« Return to Thread: NetApp & Leopard
Re: NetApp & Leopard
by Villabroza, Gerald
::
Rate this Message:
NetApp published a BURT (283117) and a p release (7.2.4p9) in response
to how ONTAP deals with Kerberos auth.
See: (http://now.netapp.com/NOW/download/software/ontap/7.2.4P9/)
To be fair, ONTAP works just fine with Leopard in many cases, just not
when MIT Kerberos 5 and NTLMv2 are the only two allowed CIFS
authentication protocols. Environments with weaker security (NTLMv1)
are fine. Tiger works because it sent MS Kerberos first, which ONTAP
knows how to deal with.
Anyone planning on deploying 7.2.4p9? I am, but I've missed my change
window and may have to wait until after mid June (University finals and
graduation time).
-=-=-
gerald villabroza <geraldv at stanford.edu <http://stanford.edu>>
technical lead, its storage, stanford university
Carl Howell wrote:
> Gerald,
>
>
>
> Thanks for staying on top of this. Burt 283117 is exactly what we’re
> experiencing.
>
>
>
> Vaughn, we run a standard Windows 2003 Active Directory. I’ve tested
> this against every filer we have, and it always behaves the same. If I
> recreate one of the shares we have on a filer on a Windows 2003 box, I
> can log right in using Leopard.
>
>
>
> To be fair, this appears to be more a Leopard+Kerberos issue than a
> problem with OnTap.
>
>
>
> --Carl
>
>
>
>
>
> *From:* owner-toasters@...
> [mailto:owner-toasters@...] *On Behalf Of *Vaughn Stewart
> *Sent:* Sunday, April 06, 2008 3:49 PM
> *To:* geraldv@...; Barry King
> *Cc:* toasters@...
> *Subject:* Re: NetApp & Leopard
>
>
>
> I run 10.5.2 with CIFS on Data ONTap without any issue. I would want to
> know more about the client’s environment before I pointed the finger @
> NetApp.
>
> Cheers,
>
> Vaughn Stewart | Virtualization Evangelist
>
>
> ------------------------------------------------------------------------
>
> *From: *"Villabroza, Gerald" <geraldv@...>
> *Organization: *Stanford University
> *Reply-To: *<geraldv@...>
> *Date: *Sat, 05 Apr 2008 10:56:25 -0700
> *To: *Barry King <barryking93@...>
> *Cc: *<toasters@...>
> *Subject: *Re: NetApp & Leopard
>
> back on the Leopard and Data ONTAP CIFS train:
>
> As some of us have found, 10.5.2 doesn't play nice with ONTAP cifs.
>
> NetApp has created a BURT:
>
> http://now.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=283117
> <http://now.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=283117>
>
> Its classified as a severity 3 (serious inconvenience) because there's a
> work around by passing credentials over NTLM after kerberos fails.
>
> The workaround fails in our environment. We think its because NTLM
> works but we disallow NTLM and only allow kerberos or NTLMv2.
>
> We've heard that the issue is scheduled to be fixed in 7.2.6 slated for
> October.
>
> If you have similar issues or if you'd like it fixed earlier, please
> open a case and reference the BURT. The more customers that report the
> problem gives them a bigger reason to release a fix sooner.
>
> -=-=-
> gerald villabroza <geraldv at stanford.edu <http://stanford.edu>>
> technical lead, its storage, stanford university
>
> Barry King wrote:
>> At least in my environment, this now partially works in 10.5.2. Based
>> on my experimentation: What works is doing a "Go -> Connect to Server"
>> and punching in cifs://netapp. What doesn't is trying to browse to it
>> over the network. I'm not sure why one works and the other doesn't.
>>
>> Regards,
>>
>> Barry King
>>
>> On Fri, Feb 8, 2008 at 2:53 PM, Villabroza, Gerald <geraldv@...
>> <mailto:geraldv@...>> wrote:
>>
>> Patrick,
>>
>> Tough to mandate dave or admitmac in a diverse higher education
>> environment. 100's of macs show up after the Christmas holidays and
>> they all expect to use university resources immediately.
>>
>> Carl,
>>
>> Our understanding from Apple is that the next Leopard update, 10.52,
>> will address the CIFS access issue. It's in a testing phase now
> but not
>> available to folks external to Apple.
