> On May 31, 2016, at 11:33 AM, Steven Ford <sford...@ibbr.umd.edu> wrote:
>
> Hello,
>
> I have two Omnios storage servers, a primary and a backup. Users authenticate
> via Active Directory.
>
> Since updating to r151018, kerberos seems to be a little pickier when
> allowing clients to connect. Before, if my secondary took over the primary's
> IP, connections made with the primary's domain name to the secondary came
> through fine. Now, they are rejected with the following error:
>
> smbd: krb5ssp: gss_accept_sec_context, mech=0xfcaa0160, major=0x70000,
> minor=0x25ea101
> smbd: krb5: No principal in keytab matches desired name
>
> Rejecting requests addressed to domain names that are not its own seems like
> the proper thing to do, so I'm curious if anybody else is using Omnios as a
> backup server meant to operate in the primary's place.
>
> Should I somehow configure them to have the same kerberos keys? Is there a
> way to dumb down kerberos to behave like it used to? Would it be a bad idea
> to dumb down kerberos in this way?

Generally, yes, both servers should probably have identical keytabs which contain each other's specific principals, since one is expected to act like the other at some point (i.e., in a failover scenario) ... if I'm understanding your situation correctly.

/dale
_______________________________________________
OmniOS-discuss mailing list
OmniOS-discuss@lists.omniti.com
http://lists.omniti.com/mailman/listinfo/omnios-discuss