CIFS, not showing security properties

Answered Question
May 19th, 2010
User Badges:

When attempting to view the security properties of a remote share we get an error message that says, "Unable to display security information".  This happens when bringing up a remote server via UNC path, right clicking on a share or folder, and selecting the security tab.  This only happens when viewing them through an optimized connection.  If the domain admin remotes directly to that server, or another server at the same location, they are able to browse the properties fine.


We're using 4.1.3 and have disabled legacy WAFS services.  All of our CIFS traffic is going through the CIFS accelerator.  Couple of questions:


-Isn't the CIFS accelerator supposed to be transparent and pass this information along?

-Do the WAE's still need to be joined to the domain?  I though this was a legacy WAFS function

-I did packet captures on both ends of the connection (and on the WAE) but didn't see anything obvious in the way of errors, any specific thing I can look for?


Thanks!

Correct Answer by Zach Seils about 7 years 5 days ago

In the failed trace, note that the NT Security Descriptor Length in frame 392 is 0, whereas in the working trace it is >0.  This looks like bug CSCtg28040, which is fixed in the WAAS 4.1.5f release.  Can you confirm that you have installed Microsoft patch MS10-020 (KB980232)?


Thanks again for the traces.


Regards,

Zach

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Zach Seils Wed, 05/19/2010 - 11:38
User Badges:
  • Cisco Employee,

There is metadata caching that occurs which may be the issue.  What type of server/OS is the remote share being hosted on?  Can you provide packet captures with and without WAAS?


Thanks,

Zach



PS - There is no longer a need to have the WAEs join the Windows domain.

bakinbits Wed, 05/19/2010 - 12:26
User Badges:

All of the servers are Win2k3 standard.  "hqmon1-pass" is a local server and "laprint01-fail" is the remote server.  I pulled up the security tab at packet 277 on the passed attempt and 370 on the failed one.


The difference seems to be that the client (10.101.132.80) doesn't perform a lsa_openpolicy request to the target server.

Zach Seils Wed, 05/19/2010 - 13:20
User Badges:
  • Cisco Employee,

Thanks.


Where were the packet captures taken?


Zach

Correct Answer
Zach Seils Thu, 05/20/2010 - 06:43
User Badges:
  • Cisco Employee,

In the failed trace, note that the NT Security Descriptor Length in frame 392 is 0, whereas in the working trace it is >0.  This looks like bug CSCtg28040, which is fixed in the WAAS 4.1.5f release.  Can you confirm that you have installed Microsoft patch MS10-020 (KB980232)?


Thanks again for the traces.


Regards,

Zach

bakinbits Thu, 05/20/2010 - 13:03
User Badges:

Ahh, good find.  Thanks for your help.  The upgrade fixed the issue.


Thanks again!

Actions

This Discussion