NetApp & Leopard

I’ve stumbled across a problem we’re having accessing filer hosted CIFS shares from Mac OS X Leopard 10.5.1. The Leopard boxes I’ve tried this on are all bound to our Win2k3 Active Directory. If you log into Leopard with your domain credentials and try to access a share on a filer(this happens on all of our filers and all are at 7.x and above), you will be prompted for your password. If you try to access the same CIFS share hosted on a Win2k3 box, you will get right in.

Has anyone else seen this?

Thanks,

--Carl

Gerald,

Thanks for staying on top of this. Burt 283117 is exactly what we’re experiencing.

Vaughn, we run a standard Windows 2003 Active Directory. I’ve tested this against every filer we have, and it always behaves the same. If I recreate one of the shares we have on a filer on a Windows 2003 box, I can log right in using Leopard.

To be fair, this appears to be more a Leopard+Kerberos issue than a problem with OnTap.

--Carl

I run 10.5.2 with CIFS on Data ONTap without any issue.  I would want to know more about the client’s environment before I pointed the finger @ NetApp.

Cheers,
 
Vaughn Stewart | Virtualization Evangelist

From: "Villabroza, Gerald" <geraldv@...>
Organization: Stanford University
Reply-To: <geraldv@...>
Date: Sat, 05 Apr 2008 10:56:25 -0700
To: Barry King <barryking93@...>
Cc: <toasters@...>
Subject: Re: NetApp & Leopard

back on the Leopard and Data ONTAP CIFS train:

As some of us have found, 10.5.2 doesn't play nice with ONTAP cifs.

NetApp has created a BURT:

http://now.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=283117

Its classified as a severity 3 (serious inconvenience) because there's a
work around by passing credentials over NTLM after kerberos fails.

The workaround fails in our environment.  We think its because NTLM
works but we disallow NTLM and only allow kerberos or NTLMv2.

We've heard that the issue is scheduled to be fixed in 7.2.6 slated for
October.

If you have similar issues or if you'd like it fixed earlier, please
open a case and reference the BURT.  The more customers that report the
problem gives them a bigger reason to release a fix sooner.

-=-=-
gerald villabroza <geraldv at stanford.edu <http://stanford.edu>>
technical lead, its storage, stanford university

Barry King wrote:
> At least in my environment, this now partially works in 10.5.2.  Based
> on my experimentation:  What works is doing a "Go -> Connect to Server"
> and punching in cifs://netapp.  What doesn't is trying to browse to it
> over the network.  I'm not sure why one works and the other doesn't.
>
> Regards,
>
> Barry King
>
> On Fri, Feb 8, 2008 at 2:53 PM, Villabroza, Gerald <geraldv@...
> geraldv@...> wrote:
>
>     Patrick,
>
>     Tough to mandate dave or admitmac in a diverse higher education
>     environment.  100's of macs show up after the Christmas holidays and
>     they all expect to use university resources immediately.
>
>     Carl,
>
>     Our understanding from Apple is that the next Leopard update, 10.52,
>     will address the CIFS access issue.  It's in a testing phase now but not
>     available to folks external to Apple.
>
>     -=-=-
>     gerald villabroza <geraldv at stanford.edu <http://stanford.edu>>
>     technical lead, its storage, stanford university
>
>      > -----Original Message-----
>      > From: Patrick van Helden [pvh@...
>     pvh@...]
>      > Sent: Wednesday, January 30, 2008 8:24 AM
>      > To: Carl Howell; Villabroza, Gerald
>      > Cc: toasters@... toasters@...
>      > Subject: RE: NetApp & Leopard
>      >
>      > Hi Guys,
>      >
>      > Why don't you guys use a 3rd party client like "Dave" or "Admitmac"
>      > from Thursby?
>      >
>      > Admitmac even has Windows DFS support
>      >
>      > Regards,
>      >
>      > Patrick van Helden
>      > Databasement BV
>      > pvh@... pvh@...
>      >
>      >
>      >
>      > -----Oorspronkelijk bericht-----
>      > Van: owner-toasters@...
>     owner-toasters@... namens Carl Howell
>      > Verzonden: wo 1/30/2008 15:56
>      > Aan: geraldv@... geraldv@...
>      > CC: toasters@... toasters@...
>      > Onderwerp: RE: NetApp & Leopard
>      >
>      > Gerald,
>      >
>      > Thanks for the feedback, and yes, feel free to reference us.
>      >
>      > --Carl
>      >
>      > -----Original Message-----
>      > From: Villabroza, Gerald [geraldv@...
>     geraldv@...]
>      > Sent: Wednesday, January 30, 2008 8:49 AM
>      > To: Carl Howell
>      > Cc: toasters@... toasters@...
>      > Subject: Re: NetApp & Leopard
>      >
>      > Carl,
>      >
>      > We're experiencing the same issue when accessing DOT 7.2.2 CIFS
>     in Win
>      > 2k3 AD with OS X 10.5.1.
>      >
>      > We've opened a case with Apple and here's what they came back with:
>      >
>      > #####
>      > When a Leopard client opens a session, it sends three mechanisms in
>      > this
>      >
>      > order, KRB5, some OID I don't what it is, and MS KRB5.  The filer
>      > returns an unsupported error.
>      >
>      > Apple thinks DOT is just bailing on the first unsupported mechanism
>     and
>      > not checking the whole list.  Tiger only sent the MS KRB5
>     mechanism so
>      > that is why it works.
>      >
>      > Apple is working on building a test of their kerberos library that
>     puts
>      > MS KRB5 as the first mechanism to validate the hypothesis.
>      > #####
>      >
>      > Leopard can authenticate via K5 against MS WIN 2k3 systems fine
>     in our
>      > environment, just not against DOT.
>      >
>      > Luckily Apple and NetApp are both TSAnet members and can collaborate
>     on
>      > the support case.
>      >
>      > Do you mind if reference your experience at UWF with NetApp and
>     Apple?
>      > And if you don't, do you have a case # with NetApp?
>      >
>      > Its interesting to hear of other hi-ed's with this issue.  Any others
>      > out there?  Like other issues in our space it helps to band together.
>      >
>      > -=-=-
>      > gerald villabroza <geraldv at stanford.edu <http://stanford.edu>>
>      > technical lead, its storage, stanford university
>      >
>      >
>      > Carl Howell wrote:
>      > > I've stumbled across a problem we're having accessing filer hosted
>      > CIFS
>      > > shares from Mac OS X Leopard 10.5.1. The Leopard boxes I've tried
>      > this
>      > > on are all bound to our Win2k3 Active Directory. If you log into
>      > Leopard
>      > > with your domain credentials and try to access a share on a
>      > filer(this
>      > > happens on all of our filers and all are at 7.x and above), you
>     will
>      > be
>      > > prompted for your password. If you try to access the same CIFS
>     share
>      > > hosted on a Win2k3 box, you will get right in.
>      > >
>      > >
>      > >
>      > > Has anyone else seen this?
>      > >
>      > >
>      > >
>      > > Thanks,
>      > >
>      > >
>      > >
>      > > --Carl
>      > >
>      > >
>      > >
>      > >
>      > >
>      > >
>      >
>      >
>      >
>
>
>
>
>
> --
> Barry King
> barryking93@... barryking93@...