Randy,

As far as I know, the MS patch will just require sealing on Netlogon connections. They will still be allowed. I had opened a case with NetApp support, and this is not a tunable parameter, it's just built into the patch. So you should be good.

There is another tunable parameter, "cifs security modify -vserver vserver -aes-enabled-for-netlogon-channel". You may want to set this to true. Our Windows engineers warned us that this will be a "next step" in MS's lockdown of auth security.

FWIW, almost all of our clients are <=SMBv3 with Kerberos auth, but we do notice the SVMs themselves make NTLMv2 auth to the domain controllers from time to time (on 9.10.1P12).

Fred

On Friday, July 7, 2023 at 10:58:43 AM EDT, Randy Rue randyrue@gmail.com wrote:
Hello All,

We've upgraded our AFF-A220 to 9.13.1 as per https://kb.netapp.com/Support_Bulletins/Customer_Bulletins/SU530 and should be all good to go for next Tuesday's closing of the door on NTLMv2 authentication. However,

scrb::> vserver cifs session show -vserver sdata -fields auth-mechanism,address,windows-user
node     vserver    session-id           connection-id address         auth-mechanism windows-user
-------- ---------- -------------------- ------------- --------------- -------------- ------------
scrb-a   sdata      12223613813613660030 4271015427    10.6.154.156    NTLMv2         FHC\rgrasdue

still shows all of our CIFS connections using NTLMv2 to authenticate (one line is shown of hundreds of connections).

Are we ready for next week's update? Will the auth-mechanism change after we patch our DCs? Or will all our CIFS connections break?

Let us know,

Randy Rue
_______________________________________________
Toasters mailing list
Toasters@teaparty.net
https://www.teaparty.net/mailman/listinfo/toasters