> On 14. Feb 2025, at 01:50, NoSense via illumos-discuss <discuss@lists.illumos.org> wrote:
>
> I have a long running OmniOS SMB server currently running r151052 AD
> integrated and working fine on NTLMv2. As all other devices are off NTLM
> except this server, I have attempted to convert it over to Kerberos. I didn't
> even see any options in napp-it and so I used the OmniOS guide which
> indicates it is possible and works. Specifically, I followed this OmniOS
> guide Active Directory Integration and enabled Kerberos AES for all the
> accounts and get a Kerberos Session and Ticket showing AES, BUT the SMB
> server still uses NTLM, and disabling NTLM support from the Windows side
> kills all SMB access to the OmniOS server. What am I missing to get OmniOS to
> do Kerberos only SMB SSO, or at least prefer Kerberos over NTLM?
>
> #klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: *admin account*@*domain*.NET
>
> Valid starting Expires Service principal
> 10/02/2025 15:04 11/02/2025 01:04 krbtgt/*domain*@*domain*.NET
> renew until 17/02/2025 15:04, Etype(skey, tkt): AES-256 CTS mode with 96-bit
> SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC

You would need domain mode setup:

/*
 * In workgroup mode, skip Kerberos.
 */

rgds,
toomas

------------------------------------------
illumos: illumos-discuss
Permalink: https://illumos.topicbox.com/groups/discuss/Tef371e0d901b265f-M5aa6cd586b30eb7c66361d66
Delivery options: https://illumos.topicbox.com/groups/discuss/subscription