[OmniOS-discuss] Backup CIFS Server
Dale Ghent
daleg at omniti.com
Tue May 31 16:21:02 UTC 2016
> On May 31, 2016, at 11:33 AM, Steven Ford <sford123 at ibbr.umd.edu> wrote:
>
> Hello,
>
> I have two Omnios storage servers, a primary and a backup. Users authenticate via Active Directory.
>
> Since updating to r151018, kerberos seems to be a little pickier when allowing clients to connect. Before, if my secondary took over the primary's IP, connections made with the primary's domain name to the secondary came through fine. Now, they are rejected with the following error:
>
> smbd: krb5ssp: gss_accept_sec_context, mech=0xfcaa0160, major=0x70000, minor=0x25ea101
> smbd: krb5: No principal in keytab matches desired name
>
> Rejecting requests addressed to domain names that are not its own seems like the proper thing to do, so I'm curious if anybody else is using Omnios as a backup server meant to operate in the primary's place.
>
> Should I somehow configure them to have the same kerberos keys? Is there a way to dumb down kerberos to behave like it used to? Would it be a bad idea to dumb down kerberos in this way?
Generally, yes, both servers should probably have identical keytabs which contain each other's specific principals, since one is expected to act like the other at some point (ie, in a failover scenario) ... if I'm understanding your situation correctly.
/dale
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://omniosce.org/ml-archive/attachments/20160531/889d7c43/attachment.bin>
More information about the OmniOS-discuss
mailing list