
Authentication Fails When a Windows Client Accesses a CIFS Share Because the Kerberos Authentication Ticket Is Cached

Latest reply: Jan 26, 2021 01:38:53

Hello, everyone!

Do you know how to solve an authentication failure that occurs when a Windows client accesses a CIFS share because a Kerberos authentication ticket is cached? Don't worry, this post shares how to solve it.

Symptoms

A Huawei OceanStor V3 storage system is used to completely replace a peer vendor's storage. The service IP address of the peer vendor's storage is configured on the V3, the peer vendor's storage is removed from the AD domain, and the V3 storage is added to the same AD domain using the same machine account. In this scenario, when the Windows client mounts the CIFS share of the migrated V3 storage using the \\domain name form of the path, authentication may fail, as shown in the following figure.

[Figure: authentication failure when the Windows client mounts the CIFS share]


Cause

When a Windows client and a storage device are joined to the same AD domain and \\domain name is used to access a CIFS share, Kerberos authentication is performed. During Kerberos authentication, the Windows client requests a service ticket for the storage device from the AD domain controller. The ticket is encrypted using the storage device's machine account password, which only the domain controller and the storage device know. The Windows client then sends the ticket to the storage system for authentication, and the storage system decrypts it with its own machine account password. After the ticket is verified, Windows accesses the storage CIFS share successfully. The client then caches this Kerberos ticket for reuse.

Before the migration, the client mounted the competitor's storage and cached the Kerberos tickets issued for it. After the migration, when accessing the V3 storage, the client reuses the ticket cached for the competitor's storage to authenticate to the V3 storage, because the domain name is the same before and after the migration. However, the V3 storage cannot decrypt the ticket, because the machine account passwords of the V3 storage and the competitor's storage in the AD domain are different. As a result, authentication fails.

Analysis

If the CIFS share cannot be accessed using the \\domain name path, run klist in the cmd.exe window to check whether the Windows client has cached a Kerberos ticket for the storage. If information like the following is displayed, the client has cached the Kerberos ticket, and this is the problem described here.

[Figure: klist output listing the cached Kerberos ticket for the storage]

Solution

To solve this problem, run the klist purge command in the cmd.exe window of the Windows client to clear the ticket cache on the client. Then access the CIFS share again; the client requests a new ticket from the domain controller, which is encrypted with the current machine account password of the V3 storage.

[Figure: klist purge output on the Windows client]
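The check from the Analysis section and the fix from the Solution section, combined into one script as an added example (not from the original post): it looks in the client's ticket cache for a CIFS service ticket for the storage, purges the cache if one is found, and retries the share. The host name storage.example.com and the share name are placeholders.

```powershell
# Added example, not part of the original post.
# Assumes the migrated storage is reachable as \\storage.example.com\share
# (placeholder names); adjust both values for your environment.
$StorageHost = 'storage.example.com'
$SharePath   = "\\$StorageHost\share"

# klist prints one "Server: cifs/<host> @ <REALM>" line per cached service
# ticket. A CIFS ticket for the storage host that predates the migration was
# issued for the old machine account password and cannot be decrypted by
# the V3 storage.
$hostPattern = "Server:\s+cifs/" + [regex]::Escape($StorageHost)
$cached = klist.exe tickets | Select-String -Pattern $hostPattern

if ($cached) {
    Write-Host "Cached CIFS ticket(s) found for ${StorageHost}:"
    $cached | ForEach-Object { Write-Host "  $($_.Line.Trim())" }

    # Purge the ticket cache of the current logon session. The next access
    # requests a fresh ticket, encrypted with the current machine account
    # password of the storage, from the domain controller.
    klist.exe purge | Out-Null
    Write-Host "Ticket cache purged."
} else {
    Write-Host "No cached CIFS ticket for $StorageHost; the cause is elsewhere."
}

# Retry the share. Test-Path on a UNC path triggers a new SMB session setup
# and therefore a new Kerberos ticket request.
if (Test-Path -Path $SharePath) {
    Write-Host "Access to $SharePath succeeded."
} else {
    Write-Host "Access to $SharePath still fails; verify the machine account and SPN of the storage on the domain controller."
}
```

Run the script in the user session that mounts the share, because klist purge only clears the ticket cache of the logon session it runs in.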

This is my solution. How about yours? Go ahead and share it with us!


Thanks for your sharing!
