NetApp erroring with: STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT

I would modify your antivirus policies to not scan files shared over the network. You could potentially have a dozen clients trying to AV scan the same file across the network simultaneously.

So in Windows 2000, 2003, Windows XP, Vista, and 2008, the default behavior is this:

  • Network security: Allow Local System to use computer identity for NTLM
    • Disabled: Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.

But in Windows 7 and 2008 R2 and above, the default behavior was changed to this:

  • Network security: Allow Local System to use computer identity for NTLM
    • Enabled: Services running as Local System that use Negotiate will use the computer identity.

Source: http://technet.microsoft.com/en-us/library/jj852275.aspx

You say that you'd like to avoid a site-wide security option change, but you already made one when you upgraded all clients to Windows 7.

As for why you aren't using Kerberos in the first place, that is an entirely different question that you've not given us enough data to be able to answer. For Kerberos to work, the CIFS service needs a trust relationship with the domain and registered service principal names, and the client must address the service with hostname or FQDN, not IP address.

Are your Filers domain joined? If so, do they have CIFS/* SPNs?


I've come to the end of the run on this one, and now know why it's happening.

In summary:

  • Since Windows 7/2008 the default behaviour for 'LocalSystem' on a client machine changed. Where before it would use a 'null' login, it uses machine accounts for NTLM.

  • Because we are going between two AD forests, Kerberos isn't being used. This is by design. http://technet.microsoft.com/en-us/library/cc960648.aspx "Kerberos authentication uses transparent transitive trust among domains in a forest, but it cannot authenticate between domains in separate forests"

  • Sophos is scanning files 'on access', which is triggered by a rename. For security policy reasons, this includes network drives.

  • Because Sophos is running as LocalSystem, it's presenting the machine account via NTLM to the filer. This account is then rejected with STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, and after 10 retries the filer triggers a lockout.

  • Because of this lockout, subsequent virus scan attempts will stall for 5s per attempt. This is the root of our problem, because our process copies and renames hundreds of files, and after the 10th, each will take 5s.

This leaves us with solutions of:

  • Amend the security policy option as mentioned above: Network Security: Allow Local System to use computer identity for NTLM: Disabled

  • Apply an exclusion in the virus checker for network drives.

  • Merge your separate domain into the same forest, so Kerberos works. (Another option is outlined here: http://xitnotes.wordpress.com/2012/03/29/kerberos-in-an-active-directory-forest-trust-vs-external-trust/ that involves upgrading the relationship between the domains such that Kerberos works again.)

  • Use vfilers, and CIFS-join it to the other domain.

  • There is also an option on the filer to up the number of retries before this lockout occurs - it's a hidden option, and I don't have precise syntax handy.
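An added worked example, not code from anyone in this thread: a PowerShell script for one client that performs the checks the first answer asks for (does the filer have a computer account here, does it carry cifs/ SPNs, will the KDC issue a CIFS ticket for its FQDN), reports the current state of "Network security: Allow Local System to use computer identity for NTLM", and, with -Disable, applies the first fix from the summary. Assumptions: the filer names FILER01 and filer01.other.example are placeholders; the policy is backed by the DWORD UseMachineId under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (1 = Enabled, 0 = Disabled, absent = OS default), which is Microsoft's documented registry mapping for that setting; the NTSTATUS value 0xC0000199 for STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT is from the public NTSTATUS list.

```powershell
# Added example, not from the original thread. Placeholders: FILER01 / filer01.other.example.
# Assumption: the GPO setting "Network security: Allow Local System to use computer identity
# for NTLM" is backed by the DWORD UseMachineId under HKLM\SYSTEM\CurrentControlSet\Control\Lsa
# (1 = Enabled, 0 = Disabled, absent = OS default). Run from an elevated PowerShell prompt.
# The status the filer logs, STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, is NTSTATUS 0xC0000199
# if you need to find it in a network trace.
param(
    [string]$Filer     = 'FILER01',               # sAMAccountName of the filer (without the $)
    [string]$FilerFqdn = 'filer01.other.example', # name clients must use for Kerberos (not an IP)
    [switch]$Disable                              # apply the "Disabled" fix on this client
)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-UseMachineId {
    # Absent value means the OS default applies: Enabled on Windows 7 / 2008 R2 and later,
    # which is exactly the behaviour change the thread describes.
    $v = (Get-ItemProperty -Path $lsaKey -Name UseMachineId -ErrorAction SilentlyContinue).UseMachineId
    if ($null -eq $v) { 'not set (OS default: Enabled on Windows 7/2008 R2 and later)' } else { $v }
}

function Get-CifsSpn {
    # Searches this client's own domain (adsisearcher's default search root). A filer that is
    # joined to a domain in a *different* forest will not be found here, which is the
    # NTLM-fallback situation in the thread.
    $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$Filer`$))"
    $searcher.PropertiesToLoad.Add('servicePrincipalName') | Out-Null
    $result = $searcher.FindOne()
    if (-not $result) { return "no computer account '$Filer' found in this domain" }
    $spns = @($result.Properties['serviceprincipalname']) | Where-Object { $_ -match '^cifs/' }
    if ($spns) { $spns } else { "computer account '$Filer' exists but has no cifs/ SPN" }
}

function Test-CifsTicket {
    # Ask the KDC for a service ticket for the filer's CIFS SPN. A ticket proves Kerberos can
    # be used for this name; a KDC error is what you get when the SPN is unknown to this forest.
    & klist.exe get "cifs/$FilerFqdn" 2>&1 | Select-Object -Last 3
}

"UseMachineId (Allow Local System to use computer identity for NTLM): $(Get-UseMachineId)"
"CIFS SPNs registered for ${Filer}:"
Get-CifsSpn | ForEach-Object { "  $_" }
"Kerberos ticket request for cifs/${FilerFqdn}:"
Test-CifsTicket | ForEach-Object { "  $_" }

if ($Disable) {
    # Option 1 from the summary: make services running as LocalSystem fall back to an
    # anonymous (null) NTLM logon instead of presenting the machine account, so the filer
    # never sees a workstation trust account and never reaches its lockout threshold.
    Set-ItemProperty -Path $lsaKey -Name UseMachineId -Value 0 -Type DWord
    "UseMachineId set to 0 on this client."
    "Note: a domain GPO that sets this option will overwrite the local value at the next refresh;"
    "restart the on-access scanner service, or reboot, so LocalSystem picks up the new setting."
}
```

Run it once without -Disable on an affected Windows 7 client to confirm the three symptoms together (UseMachineId not set, no cifs/ SPN found for the filer in this domain, no Kerberos ticket for its FQDN); if you choose the policy fix, deploy it through the GPO rather than relying on the local registry write, for the reason printed at the end.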