On 29 April 2016 at 00:22, Ray Van Dolson <rvandol...@esri.com> wrote:
> On Thu, Apr 28, 2016 at 11:43:48PM +0200, Lionel Cons wrote:
>> On 28 April 2016 at 23:24, Ray Van Dolson <rvandol...@esri.com> wrote:
>> > Hi, everyone -- this is OT as it's Nexenta related, but figured you
>> > folks here would know the answer. Also have a question out to Nexenta
>> > support as well.
>> >
>> > We're trying to get MSA's (Managed Service Accounts) to talk to a CIFS
>> > share on a Nexenta 3.1.6 system. I *believe* MSA's require Kerberos,
>> > and it doesn't appear the cifs/smb service on our 3.1.6 box supports
>> > Kerberos authentication, though it is AD joined.
>> >
>> > Can anyone confirm?
>>
>> What will not work because Illumos krb5 is outdated. For AD
>> interoperability you need at least to update Illumos krb5 to MIT krb5
>> 1.12 or better, or you have sporadic outages.
>> Given that Illumos krb5 is heavily modified and has kernel-based add
>> ons it's nearly impossible to do except for one of the original SUN
>> engineers who have intimate knowledge of the krb5 update process.
>>
>> Lionel
>
> Thanks. Could explain why when we add SPNs, Windows clients trying to
> access via the SPN alias fail, but Samba still succeeds. Perhaps the
> latter is falling back to some other authentication mechanism that
> Windows isn't trusting. Possibly due to Extended Security not being
> supported?

Dunno, but note that SAMBA usually relies on Heimdal Kerberos and not
on the MIT Kerberos. Problem with Solaris krb5 is that it lacks a lot
of error checking and AD interoperability changes since MIT krb5 1.6.

Lionel