etc/hosts file of the OES server to make it resolvable.
  9. On the Active Directory side, be sure the following is set:

    - START > RUN > regedit > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
    - Be sure that both RequireSecuritySignature and EnableSecuritySignature are set to 0 (this turns off SMB signing on the AD server, matching the SMB SIGNATURE setting in step 7)
  10. On the Active Directory side, open a command window and execute the following command:

    - net config server /autodisconnect:65535
  11. Restart CIFS on the OES side.  If debug logging is enabled and OES successfully connects with Active Directory (AD), /var/log/cifs/cifs.log should contain a line like the following:

    - DEBUG: AUTH: DCNC state: SessSetupTconIPC, event: receive tcp, new state: ReadyForClients
  12. Retry the authentication.  It should now work.
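
The checks in steps 3, 8 and 11 can be scripted on the OES server. The following is an added example, not part of the original Novell document; the function names are hypothetical, it assumes the nbtstat output from the AD server has been saved as text, and the sample data is constructed from the rows and log lines shown on this page.

```shell
#!/bin/sh
# Added example, not Novell code. Helpers for steps 3, 8 and 11 above.

# Step 3: read saved `nbtstat -A` output on stdin, print the <20> UNIQUE name.
pdc_name() {
    awk '$2 == "<20>" && $3 == "UNIQUE" { print $1; exit }'
}

# Step 8: succeed if hosts file $3 (default /etc/hosts) maps name $1 to IP $2.
# Comments are stripped and the name comparison is case-insensitive.
hosts_maps() {
    awk -v n="$1" -v ip="$2" '
        { sub(/#.*/, "") }
        $1 == ip { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(n)) found = 1 }
        END { exit !found }' "${3:-/etc/hosts}"
}

# Step 11: print the last "new state" logged on an AUTH: DCNC line in file $1.
# Prints an empty line when no such line exists (debug logging off or no connect).
dcnc_last_state() {
    awk '/AUTH: DCNC state:/ && match($0, /new state: [A-Za-z]+/) {
             s = substr($0, RSTART + 11, RLENGTH - 11) }
         END { print s }' "$1"
}

# Constructed sample input, built from the rows and log lines on this page.
SAMPLE_NBTSTAT='    JOHARMON21     <00>  UNIQUE      Registered
    W2K3R2         <1C>  GROUP       Registered
    JOHARMON21     <20>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered'
SAMPLE_LOG='CRITICAL: AUTH: unable to resolve the netbios name !!
DEBUG: AUTH: DCNC state: SessSetupTconIPC, event: receive tcp, new state: ReadyForClients'

demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_LOG" > "$tmp/cifs.log"
    printf '10.10.21.63 joharmon21\n' > "$tmp/hosts"   # constructed hosts entry
    name=$(printf '%s\n' "$SAMPLE_NBTSTAT" | pdc_name)
    echo "PDC name: $name"
    hosts_maps "$name" 10.10.21.63 "$tmp/hosts" && echo "hosts entry: present"
    echo "DCNC state: $(dcnc_last_state "$tmp/cifs.log")"
    rm -rf "$tmp"
}
demo
```

On a live server, pass the real /var/log/cifs/cifs.log to `dcnc_last_state` and expect `ReadyForClients` after the CIFS restart.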