Configuring Kerberos for ExtremeZ-IP Network Reshare
In order for Mac users using Kerberos to access SMB/CIFS reshares through ExtremeZ-IP, delegation must be enabled in Active Directory. If your environment requires Kerberos authentication, you will need to update the Active Directory computer object for any Windows servers that are running ExtremeZ-IP. The ExtremeZ-IP server must be given permission to present delegated credentials to the SMB server on behalf of your users.
NOTE: When you set up a user’s profile Home folder in Active Directory Users and Computers, you need to use the server’s domain name (of the EZ-IP server domain) instead of its IP address in order for the network Home directories to work with Kerberos for Mac OS 10.6 clients.
- In Active Directory Users and Computers, locate the Windows server or servers that you have ExtremeZ-IP installed on. They are commonly in the Computers folder.
- Open the Properties window for the ExtremeZ-IP server and select the Delegation tab.
- Select “Trust this computer for delegation to specified services only”.
- Select “Use any authentication protocol”; this is required for negotiation with the SMB server.
- You must now add any Windows servers or NAS devices that you would like your users to be able to access through reshare. Click Add… to search for these Windows computers in AD and add them. For each, you will need to select the “cifs” service type only.
Note: It may take 15 to 20 minutes for these changes to propagate through the Active Directory forest.
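Once the changes have propagated, the resulting computer object can be checked against the steps above with a read-only audit. This is an added example, not part of the ExtremeZ-IP documentation: the function name `Test-ReshareDelegation` and all server names are hypothetical, the sample object is constructed so the script runs without a domain, and the commented live query assumes the ActiveDirectory (RSAT) PowerShell module.

```powershell
# Audits the delegation settings on a computer object: constrained delegation
# only, protocol transition enabled, and every delegation target limited to cifs.
function Test-ReshareDelegation {
    param(
        # Object returned by Get-ADComputer, or a constructed stand-in.
        [Parameter(Mandatory)] $Computer
    )
    $findings = @()
    # Drop null/empty entries so an unset attribute counts as zero targets.
    $spns = @($Computer.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    # "Specified services only" means unconstrained delegation must be off.
    if ($Computer.TrustedForDelegation) {
        $findings += 'Unconstrained delegation is enabled; expected "specified services only".'
    }
    # "Use any authentication protocol" sets TRUSTED_TO_AUTH_FOR_DELEGATION.
    if (-not $Computer.TrustedToAuthForDelegation) {
        $findings += '"Use any authentication protocol" is not selected.'
    }
    if ($spns.Count -eq 0) {
        $findings += 'No delegation targets are listed; reshare will not work.'
    }
    # Each target SPN has the form serviceclass/host; only cifs is expected.
    foreach ($spn in $spns) {
        $class = ($spn -split '/')[0]
        if ($class -ne 'cifs') {
            $findings += "Delegation to '$spn' exceeds the cifs-only scope."
        }
    }
    [pscustomobject]@{
        Name      = $Computer.Name
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed sample: correct flags, but one extra non-cifs service was added.
$sample = [pscustomobject]@{
    Name                       = 'EZIP-SRV01'
    TrustedForDelegation       = $false
    TrustedToAuthForDelegation = $true
    'msDS-AllowedToDelegateTo' = @('cifs/nas01.example.com', 'cifs/NAS01', 'host/fs02.example.com')
}
Test-ReshareDelegation -Computer $sample | Format-List

# Against a live domain (requires the ActiveDirectory module):
# Get-ADComputer -Identity 'EZIP-SRV01' -Properties TrustedForDelegation,
#     TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
#     ForEach-Object { Test-ReshareDelegation -Computer $_ }
```

For the constructed sample the result is non-compliant with a single finding for `host/fs02.example.com`, the kind of scope creep worth catching when delegation lists are edited later.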