Prerequisite for configuring Kerberos-based SMB access

The following requirements must be met to configure IBM Storage Scale for Kerberized SMB access:

  • The time must be synchronized across the KDC server, the IBM Storage Scale cluster protocol nodes, and the SMB clients, or else access to an SMB share could be denied.
  • In MIT KDC configurations for the SMB services, the service principal name must use the NetBIOS name and the realm name. For example, if the NetBIOS name is FOO and the realm is KDC.COM, the service principal name should be cifs/foo@KDC.COM. The NetBIOS name is the value specified for the --netbios_name option of the mmuserauth command. The realm can be found in the Alt_Name value returned by the command: wbinfo -D <domain>.
  • The clients should use only the NetBIOS name when accessing an SMB share. Using any other name or an IP address might either cause a failure to connect or a fallback to NTLM authentication.
  • With an Active Directory KDC, you can use a DNS alias (CNAME) for Kerberized SMB access. To use the alias, you must register the DNS alias (CNAME) record for the NetBIOS name (system account name) using the SetSPN tool available on the Active Directory server. For example, if the NetBIOS name is FOO and the DNS alias is BAR, use the SetSPN tool from the command prompt of the Active Directory server to register the record: "setspn -A cifs/BAR FOO". Not registering the DNS alias record for the NetBIOS name might cause access to the SMB shares to be denied with the error code KDC_ERR_S_SPRINCIPAL_UNKNOWN.
  • On Linux® clients, to use Kerberized SMB access for IBM Storage Scale configured with MIT KDC, you must have Samba client version 3.5.9 or later installed. Linux clients with an older Samba client might encounter the following error while trying to access SMB shares:
    ads_krb5_mk_req: krb5_get_credentials failed for foo$@KDC.COM (Server not found in Kerberos database)
    cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Server not found in Kerberos database
    To determine if a client has authenticated via Kerberos, either verify at the client or collect a protocol trace:
    mmprotocoltrace start smb -c x.x.x.x

    Replace x.x.x.x with the IP address of the client system whose access to IBM Storage Scale is to be verified.

    Access the IBM Storage Scale SMB service from that client.

    Then, issue the command:
    mmprotocoltrace stop smb

    Extract the compressed trace files and look for the file ending with smbd.log. If that file contains an entry similar to "Kerberos ticket principal name is..." then Kerberos is being used.

    Note: It is not recommended to run the trace for extended periods of time at log levels higher than 1, because this could affect performance.
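The two checks above that can be scripted on the protocol node, building the expected MIT KDC service principal name from the NetBIOS name and realm, and scanning an extracted mmprotocoltrace directory for the "Kerberos ticket principal name is" marker, are shown below as an added example. This script is not part of the IBM Storage Scale documentation or product; it assumes the trace files have already been extracted into a directory, and the smbd.log content used in the demonstration is constructed for the example rather than taken from a real trace.

```shell
#!/bin/sh
# Added example, not IBM Storage Scale code. Helper checks for the
# Kerberized SMB prerequisites described in the list above.

# expected_spn NETBIOS REALM
#   Prints the MIT KDC service principal name the page requires:
#   cifs/<netbios in lowercase>@<REALM>, following the page's
#   example (NetBIOS FOO, realm KDC.COM -> cifs/foo@KDC.COM).
expected_spn() {
    _nb=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf 'cifs/%s@%s\n' "$_nb" "$2"
}

# kerberos_used_in_trace DIR
#   Scans every file ending in smbd.log under DIR (assumed to be the
#   already-extracted mmprotocoltrace output) for the marker the page
#   names. Returns 0 when Kerberos was used, 1 when the marker is
#   absent (which suggests a fallback to NTLM worth investigating).
kerberos_used_in_trace() {
    find "$1" -type f -name '*smbd.log' \
        -exec grep -l 'Kerberos ticket principal name is' {} + 2>/dev/null \
        | grep -q .
}

# Demonstration on a constructed trace directory. The log lines are
# invented for this example and are not real smbd output.
demo() {
    _d=$(mktemp -d)
    cat > "$_d/node1.smbd.log" <<'EOF'
[2024/01/01 10:00:00.000000,  3] smbd/sesssetup.c(1)
  Kerberos ticket principal name is alice@KDC.COM
EOF
    echo "Expected SPN for NetBIOS FOO in realm KDC.COM: $(expected_spn FOO KDC.COM)"
    if kerberos_used_in_trace "$_d"; then
        echo "Kerberos authentication observed in trace under $_d"
    else
        echo "No Kerberos marker found; client may have fallen back to NTLM"
    fi
    rm -rf "$_d"
}

demo
```

Run it on a protocol node after "mmprotocoltrace stop smb" and extraction, pointing kerberos_used_in_trace at the extracted directory; compare the SPN printed by expected_spn with the principal actually registered in the KDC.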