[OpenIndiana-discuss] cifs/server Kerberos support

Lionel Cons lionelcons1972 at gmail.com
Thu Apr 28 23:45:49 UTC 2016


On 29 April 2016 at 00:22, Ray Van Dolson <rvandolson at esri.com> wrote:
> On Thu, Apr 28, 2016 at 11:43:48PM +0200, Lionel Cons wrote:
>> On 28 April 2016 at 23:24, Ray Van Dolson <rvandolson at esri.com> wrote:
>> > Hi, everyone -- this is OT as it's Nexenta related, but figured you
>> > folks here would know the answer.  Also have a question out to Nexenta
>> > support as well.
>> >
>> > We're trying to get MSA's (Managed Service Accounts) to talk to a CIFS
>> > share on a Nexenta 3.1.6 system.  I *believe* MSA's require Kerberos,
>> > and it doesn't appear the cifs/smb service on our 3.1.6 box supports
>> > Kerberos authentication, though it is AD joined.
>> >
>> > Can anyone confirm?
>>
>> That will not work because Illumos krb5 is outdated. For AD
>> interoperability you need at least to update Illumos krb5 to MIT krb5
>> 1.12 or better, or you have sporadic outages.
>> Given that Illumos krb5 is heavily modified and has kernel-based
>> add-ons, it's nearly impossible to do except for one of the original SUN
>> engineers who have intimate knowledge of the krb5 update process.
>>
>> Lionel
>
> Thanks.  Could explain why when we add SPNs, Windows clients trying to
> access via the SPN alias fail, but Samba still succeeds.  Perhaps the
> latter is falling back to some other authentication mechanism that
> Windows isn't trusting.  Possibly due to Extended Security not being
> supported?

Dunno, but note that SAMBA usually relies on Heimdal Kerberos and not
on the MIT Kerberos. Problem with Solaris krb5 is that it lacks a lot
of error checking and AD interoperability changes since MIT krb5 1.6.

Lionel
