Thomas, thanks for the ideas. 

Yes, sync and ntp are running, and all systems in the network are using the same 
local ntp server, which is sync'd externally.

Yes, NTLM is blocked on the DC only but not on the workstation that was 
accessing the SMB server in the network trace above. This is to force the SMB 
server to use Kerberos for authentication since I can't seem to disable NTLM on 
the SMB server. This in turn forces the workstation to ramp up to Kerberos from 
NTLM as seen in the negotiation with the SMB server. That all seems to go well 
and they both agree to use Kerberos. 

As for the login @REALM issue, this is a login on a Windows machine (not Android) 
with a domain account. No matter which syntax you log in with, the sAMAccountName 
is always what is presented to the SMB server. 

Right now, I think the issue might be that none of the AD users have 
individually defined rights to the file shares. They are all defined by the AD 
groups the user belongs to. However, idmap dump -n shows the GIDs for all the 
wingroups and works perfectly when using NTLMv2. Is the Kerberos lookup failing 
the group lookup and denying access to the resource?

Under Kerberos is it not able to figure that out? How do I get more detailed 
logs on the SMB server side?

So close but not quite there!
------------------------------------------
illumos: illumos-discuss
Permalink: 
https://illumos.topicbox.com/groups/discuss/Tef371e0d901b265f-M800f241f508720b9bc725bb2
Delivery options: https://illumos.topicbox.com/groups/discuss/subscription