Prerequisite for configuring Kerberos-based SMB access

The following requirements must be met to configure IBM Spectrum Scale™ for Kerberized SMB access:

  • The time must be synchronized across the KDC server, the IBM Spectrum Scale cluster, and the SMB clients, or else access to an SMB share could be denied.
  • In MIT KDC configurations for the SMB services, the service principal name must use the NetBIOS name and the realm name. For example, if the NetBIOS name is FOO and the realm is KDC.COM, the service principal name should be cifs/foo@KDC.COM. The NetBIOS name is the value specified for the option --netbios_name in the mmuserauth command. The realm may be discovered from the value stored for Alt_Name returned from the command: wbinfo -D <domain>.
  • The clients should use only the NetBIOS name when accessing an SMB share. Using any other name or IP address might either cause a failure to connect or a fallback to NTLM authentication.
  • With Active Directory KDC, you can use a DNS alias (CNAME) for Kerberized SMB access. To use the alias, you must register the DNS alias (CNAME) record for the NetBIOS name (system account name) using the SetSPN tool available on the Active Directory server. For example, if the NetBIOS name is FOO and the DNS alias is BAR, use the SetSPN tool from the command prompt of the Active Directory server to register the record, "setspn -A cifs/BAR FOO". Not registering the DNS alias record for the NetBIOS name might cause access to the SMB shares to be denied with the error code KDC_ERR_S_SPRINCIPAL_UNKNOWN.
  • On Linux clients, to use Kerberized SMB access for IBM Spectrum Scale configured with MIT KDC, you must have Samba client version 3.5.9 or later installed. Linux clients with an older Samba client might encounter the following error when trying to access SMB shares:
    ads_krb5_mk_req: krb5_get_credentials failed for foo$@KDC.COM (Server not found in Kerberos database)
    cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Server not found in Kerberos database

    To determine whether a client has authenticated via Kerberos, either verify on the client or look for the following line in the /var/adm/ras/log.smbd log file on IBM Spectrum Scale.

    The Kerberos ticket principal name is [<username>@domain].

    Note that the Samba log level must be set to at least 3 for the authentication to be logged.

    To adjust the Samba log level, issue the command:

    /usr/lpp/mmfs/bin/net conf setparm global 'log level' 3

    Note: Running at log levels higher than 1 for extended periods of time is not recommended because it can impact performance.
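    As an added example (not part of the IBM documentation), the following Python script derives the expected cifs/ service principal from a NetBIOS name and realm, and scans smbd log text for the Kerberos ticket principal line and for the "Server not found in Kerberos database" failure described above. The log lines embedded in it are constructed samples, not output from a real system, and the simplified "[timestamp, level] message" line layout is an assumption.

```python
import re

# Constructed sample of /var/adm/ras/log.smbd content at log level 3.
# The line layout is an assumption for illustration; only the message
# text matches what the documentation above describes.
SAMPLE_SMBD_LOG = """\
[2024/01/10 09:12:01, 3] The Kerberos ticket principal name is [alice@KDC.COM].
[2024/01/10 09:12:05, 3] The Kerberos ticket principal name is [bob@KDC.COM].
[2024/01/10 09:13:00, 1] ads_krb5_mk_req: krb5_get_credentials failed for foo$@KDC.COM (Server not found in Kerberos database)
[2024/01/10 09:13:00, 1] cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Server not found in Kerberos database
[2024/01/10 09:14:10, 3] NTLMSSP authentication for carol succeeded
"""

# Line logged by smbd when a session was set up with a Kerberos ticket.
KRB_PRINCIPAL_RE = re.compile(r"The Kerberos ticket principal name is \[([^\]]+)\]")
# Signature of a missing or mismatched service principal on the KDC.
SPN_UNKNOWN_RE = re.compile(r"Server not found in Kerberos database")


def expected_spn(netbios_name: str, realm: str) -> str:
    """Service principal the KDC must hold for the SMB service.

    Follows the documented form cifs/<netbios name>@<REALM>, e.g.
    NetBIOS name FOO and realm KDC.COM give cifs/foo@KDC.COM.
    """
    return f"cifs/{netbios_name.lower()}@{realm.upper()}"


def kerberos_principals(log_text: str) -> list[str]:
    """Return the user principals that authenticated via Kerberos, in log order."""
    return KRB_PRINCIPAL_RE.findall(log_text)


def spn_lookup_failures(log_text: str) -> int:
    """Count log lines reporting that the KDC could not find the service principal."""
    return sum(1 for line in log_text.splitlines() if SPN_UNKNOWN_RE.search(line))


def summarize(log_text: str) -> dict:
    """Aggregate the two checks so the result can be reviewed or alerted on."""
    principals = kerberos_principals(log_text)
    return {
        "kerberos_sessions": len(principals),
        "kerberos_realms": sorted({p.split("@", 1)[1] for p in principals if "@" in p}),
        "spn_lookup_failures": spn_lookup_failures(log_text),
    }


if __name__ == "__main__":
    print("expected SPN:", expected_spn("FOO", "KDC.COM"))
    print(summarize(SAMPLE_SMBD_LOG))
```

    Sessions that fall back to NTLM (such as the constructed carol line) produce no Kerberos principal line, so a client count larger than the Kerberos session count is the signal to check the NetBIOS name and SPN prerequisites.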