NTLMSSP, SPN and AIX CIFS
Article Number: 266 | Rating: 4/5 from 1 votes | Last Updated: Fri, Jun 15, 2018 11:30 PM
NTLMSSP, SPN and AIX CIFS
Today I had busy time trying to figure out why SMB/CIFS Windows Server 2008 share cannot be mounted in AIX.
AIX # mount -v cifs -n WindowsMachine.re.somewh.ere/sysaccount5/PassWd -o wrkgrp=SOMEGROUP,uid=11345,gid=22345,fmode=750 /projectA$ /tmp/123
There was an error connecting the share or the server.
Make sure the lsdev command shows that device nsmb0 is in
the Available state. Also make sure that the share name,
user name and password are accurate.
Root cause of the problem
NTLMv2 negotiates using the SPN (when the system is joined to AD)
UNIX system joined with incorrect SPN to the AD. (SPN doesn’t match UNIX FQDN)
Symptom
In this case CIFS share can’t be mounted in AIX. (seems like that AIX CIFS package doesn’t support NTLMSSP yet.)
In Linux it can be mounted only with the “sec=ntlmssp” flag:
Linux # mount.cifs //WindowsMachine.re.somewh.ere/projectA$ /tmp/123 -o username=sysaccount5,password=PassWd,domain=SOMEGROUP,sec=ntlmssp
OK
Solution
To fix the situation set the following on Windows Server:
1. Local Security Policy
Security Settings -> Local Policies -> Security Options
Microsoft network server: Server SPN target name validation level: Off
2. Local Security Policy
Security Settings -> Local Policies -> Security Options
Network security: LAN Manager authentication level: Send LM & NTLM responses
For the point 2., I presume that this can be anything eventually, unless that AIX CIFS package indeed doesn’t support NTLMSSP.
If someone can confirm, feel free to comment.
OR rather join UNIX system with correct SPN. Unless it would be a long story for you :-)
Subscribe to Article
Print Article
Email Article to Friend
Export to PDF
Export to MS Word