[OpenIndiana-discuss] cifs/server Kerberos support
Lionel Cons
lionelcons1972 at gmail.com
Thu Apr 28 23:45:49 UTC 2016
On 29 April 2016 at 00:22, Ray Van Dolson <rvandolson at esri.com> wrote:
> On Thu, Apr 28, 2016 at 11:43:48PM +0200, Lionel Cons wrote:
>> On 28 April 2016 at 23:24, Ray Van Dolson <rvandolson at esri.com> wrote:
>> > Hi, everyone -- this is OT as it's Nexenta related, but figured you
>> > folks here would know the answer. Also have a question out to Nexenta
>> > support as well.
>> >
>> > We're trying to get MSAs (Managed Service Accounts) to talk to a CIFS
>> > share on a Nexenta 3.1.6 system. I *believe* MSAs require Kerberos,
>> > and it doesn't appear the cifs/smb service on our 3.1.6 box supports
>> > Kerberos authentication, though it is AD joined.
>> >
>> > Can anyone confirm?
>>
>> That will not work because Illumos krb5 is outdated. For AD
>> interoperability you need at least to update Illumos krb5 to MIT krb5
>> 1.12 or better, or you have sporadic outages.
>> Given that Illumos krb5 is heavily modified and has kernel-based
>> add-ons, it's nearly impossible to do except for one of the original SUN
>> engineers who have intimate knowledge of the krb5 update process.
>>
>> Lionel
>
> Thanks. Could explain why when we add SPNs, Windows clients trying to
> access via the SPN alias fail, but Samba still succeeds. Perhaps the
> latter is falling back to some other authentication mechanism that
> Windows isn't trusting. Possibly due to Extended Security not being
> supported?
Dunno, but note that SAMBA usually relies on Heimdal Kerberos and not
on the MIT Kerberos. Problem with Solaris krb5 is that it lacks a lot
of error checking and AD interoperability changes since MIT krb5 1.6.
Lionel