Sun Storage 7000 Unified Storage System: Configuring the ZFSSA for Active Directory with NTLMv2 / Windows Server 2008

Asset ID:	1-71-1402208.1
Update Date:	2012-06-26
Keywords:

Solution Type Technical Instruction Sure

Solution 1402208.1 : Sun Storage 7000 Unified Storage System: Configuring the ZFSSA for Active Directory with NTLMv2 / Windows Server 2008

Applies to:

Sun ZFS Storage 7420 - Version Not Applicable to Not Applicable [Release N/A]
Sun Storage 7210 Unified Storage System - Version Not Applicable to Not Applicable [Release N/A]
Sun Storage 7410 Unified Storage System - Version Not Applicable to Not Applicable [Release N/A]
Sun ZFS Storage 7120 - Version Not Applicable to Not Applicable [Release N/A]
Sun ZFS Storage 7320 - Version Not Applicable to Not Applicable [Release N/A]
7000 Appliance OS (Fishworks)

Goal

Windows Server 2008 introduced a new security check that works in conjunction with NTLMv2. This document explains how to configure the ZFSSA for compatibility with this setting. In addition, the LAN manager compatibility setting is explained in detail.

To discuss this information further with Oracle experts and industry peers, we encourage you to review, join or start a discussion in the My Oracle Support Community - 7000 Series ZFS Appliances

Fix

On the SMB service configuration page, found in the BUI under Configuration / Services /SMB, you will find the setting Lan Manager Compatibility Level. This setting details the versions of the LAN Manager (lanman) protocol accepted and refused, and corresponds to similar settings on Windows/SMB clients and servers. The following describes the behavior at each level:

2 (default) - In Windows workgroup mode, the Solaris CIFS server accepts LM, NTLM, LMv2, and NTLMv2 requests. In domain mode, the SMB redirector on the Solaris CIFS server sends NTLM requests.

3 - In Windows workgroup mode, the Solaris CIFS server accepts LM, NTLM, LMv2, and NTLMv2 requests. In domain mode, the SMB redirector on the Solaris CIFS server sends LMv2 and NTLMv2 requests.

4 - In Windows workgroup mode, the Solaris CIFS server accepts NTLM, LMv2, and NTLMv2 requests. In domain mode, the SMB redirector on the Solaris CIFS server sends LMv2 and NTLMv2 requests.

5 - In Windows workgroup mode, the Solaris CIFS server accepts LMv2 and NTLMv2 requests. In domain mode, the SMB redirector on the Solaris CIFS server sends LMv2 and NTLMv2 requests.

When connecting to a 2008 server, and a Lan Manager setting higher than the default of "2" is required, we run into a compatibility issue that requires a registry change (and a hotfix if the 2008 server is below the R1/Service Pack 2 patch level).

The required registry setting and information on the hotfix can be found in MSKB article #957441. Once the registry setting is set as detailed in this article, the Lan Manager Compatibility Level can be set to "5" and will function as expected.

To clarify, this only affects Windows Server 2008 and is only applicable when the LM Compatibility setting is increased from the default on the DC. This can be worked around by setting a 2003 Server or a single 2008 server with the registry change as the Preferred Domain Controller in Configuration / Services / SMB.

Internal Note: This setting lowers security for the AD Domain and we often find that the customer will not agree to make this registry change. There is currently no solution besides the above registry change or workaround, so if this is the case, the customer will not be able to use the ZFSSA in their Windows Domain. The Development team is working on this in CR #7023098. It is currently targeted for 2011.1.2, but per Oracle policy, we cannot share that with the customer.

Back to <Document 1402353.1> Sun Storage 7000 Unified Storage System: How to Troubleshoot Active Directory Issues.

References

MSKB 957441: http://support.microsoft.com/kb/957441/
@ <BUG:7023098> - DOMAIN JOIN WITH WINDOWS 2008 FAILS WHEN DC LEVEL IS UNKNOWN
<NOTE:1402353.1> - Sun Storage 7000 Unified Storage System: How to Troubleshoot Active Directory Issues

Attachments

This solution has no attachment