he Windows client fails to use the DNS server to resolve the N8000 host name

Publication Date:  2012-07-18 Views:  258 Downloads:  0
Issue Description

Related information about the product and version: all N8000 versions.
After a CIFS share is configured, the client added to the domain controller uses the DNS resolution to access the CIFS share but the message indicating the client has insufficient permissions is displayed.
1. Check the CIFS configuration information and share information on the N8000.
n83.CIFS> show
Name Value
---- -----
netbios name n83
ntlm auth yes
allow trusted domains no
homedirfs fs20g
quota 0
idmap backend rid:10000-20000
workgroup OCEANSTOR
security ads
Domain OCEANSTOR.COM
Domain user Administrator
Domain Controller 129.22.48.237
n83.CIFS> share show
ShareName FileSystem ShareOptions
share1g fs1gone owner=root,group=root,rw,noguest
n83.CIFS> share show share1g
ShareName VIP Address
share1g 129.22.20.88
2. Create a host named n83 on the DNS server. The cluster name is also n83. The IP address of the DNS server uses the virtual IP address of the CIFS share, that is, 129.22.20.88.
3. Add the IP address of the DNS server in the local connection properties of a client added to the domain controller. On the client, ping the created host.
C:\Documents and Settings\cifs2>ping n83
Pinging n83.oceanstor.com [129.22.20.88] with 32 bytes of data:
Reply from 129.22.20.88: bytes=32 time=1ms TTL=64
Reply from 129.22.20.88: bytes=32 time<1ms TTL=64
Ping statistics for 129.22.20.88:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
Control-C
^C
C:\Documents and Settings\cifs2>ping n83.oceanstor.com
Pinging n83.oceanstor.com [129.22.20.80] with 32 bytes of data:
Reply from 129.22.20.80: bytes=32 time<1ms TTL=64
Reply from 129.22.20.80: bytes=32 time<1ms TTL=64
Ping statistics for 129.22.20.80:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C
C:\Documents and Settings\cifs2>
4. Use the host name as the part of the path for accessing the CIFS, as shown in the following figure.
<a pic deleted here>
5. Click OK and enter the domain user name and password. The system displays that the network path cannot be provided.
6. Use \\n83\ as the path and enter the domain user name and password. The CIFS share can be viewed but cannot be accessed.

 

Alarm Information
None
Handling Process

Step 1 Use a name rather than the cluster name as the host name of the CIFS share on the DNS server to avoid conflict. In this example, use n83share.

Step 2 On the client added to the domain, use the DNS resolution mode to access the CIFS share. The access succeeds.
Note: Use \\n83share.oceanstor.com\share1g to access the CIFS share. The access also succeeds.

Root Cause

1. Use the Linux on the client and set the DNS address. Access the CIFS share using the user name and password of the domain. The access is successful and read/write permissions of the share are available. The following information is displayed:

N8000:/ # ls -al cifs
total 1
drwxrwxrwx 2 root root 48 Sep 7 15:58 .
drwxr-xr-x 22 root root 536 Oct 8 22:53 ..
N8000:/ # ping n83
ping: unknown host n83
N8000:/ # ping n83.oceanstor.com
PING n83.oceanstor.com (129.22.20.88) 56(84) bytes of data.
64 bytes from 129.22.20.88: icmp_seq=1 ttl=64 time=3.32 ms
64 bytes from 129.22.20.88: icmp_seq=2 ttl=64 time=1.57 ms
--- n83.oceanstor.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 15006ms
rtt min/avg/max/mdev = 1.573/2.447/3.322/0.875 ms
N8000:/ # mount -t cifs //n83.oceanstor.com/_share1g$ /cifs --verbose -o user=cifs1
parsing options: rw,user=cifs1
Password:
mount.cifs kernel mount options unc=//n83.oceanstor.com\_share1g
$,ip=129.22.20.88,pass=huaWEI123,ver=1,rw,user=cifs1
N8000:/ # mount
/dev/hda2 on / type reiserfs (rw,acl,user_xattr)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
debugfs on /sys/kernel/debug type debugfs (rw)
udev on /dev type tmpfs (rw)
devpts on /dev/pts type devpts (rw,mode=0620,gid=5)
shm on /dev/shm type tmpfs (rw,size=2g)
securityfs on /sys/kernel/security type securityfs (rw)
//n83.oceanstor.com/_share1g$ on /cifs type cifs (rw,mand)
N8000:/ # cd /cifs
N8000:/cifs # ls
1.dat 3.dat dirone dirtwo file.txt lost+found
N8000:/cifs # touch 2.dat
N8000:/cifs # ls
1.dat 2.dat 3.dat dirone dirtwo file.txt lost+found
N8000:/cifs #
2. Do the same thing on a Windows client that is not added to the domain controller. It is found that no user name or password is required. The following information is displayed:
C:\Documents and Settings\Administrator>ping n83
Ping request could not find host n83. Please check the name and try again.
C:\Documents and Settings\Administrator>ping n83.oceanstor.com
Pinging n83.oceanstor.com [129.22.20.88] with 32 bytes of data:
Reply from 129.22.20.88: bytes=32 time=1ms TTL=64
Reply from 129.22.20.88: bytes=32 time<1ms TTL=64
Ping statistics for 129.22.20.88:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
Control-C
^C
C:\Documents and Settings\Administrator>
3. Check the information on the domain controller. It is found that the n83 host information exists in the domain computer.
From the preceding analysis, the CIFS module of the N8000 needs to be added to the AD domain when using ADS authentication. Therefore, the n83 host information exists in the domain computer. The data to be resolved by the DNS server conflicts with the data reflected on the domain controller. The client first finds the n83 on the domain computer rather than on the DNS host. Therefore, clients in a domain cannot access the CIFS share by DNS resolution.

Suggestions
1. When the CIFS module uses ADS authentication and the client uses the DNS resolution mode to access the CIFS share, you cannot name the host to be added on the DNS server as the cluster name. Otherwise, the two names conflict and the CIFS share cannot be accessed. It is recommended to use the cluster name + share name as the host name.
2. When the CIFS module uses ADS authentication and the client is not added to the AD domain, no user name or password is required for the access to the CIFS share by DNS resolution. However, insecure elements exist. It is recommended to add the client to the AD domain.
3. If the CIFS module uses user authentication and the client uses DNS resolution to access the CIFS share, the Windows client can use the DNS server to resolve the N8000 host name.

END