Greetings,

We have a fleet of OmniOS fileservers, all running omnios-r151054-c46864d3fe. They are used as NFS or SMB file servers or to test things before going to production. Note the file servers are only NFS _or_ SMB. We do not combine them on the same box.
They all get their LDAP/Kerberos info from Active Directory on a pair of Windows Server 2025 systems. We use this for SMB sharing and to allow the few admins to use Kerberos to auth for ssh. There are no end-user logins on the hosts. The hosts are joined with 'smbadm join' - see below for details.

We are seeing hits for "LogName = 'Microsoft-Windows-NTLM/Operational' Id = 4023" in the AD server logs and would like to squash that problem. These hits show up for all 5 of the hosts, though only one is currently active as an SMB server. I have verified that the two test hosts are showing up in the log but have no clients connected to them.

Currently we join them to the domain using

    sudo svcadm refresh ntp
    sudo svcadm enable -r smb/server
    sudo sharectl set -p max_workers=2048 smb
    sudo sharectl set -p lmauth_level=5 smb      (was =4 until recently)
    sudo sharectl set -p ipv6_enable=true smb
    sudo smbadm join -u domain_admin_account doma.in.name

followed by a few idmap settings

    sudo svccfg -s svc:/system/idmap setprop config/directory_based_mapping=astring: idmu
    sudo svccfg -s svc:/system/idmap setprop config/ad_unixuser_attr=astring: \
        sAMAccountName
    sudo svccfg -s svc:/system/idmap setprop config/ad_unixgroup_attr=astring: \
        sAMAccountName
    sudo svcadm refresh svc:/system/idmap
    sudo idmap add -d "winuser:*@*" "unixuser:*"
    sudo idmap add -d "wingroup:*@*" "unixgroup:*"

Here's the list of sharectl smb settings:

    system_comment=
    max_workers=2048
    netbios_enable=false
    netbios_scope=
    lmauth_level=5
    keep_alive=0
    wins_server_1=
    wins_server_2=
    wins_exclude=
    signing_enabled=true
    signing_required=true
    restrict_anonymous=false
    pdc=
    ads_site=
    ddns_enable=false
    autohome_map=/etc
    ipv6_enable=true
    print_enable=false
    traverse_mounts=true
    map=
    unmap=
    disposition=
    min_protocol=2.1
    max_protocol=
    encrypt=disabled
    encrypt_ciphers=
    bypass_traverse_checking=true
    oplock_enable=true
    short_names=false

Are there any suggestions on how I can force all lookups to be Kerberos instead of NTLM?
thanks
nomad

p.s. I only work in this lab M, Tu, and W so if I'm slow to reply that's why.

--
CHSCC - work days are Monday, Tuesday, and Wednesday.

------------------------------------------
illumos: illumos-discuss
Permalink: https://illumos.topicbox.com/groups/discuss/Tb6621f45cbba2aa0-M2791c6a4c0d321b27dcc5061
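As an added example (not part of the original post and not illumos or OmniOS code), here is a PowerShell triage script for the NTLM audit events the post is chasing. It assumes it is run on each AD domain controller that writes the 'Microsoft-Windows-NTLM/Operational' log, and it reads the event's field names from the event XML rather than assuming them, so the output tells you which field identifies the OmniOS host or account that fell back to NTLM; the -Hours and -MaxEvents parameters are this script's own.

```powershell
# Added example: summarise NTLM audit events (log name and event ID taken from
# the post) so each OmniOS host's NTLM fallbacks can be counted before and after
# a config change. Run on the domain controller(s); adjust -Hours as needed.
param(
    [int]$Hours = 24,        # assumption: look back one day by default
    [int]$MaxEvents = 5000   # assumption: cap to keep the query bounded
)

$filter = @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 4023
    StartTime = (Get-Date).AddHours(-$Hours)
}

try {
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop
} catch {
    Write-Host "No matching events (or log not present): $($_.Exception.Message)"
    return
}

# Flatten each event's EventData <Data Name=...> elements into one object per
# event, without hard-coding which fields the event carries.
$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $row = [ordered]@{
        TimeCreated = $e.TimeCreated
        Computer    = $xml.Event.System.Computer   # the DC that logged it
    }
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $row[$d.Name] = $d.'#text' }
    }
    [pscustomobject]$row
}

# List the fields seen, then count events per distinct value of each field.
# The field holding the OmniOS host name (or the account it authenticated with)
# will stand out here; pick it from the output rather than guessing its name.
$fields = $rows | ForEach-Object { $_.PSObject.Properties.Name } | Sort-Object -Unique
Write-Host ("Events: {0}   Fields seen: {1}" -f @($rows).Count, ($fields -join ', '))

foreach ($f in ($fields | Where-Object { $_ -ne 'TimeCreated' })) {
    Write-Host "`n== $f =="
    $rows | Group-Object -Property $f | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize | Out-String | Write-Host
}
```

Re-run it after each change (for example the lmauth_level change mentioned above) and compare the per-host counts; a host that still appears with no clients connected is generating the NTLM traffic itself rather than on behalf of a user.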