>>
>> -=-=-
>> gerald villabroza <geraldv at stanford.edu <http://stanford.edu>>
>> technical lead, its storage, stanford university
>>
>> > -----Original Message-----
>> > From: Patrick van Helden [mailto:pvh@...
>> <mailto:pvh@...>]
>> > Sent: Wednesday, January 30, 2008 8:24 AM
>> > To: Carl Howell; Villabroza, Gerald
>> > Cc: toasters@... <mailto:toasters@...>
>> > Subject: RE: NetApp & Leopard
>> >
>> > Hi Guys,
>> >
>> > Why don't you guys use a 3rd party client like "Dave" or "Admitmac"
>> > from Thursby?
>> >
>> > Admitmac even has Windows DFS support
>> >
>> > Regards,
>> >
>> > Patrick van Helden
>> > Databasement BV
>> > pvh@... <mailto:pvh@...>
>> >
>> >
>> >
>> > -----Oorspronkelijk bericht-----
>> > Van: owner-toasters@...
>> <mailto:owner-toasters@...> namens Carl Howell
>> > Verzonden: wo 1/30/2008 15:56
>> > Aan: geraldv@... <mailto:geraldv@...>
>> > CC: toasters@... <mailto:toasters@...>
>> > Onderwerp: RE: NetApp & Leopard
>> >
>> > Gerald,
>> >
>> > Thanks for the feedback, and yes, feel free to reference us.
>> >
>> > --Carl
>> >
>> > -----Original Message-----
>> > From: Villabroza, Gerald [mailto:geraldv@...
>> <mailto:geraldv@...>]
>> > Sent: Wednesday, January 30, 2008 8:49 AM
>> > To: Carl Howell
>> > Cc: toasters@... <mailto:toasters@...>
>> > Subject: Re: NetApp & Leopard
>> >
>> > Carl,
>> >
>> > We're experiencing the same issue when accessing DOT 7.2.2 CIFS
>> in Win
>> > 2k3 AD with OS X 10.5.1.
>> >
>> > We've opened a case with Apple and here's what they came back with:
>> >
>> > #####
>> > When a Leopard client opens a session, it sends three mechanisms in
>> > this
>> >
>> > order, KRB5, some OID I don't what it is, and MS KRB5. The filer
>> > returns an unsupported error.
>> >
>> > Apple thinks DOT is just bailing on the first unsupported mechanism
>> and
>> > not checking the whole list. Tiger only sent the MS KRB5
>> mechanism so
>> > that is why it works.
>> >
>> > Apple is working on building a test of their kerberos library that
>> puts
>> > MS KRB5 as the first mechanism to validate the hypothesis.
>> > #####
>> >
>> > Leopard can authenticate via K5 against MS WIN 2k3 systems fine
>> in our
>> > environment, just not against DOT.
>> >
>> > Luckily Apple and NetApp are both TSAnet members and can
> collaborate
>> on
>> > the support case.
>> >
>> > Do you mind if reference your experience at UWF with NetApp and
>> Apple?
>> > And if you don't, do you have a case # with NetApp?
>> >
>> > Its interesting to hear of other hi-ed's with this issue. Any
> others
>> > out there? Like other issues in our space it helps to band
> together.
>> >
>> > -=-=-
>> > gerald villabroza <geraldv at stanford.edu <http://stanford.edu>>
>> > technical lead, its storage, stanford university
>> >
>> >
>> > Carl Howell wrote:
>> > > I've stumbled across a problem we're having accessing filer
> hosted
>> > CIFS
>> > > shares from Mac OS X Leopard 10.5.1. The Leopard boxes I've tried
>> > this
>> > > on are all bound to our Win2k3 Active Directory. If you log into
>> > Leopard
>> > > with your domain credentials and try to access a share on a
>> > filer(this
>> > > happens on all of our filers and all are at 7.x and above), you
>> will
>> > be
>> > > prompted for your password. If you try to access the same CIFS
>> share
>> > > hosted on a Win2k3 box, you will get right in.
>> > >
>> > >
>> > >
>> > > Has anyone else seen this?
>> > >
>> > >
>> > >
>> > > Thanks,
>> > >
>> > >
>> > >
>> > > --Carl
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> >
>> >
>> >
>>
>>
>>
>>
>>
>> --
>> Barry King
>> barryking93@... <mailto:barryking93@...>
>
to how ONTAP deals with Kerberos auth.
