# ONTAP 7-mode 8.2 CIFS after Netlogon CVE-2022-38023 July hardening

lean oyster
#

Hello! We have one stubborn customer sitting on 7-mode 8.2 with CIFS and SMB. They already have issues after upgrading the domain to functional level 2019, but they want to stick to old hardware and OS. Will their CIFS just stop working after the July DC patches, or is there some workaround?

lean oyster
toxic bane
#

That's how I read it.

lean oyster
stoic folio
#

My read is that in enforcement stage, that workaround stops working, so they’re just buying themselves a few weeks

#

We should clarify that page..

toxic bane
#

mmm... you could be correct on that based on a few other things I am reading.. you have time to submit?

#

if not i can.

stoic folio
#

I've submitted feedback on that article

#

7-mode is toast unless you're doing block or non-AD-kerberos NFS

#

it's been 9 years. Time to give it up.

toxic bane
lean oyster
strong heath
#

My impression (oh hi @stoic folio) is that running 8.2.5P5 with options cifs.netlogon.secure_channel.enable on will still work with AD Kerberos. Only NTLM will stop working (as I found today when not using the correct domain name). But yes, don't tell your customer that.

stoic folio
#

👋

#

I’ve done some more reading and we think you’re right, but it’s a low confidence understanding

#

The comment was that 7-mode auth is totally insecure anyway, so it’s allowed by a different set of config

strong heath
#

meanwhile, time to delete some volumes that have snapvault lag times of over 2000 days

#

one is nearly at 3000 days

strong heath
cobalt vigil
#

yes the RC4 has been a showstopper for 7mode for a while. But it's easy to work around. The NTLM change cannot be worked around

strong heath
#

gah, rc4 was briefly disabled and it worked for a bit but now I'm getting kerberos etype errors