ONTAP 9.7P22 (End of Limited Support 2025/07/31)
ONTAP 9.8P18 (End of Limited Support 2025/12/31)
ONTAP 9.9.1P15 (End of Limited Support 2026/06/30)
ONTAP 9.10.1P12 (End of Limited Support 2027/01/31)
ONTAP 9.11.1P8 (End of Limited Support 2027/07/31)
ONTAP 9.12.1P2 (End of Limited Support 2028/02/28)
netapp9101::> vserver cifs security modify -vserver svm0 -is-aes-encryption-enabled true
Info: In order to enable CIFS AES encryption, the password for the CIFS server
machine account must be reset. Enter the username and password for the
CIFS domain "ADOSAKANA.LOCAL".
Enter your user ID: administrator
Enter your password:
netapp9101::> vserver cifs security show -fields is-aes-encryption-enabled
vserver        is-aes-encryption-enabled
-------------- -------------------------
Cluster        -
Snapmirror-WAN -
netapp9101     -
netapp9101-01  -
svm0           true
svm2           false
svm3           false
7 entries were displayed.
netapp9101::>
Checking for library nscd : no
Checking for nscd_flush_cache : not found
VFS_STATIC: vfs_default,vfs_not_implemented,vfs_posixacl,vfs_dfs_samba4
VFS_SHARED: vfs_recycle,vfs_audit,vfs_extd_audit,vfs_full_audit,vfs_fake_perms,vfs_default_quota,vfs_readonly,vfs_cap,vfs_expand_msdfs,vfs_shadow_copy,vfs_shadow_copy2,vfs_readahead,vfs_xattr_tdb,vfs_streams_xattr,vfs_streams_depot,vfs_acl_xattr,vfs_acl_tdb,vfs_preopen,vfs_catia,vfs_media_harmony,vfs_unityed_media,vfs_fruit,vfs_shell_snap,vfs_commit,vfs_worm,vfs_crossrename,vfs_linux_xfs_sgid,vfs_time_audit,vfs_offline,vfs_virusfilter,vfs_widelinks,vfs_snapper,vfs_posix_eadb,vfs_syncops,vfs_dirsort,vfs_fileid,vfs_aio_fork,vfs_aio_pthread,vfs_gpfs,vfs_btrfs,vfs_glusterfs_fuse
PDB_STATIC: pdb_smbpasswd,pdb_tdbsam,pdb_samba_dsdb,pdb_ldapsam
PDB_SHARED:
AUTH_STATIC: auth_builtin,auth_sam,auth_winbind,auth_unix,auth_samba4
AUTH_SHARED:
NSS_INFO_STATIC: nss_info_template
NSS_INFO_SHARED:
CHARSET_STATIC:
CHARSET_SHARED:
IDMAP_STATIC: idmap_tdb,idmap_passdb,idmap_nss,idmap_ldap
IDMAP_SHARED: idmap_ad,idmap_rfc2307,idmap_autorid,idmap_rid,idmap_hash,idmap_tdb2,idmap_script
GPEXT_STATIC:
GPEXT_SHARED:
PERFCOUNT_STATIC:
PERFCOUNT_SHARED:
Checking for dbus : not found
vfs_snapper is enabled but prerequisite dbus-1 package not found. Use --with-shared-modules='!vfs_snapper' to disable vfs_snapper support.
(complete log in /root/samba-4.16.3/bin/config.log)
#
Checking for openpty : not found
Checking for library util : yes
Checking for openpty in util : ok
Checking for system installation of Python module markdown : not found
Unable to find Python module 'markdown'. Please install the system package: python3-markdown'.
#
ontap832::> vserver cifs create -cifs-server share226 -domain adosakana.local -vserver share226
In order to create an Active Directory machine account for the CIFS server, you
must supply the name and password of a Windows account with sufficient
privileges to add computers to the "CN=Computers" container within the
ADOSAKANA.LOCAL domain.
Enter the user name: administrator
Enter the password:
Error: Machine account creation procedure failed
[ 12154] Loaded the preliminary configuration.
[ 12332] Created a machine account in the domain
[ 12339] Successfully connected to 172.17.44.49:445 using TCP
[ 12351] Unable to connect to LSA service on
samba.adosakana.local (Error:
RESULT_ERROR_GENERAL_FAILURE)
[ 14357] TCP connection to 172.17.44.141:445 via interface
172.17.44.236 failed: (Operation timed out).
[ 14357] Could not open a socket to 'samba.adosakana.local'
[ 14357] Unable to connect to LSA service on
samba.adosakana.local (Error:
RESULT_ERROR_SPINCLIENT_UNABLE_TO_RESOLVE_SERVER)
[ 14357] No servers available for MS_LSA, vserver: 2, domain:
adosakana.local.
**[ 14357] FAILURE: Unable to make a connection (LSA:adosakana.local),
** result: 6940
[ 14357] Could not find Windows SID
'S-1-5-21-937304154-1581684492-536532533-512'
[ 14381] Deleted existing account
'CN=SHARE226,CN=Computers,DC=adosakana,DC=local'
Error: command failed: Failed to create the Active Directory machine account
"SHARE226". Reason: SecD Error: no server available.
ontap832::>
ontap832::> version -node *
ontap832-01:
NetApp Release 8.3.2P12: Mon Aug 14 02:57:01 UTC 2017
ontap832::>
On ONTAP 8.3.2P12, the "SMB2 Enabled for DC Connections" setting does exist.
ontap832::> vserver cifs security show -vserver share226
Vserver: share226
Kerberos Clock Skew: - minutes
Kerberos Ticket Age: - hours
Kerberos Renewal Age: - days
Kerberos KDC Timeout: - seconds
Is Signing Required: -
Is Password Complexity Required: -
Use start_tls For AD LDAP connection: false
Is AES Encryption Enabled: false
LM Compatibility Level: lm-ntlm-ntlmv2-krb
Is SMB Encryption Required: -
SMB1 Enabled for DC Connections: -
SMB2 Enabled for DC Connections: -
ontap832::>
Change the settings:
ontap832::> vserver cifs security modify -vserver share226 -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true
ontap832::> vserver cifs security show -vserver share226
Vserver: share226
Kerberos Clock Skew: - minutes
Kerberos Ticket Age: - hours
Kerberos Renewal Age: - days
Kerberos KDC Timeout: - seconds
Is Signing Required: -
Is Password Complexity Required: -
Use start_tls For AD LDAP connection: false
Is AES Encryption Enabled: false
LM Compatibility Level: lm-ntlm-ntlmv2-krb
Is SMB Encryption Required: -
SMB1 Enabled for DC Connections: false
SMB2 Enabled for DC Connections: true
ontap832::>
Then join Active Directory:
ontap832::> vserver cifs create -cifs-server share226 -domain adosakana.local -vserver share226
In order to create an Active Directory machine account for the CIFS server, you
must supply the name and password of a Windows account with sufficient
privileges to add computers to the "CN=Computers" container within the
ADOSAKANA.LOCAL domain.
Enter the user name: administrator
Enter the password:
Warning: An account by this name already exists in Active Directory at
CN=SHARE226,CN=Computers,DC=adosakana,DC=local
Ok to reuse this account? {y|n}: y
ontap832::>
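
The check done by eye above (is AES enabled, is SMB1 off and SMB2 on for DC connections) can be scripted over saved "vserver cifs security show" output. This is an added example, not code from the original post or from NetApp; the sample text is abridged from the share226 output on this page, and the WANTED baseline and function names are assumptions made for the example.

```python
# Added example: audit saved "vserver cifs security show" output for the
# three settings this page changes. Sample abridged from the page's output.
SAMPLE_BEFORE = """\
Vserver: share226
Kerberos Clock Skew: - minutes
Is Signing Required: -
Is AES Encryption Enabled: false
LM Compatibility Level: lm-ntlm-ntlmv2-krb
Is SMB Encryption Required: -
SMB1 Enabled for DC Connections: -
SMB2 Enabled for DC Connections: -
"""
SAMPLE_AFTER = (SAMPLE_BEFORE
    .replace("SMB1 Enabled for DC Connections: -", "SMB1 Enabled for DC Connections: false")
    .replace("SMB2 Enabled for DC Connections: -", "SMB2 Enabled for DC Connections: true"))

# Assumed baseline for this example (not a vendor-published policy).
WANTED = {
    "Is AES Encryption Enabled": "true",
    "SMB1 Enabled for DC Connections": "false",
    "SMB2 Enabled for DC Connections": "true",
}

def parse_show(text):
    """Return {vserver: {field: value}} from one or more show blocks."""
    svms, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if "::>" in line or ": " not in line:
            continue  # CLI prompt, blank line, or wrapped text
        label, _, value = line.partition(": ")
        if label == "Vserver":
            current = svms.setdefault(value.strip(), {})
        elif current is not None:
            current[label.strip()] = value.strip()
    return svms

def audit(text):
    """List (vserver, field, actual, wanted) for each deviation from WANTED."""
    findings = []
    for svm, fields in parse_show(text).items():
        for field, wanted in WANTED.items():
            actual = fields.get(field, "<absent>")  # older releases lack some fields
            if actual != wanted:
                findings.append((svm, field, actual, wanted))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_BEFORE):
        print("%s: %s is %r, want %r" % finding)
```

An unset value ("-") is reported as a deviation, which matches the state share226 was in when the first domain join failed.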