[OpenIndiana-discuss] cifs/server Kerberos support

Ray Van Dolson rvandolson at esri.com
Thu Apr 28 22:22:09 UTC 2016


On Thu, Apr 28, 2016 at 11:43:48PM +0200, Lionel Cons wrote:
> On 28 April 2016 at 23:24, Ray Van Dolson <rvandolson at esri.com> wrote:
> > Hi, everyone -- this is OT as it's Nexenta related, but figured you
> > folks here would know the answer.  Also have a question out to Nexenta
> > support as well.
> >
> > We're trying to get MSA's (Managed Service Accounts) to talk to a CIFS
> > share on a Nexenta 3.1.6 system.  I *believe* MSA's require Kerberos,
> > and it doesn't appear the cifs/smb service on our 3.1.6 box supports
> > Kerberos authentication, though it is AD joined.
> >
> > Can anyone confirm?
> 
> What will not work because Illumos krb5 is outdated. For AD
> interoperability you need at least to update Illumos krb5 to MIT krb5
> 1.12 or better, or you have sporadic outages.
> Given that Illumos krb5 is heavily modified and has kernel-based add
> ons its nearly impossible to do except for one of the original SUN
> engineers who have intimate knowledge of the krb5 update process.
> 
> Lionel

Thanks.  Could explain why when we add SPNs, Windows clients trying to
access via the SPN alias fail, but Samba still succeeds.  Perhaps the
latter is falling back to some other authenticaiton mechanism that
Windows isn't trusting.  Possibly due to Extended Security not being
supported?

Ray



More information about the openindiana-discuss mailing list