See: (http://now.netapp.com/NOW/download/software/ontap/7.2.4P9/)
To be fair, ONTAP works just fine with Leopard in many cases, just not
when MIT Kerberos 5 and NTLMv2 are the only two allowed CIFS
authentication protocols. Environments with weaker security (NTLMv1)
are fine. Tiger works because it sent MS Kerberos first, which ONTAP
knows how to deal with.
Anyone planning on deploying 7.2.4p9? I am, but I've missed my change
window and may have to wait until after mid June (University finals and
graduation time).
-=-=-
gerald villabroza <geraldv at stanford.edu <http://stanford.edu>>
technical lead, its storage, stanford university
Carl Howell wrote:
> Gerald,
>
>
>
> Thanks for staying on top of this. Burt 283117 is exactly what we’re
> experiencing.
>
>
>
> Vaughn, we run a standard Windows 2003 Active Directory. I’ve tested
> this against every filer we have, and it always behaves the same. If I
> recreate one of the shares we have on a filer on a Windows 2003 box, I
> can log right in using Leopard.
>
>
>
> To be fair, this appears to be more a Leopard+Kerberos issue than a
> problem with OnTap.
>
>
>
> --Carl
>
>
>
>
>
> *From:* owner-toasters@...
> [mailto:owner-toasters@...] *On Behalf Of *Vaughn Stewart
> *Sent:* Sunday, April 06, 2008 3:49 PM
> *To:* geraldv@...; Barry King
> *Cc:* toasters@...
> *Subject:* Re: NetApp & Leopard
>
>
>
> I run 10.5.2 with CIFS on Data ONTap without any issue. I would want to
> know more about the client’s environment before I pointed the finger @
> NetApp.
>
> Cheers,
>
> Vaughn Stewart | Virtualization Evangelist
>
>
> ------------------------------------------------------------------------
>
> *From: *"Villabroza, Gerald" <geraldv@...>
> *Organization: *Stanford University
> *Reply-To: *<geraldv@...>
> *Date: *Sat, 05 Apr 2008 10:56:25 -0700
> *To: *Barry King <barryking93@...>
> *Cc: *<toasters@...>
> *Subject: *Re: NetApp & Leopard
>
> back on the Leopard and Data ONTAP CIFS train:
>
> As some of us have found, 10.5.2 doesn't play nice with ONTAP cifs.
>
> NetApp has created a BURT:
>
> http://now.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=283117
> <http://now.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=283117>
>
> Its classified as a severity 3 (serious inconvenience) because there's a
> work around by passing credentials over NTLM after kerberos fails.
>
> The workaround fails in our environment. We think its because NTLM
> works but we disallow NTLM and only allow kerberos or NTLMv2.
>
> We've heard that the issue is scheduled to be fixed in 7.2.6 slated for
> October.
>
> If you have similar issues or if you'd like it fixed earlier, please
> open a case and reference the BURT. The more customers that report the
> problem gives them a bigger reason to release a fix sooner.
>
> -=-=-
> gerald villabroza <geraldv at stanford.edu <http://stanford.edu>>
> technical lead, its storage, stanford university
>
> Barry King wrote:
>> At least in my environment, this now partially works in 10.5.2. Based
>> on my experimentation: What works is doing a "Go -> Connect to Server"
>> and punching in cifs://netapp. What doesn't is trying to browse to it
>> over the network. I'm not sure why one works and the other doesn't.
>>
>> Regards,
>>
>> Barry King
>>
>> On Fri, Feb 8, 2008 at 2:53 PM, Villabroza, Gerald <geraldv@...
>> <mailto:geraldv@...>> wrote:
>>
>> Patrick,
>>
>> Tough to mandate dave or admitmac in a diverse higher education
>> environment. 100's of macs show up after the Christmas holidays and
>> they all expect to use university resources immediately.
>>
>> Carl,
>>
>> Our understanding from Apple is that the next Leopard update, 10.52,
>> will address the CIFS access issue. It's in a testing phase now
> but not
>> available to folks external to Apple.
>>
>> -=-=-
>> gerald villabroza <geraldv at stanford.edu <http://stanford.edu>>
>> technical lead, its storage, stanford university
>>
>> > -----Original Message-----
>> > From: Patrick van Helden [mailto:pvh@...
