NTLMSSP, SPN and AIX CIFS

NTLMSSP, SPN and AIX CIFS

Today I had busy time trying to figure out why SMB/CIFS Windows Server 2008 share cannot be mounted in AIX.

AIX # mount -v cifs -n WindowsMachine.re.somewh.ere/sysaccount5/PassWd -o wrkgrp=SOMEGROUP,uid=11345,gid=22345,fmode=750 /projectA$  /tmp/123
There was an error connecting the share or the server.
Make sure the lsdev command shows that device nsmb0 is in
the Available state.  Also make sure that the share name,
user name and password are accurate.

Root cause of the problem

NTLMv2 negotiates using the SPN (when the system is joined to AD)

UNIX system joined with incorrect SPN to the AD. (SPN doesn’t match UNIX FQDN)

Symptom

In this case CIFS share can’t be mounted in AIX. (seems like that AIX CIFS package doesn’t support NTLMSSP yet.)

In Linux it can be mounted only with the “sec=ntlmssp” flag:

Linux # mount.cifs //WindowsMachine.re.somewh.ere/projectA$ /tmp/123 -o username=sysaccount5,password=PassWd,domain=SOMEGROUP,sec=ntlmssp
OK

Solution

To fix the situation set the following on Windows Server:

1. Local Security Policy
Security Settings -> Local Policies -> Security Options
Microsoft network server: Server SPN target name validation level: Off

2. Local Security Policy
Security Settings -> Local Policies -> Security Options
Network security: LAN Manager authentication level: Send LM & NTLM responses

For the point 2., I presume that this can be anything eventually, unless that AIX CIFS package indeed doesn’t support NTLMSSP.

If someone can confirm, feel free to comment.

OR rather join UNIX system with correct SPN. Unless it would be a long story for you :-)

4 (1)
Article Rating (1 Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
AIX HA / HACMP, System Admin↑ Mountguard
Viewed 7373 times since Mon, Jun 3, 2019
How to check dual path in AIX
Viewed 14479 times since Fri, Jun 8, 2018
AIX, Security, System Admin↑ Generating random passwords
Viewed 3238 times since Fri, Apr 19, 2019
Trick to Purge/Clean Swap Usage on AIX
Viewed 8545 times since Thu, Nov 29, 2018
AIX Different Commands For Paging Space Administration swap file create
Viewed 7741 times since Thu, Aug 1, 2019
List AIX File Systems the Easy Way With the lsvgfs Command
Viewed 2402 times since Thu, Sep 20, 2018
Changing Ethernet Media Speed for AIX
Viewed 3650 times since Tue, Apr 16, 2019
bootlist multiple boot logical volume found
Viewed 2925 times since Tue, Apr 16, 2019
SNAP
Viewed 2224 times since Mon, Sep 17, 2018
IBM AIX multipath I/O (MPIO) resiliency and problem determination
Viewed 14075 times since Wed, May 30, 2018