1. Oracle ZFS Storage Appliance Administration Guide, Release OS8.8.x
  2. Appliance Services
  3. Configuring Services
  4. Active Directory Configuration
  5. Active Directory Windows Support

Active Directory Windows Support

Active Directory Windows Server Support

Oracle ZFS Storage Appliance software version OS8.8.x supports all Active Directory server versions.

Active Directory Windows Client Support

Starting with Windows 10, clients can enable Kerberos authentication with IP address-based Service Principal Names (SPNs) by creating a TryIPSPN registry entry. For more information, see Configuring Kerberos for IP Addresses. However, Oracle ZFS Storage Appliance does not support IP address-based SPNs.

Like Windows, Oracle ZFS Storage Appliance does not register IP address-based SPNs as part of the AD domain join. Microsoft notes the following potential issues with IP address-based SPNs: IP addresses are not normally used in place of hostnames because IP addresses are often temporary. Using IP addresses can lead to conflicts and authentication failures as address leases expire and renew. Therefore, registering an IP address-based SPN is a manual process and should only be used when it is not possible to switch to a DNS-based hostname.

When the TryIPSPN registry setting is enabled, Windows 10 clients can continue to access SMB shares exported by the appliance via NTLMSSP. If the domain administrator has manually added cifs\appliance-IP-address SPNs to the ServicePrincipalName attribute of the AD computer object of the appliance, Windows KDC will be able to issue CIFS service tickets for the appliance using IP address-based SPNs. However, if the client subsequently presents a CIFS service ticket that uses IP address-based SPNs to access SMB resources on the appliance, the appliance Kerberos subsystem will reject the security context due to the lack of support for IP address-based SPNs. As a result, debug.sys will contain the following notice-level messages: 

krbssp: user authentication failed (GSS major error): No credentials were
supplied, or the credentials were unavailable or inaccessible
krbssp: user authentication failed (GSS minor error): No principal in keytab
('FILE:/var/krb5/krb5.keytab') matches desired name cifs/appliance-IP-address@AD-realm

To avoid this issue, do not publish IP-address-based SPNs to an AD server.

Related Topics