>> <mailto:pvh@...>]
>> > Sent: Wednesday, January 30, 2008 8:24 AM
>> > To: Carl Howell; Villabroza, Gerald
>> > Cc: toasters@... <mailto:toasters@...>
>> > Subject: RE: NetApp & Leopard
>> >
>> > Hi Guys,
>> >
>> > Why don't you guys use a 3rd party client like "Dave" or "Admitmac"
>> > from Thursby?
>> >
>> > Admitmac even has Windows DFS support
>> >
>> > Regards,
>> >
>> > Patrick van Helden
>> > Databasement BV
>> > pvh@... <mailto:pvh@...>
>> >
>> >
>> >
>> > -----Oorspronkelijk bericht-----
>> > Van: owner-toasters@...
>> <mailto:owner-toasters@...> namens Carl Howell
>> > Verzonden: wo 1/30/2008 15:56
>> > Aan: geraldv@... <mailto:geraldv@...>
>> > CC: toasters@... <mailto:toasters@...>
>> > Onderwerp: RE: NetApp & Leopard
>> >
>> > Gerald,
>> >
>> > Thanks for the feedback, and yes, feel free to reference us.
>> >
>> > --Carl
>> >
>> > -----Original Message-----
>> > From: Villabroza, Gerald [mailto:geraldv@...
>> <mailto:geraldv@...>]
>> > Sent: Wednesday, January 30, 2008 8:49 AM
>> > To: Carl Howell
>> > Cc: toasters@... <mailto:toasters@...>
>> > Subject: Re: NetApp & Leopard
>> >
>> > Carl,
>> >
>> > We're experiencing the same issue when accessing DOT 7.2.2 CIFS
>> in Win
>> > 2k3 AD with OS X 10.5.1.
>> >
>> > We've opened a case with Apple and here's what they came back with:
>> >
>> > #####
>> > When a Leopard client opens a session, it sends three mechanisms in
>> > this
>> >
>> > order, KRB5, some OID I don't what it is, and MS KRB5. The filer
>> > returns an unsupported error.
>> >
>> > Apple thinks DOT is just bailing on the first unsupported mechanism
>> and
>> > not checking the whole list. Tiger only sent the MS KRB5
>> mechanism so
>> > that is why it works.
>> >
>> > Apple is working on building a test of their kerberos library that
>> puts
>> > MS KRB5 as the first mechanism to validate the hypothesis.
>> > #####
>> >
>> > Leopard can authenticate via K5 against MS WIN 2k3 systems fine
>> in our
>> > environment, just not against DOT.
>> >
>> > Luckily Apple and NetApp are both TSAnet members and can
> collaborate
>> on
>> > the support case.
>> >
>> > Do you mind if reference your experience at UWF with NetApp and
>> Apple?
>> > And if you don't, do you have a case # with NetApp?
>> >
>> > Its interesting to hear of other hi-ed's with this issue. Any
> others
>> > out there? Like other issues in our space it helps to band
> together.
>> >
>> > -=-=-
>> > gerald villabroza <geraldv at stanford.edu <http://stanford.edu>>
>> > technical lead, its storage, stanford university
>> >
>> >
>> > Carl Howell wrote:
>> > > I've stumbled across a problem we're having accessing filer
> hosted
>> > CIFS
>> > > shares from Mac OS X Leopard 10.5.1. The Leopard boxes I've tried
>> > this
>> > > on are all bound to our Win2k3 Active Directory. If you log into
>> > Leopard
>> > > with your domain credentials and try to access a share on a
>> > filer(this
>> > > happens on all of our filers and all are at 7.x and above), you
>> will
>> > be
>> > > prompted for your password. If you try to access the same CIFS
>> share
>> > > hosted on a Win2k3 box, you will get right in.
>> > >
>> > >
>> > >
>> > > Has anyone else seen this?
>> > >
>> > >
>> > >
>> > > Thanks,
>> > >
>> > >
>> > >
>> > > --Carl
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> >
>> >
>> >
>>
>>
>>
>>
>>
>> --
>> Barry King
>> barryking93@... <mailto:barryking93@...>
>
« Return to Thread: NetApp & Leopard
| Free embeddable forum powered by Nabble | Forum Help |
