与服务器2016/Win10和2012R2 Hyper-V群集不兼容(AOS:v4.7.1)

  • 2017年4月11日
  • 3个答复
  • 1028意见
C
徽章“title= +5
AOS:v4.7.1
服务器平台:多个Hyper-V(2012 R2)簇

看来,如果您将属于服务器2016或Windows 10计算机的IP白名单,该机器仍然无法访问我们的Nutanix(v4.7.1)簇发布的SMB共享。

在将SCVMM服务器升级到服务器2016之后,我们发现了这一点。此时,VMM服务器可以“看到”共享,但无法计算共享大小(报告0GB),因此无法管理共享(S)。从那时起,我们已经使用了其他多家2016和Windows 10机器进行了测试 - 所有结果都具有相同的结果:添加到白名单中,但也无法浏览该共享,即使是从Windows Explorer中也无法浏览。

我们正在寻找确认这是一个已知问题。
如果是这样,您可以确认是否通过升级到v5.0.2解决?
\nServer Platform: Multiple Hyper-V (2012 r2) clusters
\n
\nIt appears that if you whitelist an IP that belongs to either a Server 2016 or a Windows 10 machine, that machine still can not access the SMB share being published by our Nutanix (v4.7.1) clusters.
\n
\nWe found this out after upgrading our SCVMM server to Server 2016. At this point, the VMM server can 'see' the shares but can not calculate share size (reports 0GB) and therefore can't manage the share(s). Since then we've tested with multiple other 2016 and Windows 10 machines - all with the same result: added to the whitelist but can't browse the share, even from Windows Explorer.
\n
\nWe are looking for confirmation that this is a known issue.
\nIf so, can you confirm if it's resolved by an upgrade to v5.0.2?","quoteUsername":"Coleman","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

3个答复

一个
徽章“title= +9
你好,

这很可能是由于Microsoft在Windows 10 / Server 2016中对SMB进行了硬化。
最有可能是由于以下内容:
3.1。删除需要定位环境
在以前的SMB版本中,我们介绍了“安全谈判”,SMB客户端和服务器验证了SMB协商请求和响应消息的完整性。
由于SMB的某些第三方实施未正确执行此谈判,因此我们引入了一个开关以禁用“安全谈判”。我们在此更详细地解释这一点博客文章
由于我们已经通过SMB插件了解到第三方已修复了实施方法,因此我们正在删除绕过“安全谈判”的选项,如果连接方言为2.x.x或3.0.x.,SMB总是执行协商验证。
注1:对于SMB 3.1.1客户端和服务器,新的预验证完整性功能(上面的第2.1项中描述)取代具有许多优势的“安全谈判”。
注2:随着新版本,任何未实现“安全谈判”的第三方SMB 2.x.x或SMB 3.0.X实现都将无法连接到Windows。
注3:虽然此更改改善了整体安全性,但它可能会干扰一些依赖SMB网络流量的解决方案,例如某些WAN加速器。”

我认为您不在当前的Nutanix设置中运行Kerberos身份验证吗?
有很多方法可以解决这个问题,我已经看到了NetApp申报者,但无法为Nutanix回答。我想推荐的方法是实际实现Kerberos身份验证部分,因为这也使存储访问周围的安全性硬化。

亲切的问候
\n
\nThis is likely due to hardening done to SMB in Windows 10 \/ Server 2016 by Microsoft.
\nMost likely it's due to the following:
\n
\"3.1. Removing RequireSecureNegotiate setting<\/i>
\nIn previous versions of SMB, we introduced \u201cSecure Negotiate\u201d, where the SMB client and server verify integrity of the SMB negotiate request and response messages.<\/i>
\nBecause some third-party implementations of SMB did not correctly perform this negotiation, we introduced a switch to disable \u201cSecure Negotiate\u201d. We explain this in more detail in this blog post<\/a>.<\/i>
\nSince we have learned via our SMB PlugFests that third parties have fixed their implementations, we are removing the option to bypass \u201cSecure Negotiate\u201d and SMB always performs negotiate validation if the connection\u2019s dialect is 2.x.x or 3.0.x.<\/i>
\nNote 1: For SMB 3.1.1 clients and servers, the new Pre-Authentication Integrity feature (described in item 2.1 above) supersedes \u201cSecure Negotiate\u201d with many advantages.<\/i>
\nNote 2: With the new release, any third party SMB 2.x.x or SMB 3.0.x implementations that do not implement \u201cSecure Negotiate\u201d will be unable to connect to Windows.<\/i>
\nNote 3: While this change improves overall security, it might interfere with some solutions that rely on modifying SMB network traffic, like certain kinds of WAN accelerators.\"<\/i>
\n
\nI take it that you do not run Kerberos Authentication in the current Nutanix Setup?<\/i>
\nThere are have been ways to go around this, I've seen it in case of NetApp Filers but can not answer for Nutanix. I would guess the recommended method is to actually implement the Kerberos Authentication part as that also hardens the security around the Storage Access.<\/i>
\n
\nKind Regards<\/i>
\n<\/blockquote>","quoteUsername":"Aanuka","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
阿卢西亚尼“> </div> <div class=
UserLevel 7
徽章“title= +34
感谢您与社区分享Aanuka

这有帮助科尔曼

- 如果您发现答案有帮助,请考虑单击“接受为解决方案”按钮。将答复标记为接受的解决方案,有助于我们的社区确定解决用户问题的内容。
在Twitter上关注我:https://twitter.com/angeloluciani
r
秩“> </div></a> </div> <div class= 徽章“title= +1
Aanuka在正确的轨道上,我们的SMB协议堆栈仅支持SMB 3.0。Windows 10和Windows 2016使用SMB 3.1.1。

解决此问题的一种方法是在Nutanix群集上启用Kerberos。我将打开一张支持票,以帮助您启用Kerberos。
Aanuka<\/a> is on the right track, Our SMB protocol stack only supports SMB 3.0. Windows 10 and Windows 2016 use SMB 3.1.1.
\n
\nOne way to get around this would be to enable Kerberos on the Nutanix cluster. I would open a support ticket to assist you with enabling Kerberos.","quoteUsername":"rcrickon","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

回复


Baidu