Randy,

As far as I know, the MS patch will just require sealing on Netlogon connections.  They will still be allowed.  I had opened a case with NetApp support, and this is not a tunable parameter, it's just built into the patch.  So you should be good.

There is another tunable parameter, "cifs security modify -vserver vserver -aes-enabled-for-netlogon-channel".  You may want to set this to true.  Our Windows engineers warned us that this will be a "next step" in MS's lockdown of auth security.

FWIW, almost all of our clients are <=SMBv3 with Kerberos auth, but we do notice the SVMs themselves make NTLMv2 auth to the domain controllers from time to time (on 9.10.1P12).

Fred

On Friday, July 7, 2023 at 10:58:43 AM EDT, Randy Rue <randyrue@gmail.com> wrote:


Hello All,

We've upgraded our AFF-A220 to 9.13.1 as per https://kb.netapp.com/Support_Bulletins/Customer_Bulletins/SU530

and should be all good to go for next Tuesday's closing of the door on NTLMv2 authentication.

However,

scrb::> vserver cifs session show -vserver sdata -fields auth-mechanism,address,windows-user
node     vserver    session-id           connection-id address         auth-mechanism windows-user
-------- ---------- -------------------- ------------- --------------- -------------- ------------
scrb-a sdata      12223613813613660030 4271015427    10.6.154.156    NTLMv2         FHC\rgrasdue

still shows all of our CIFS connections using NTLMv2 to authenticate (one line is shown of hundreds of connections)

Are we ready for next week's update? Will the auth-mechanism change after we patch our DCs? Or will all our CIFS connections break?

Let us know,

Randy Rue
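
Added example, not part of either message above: because only one of hundreds of session rows is shown, this Python sketch tallies saved `vserver cifs session show` output by auth-mechanism and lists the client addresses and users still on NTLM. The sample rows other than the first are constructed, and the function names are hypothetical.

```python
from collections import Counter, defaultdict

# Constructed sample: only the first data row comes from the post.
SAMPLE = r"""
scrb::> vserver cifs session show -vserver sdata -fields auth-mechanism,address,windows-user
node     vserver    session-id           connection-id address         auth-mechanism windows-user
-------- ---------- -------------------- ------------- --------------- -------------- ------------
scrb-a sdata      12223613813613660030 4271015427    10.6.154.156    NTLMv2         FHC\rgrasdue
scrb-a sdata      12223613813613660031 4271015428    10.6.154.157    Kerberos       FHC\exampleuser1
scrb-b sdata      12223613813613660032 4271015429    10.6.154.156    NTLMv2         FHC\rgrasdue
scrb-b sdata      12223613813613660033 4271015430    10.6.154.158    NTLMv2         -
"""

def parse_sessions(text):
    """Return one dict per session row, keyed by the header's column names."""
    header, rows = None, []
    for line in text.splitlines():
        fields = line.split()
        if header is None:
            # The header is the line whose tokens name the requested columns.
            if "auth-mechanism" in fields and "address" in fields:
                header = fields
            continue
        if not fields or set(line.strip()) <= {"-", " "}:
            continue  # blank line or the dashed rule under the header
        # Split on whitespace; the last column may keep embedded spaces.
        values = line.strip().split(None, len(header) - 1)
        if len(values) == len(header):  # skips trailers such as an entry count
            rows.append(dict(zip(header, values)))
    return rows

def summarize(rows):
    """Count sessions per mechanism and map NTLM client addresses to users."""
    counts = Counter(r["auth-mechanism"] for r in rows)
    ntlm = defaultdict(set)
    for r in rows:
        if r["auth-mechanism"].upper().startswith("NTLM"):
            ntlm[r["address"]].add(r["windows-user"])
    return counts, {addr: sorted(users) for addr, users in ntlm.items()}

if __name__ == "__main__":
    counts, ntlm = summarize(parse_sessions(SAMPLE))
    print(dict(counts))
    for addr, users in sorted(ntlm.items()):
        print(addr, ", ".join(users))
```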