How to configure CIFS for AD auth and SMB2

I am trying to configure CIFS on an OES2015 SP1 server to use third party authentication - specifically to authenticate against our AD domain. I also want to use the SMB2 Dialect (protocol); not the older NT dialect. In iManager when I go to the CIFS authentication tab and try to put in the AD PDC's name and IP address it tells me "The parameters to CIFS_SetServerConfiguration are not valid for this server type". This error is listed in the Misc section of the troubleshooting docs for CIFS and it says:

If SMB2 is the current dialect, iManager plug-in prevents changing the authentication mode from 'Local' to 'Domain (Passthru)'. It throws the error message, "The parameters to CIFS_SetServerConfiguration are not valid for this server type".

So how do I set up CIFS so that it uses SMB2 for better security and yet authenticates users against AD? What am I missing?

Thanks,

Dan
  • Hello Dan,

    Please have a look at the documentation of OES2015SP1, especially the
    "NSS AD Deployment and Administration Guide" (stor_nss_ad_lx.pdf, the
    chapters 1 to 3). I am not able to tell the short story but you should
    not try to configure the PDC's name in the CIFS-config of iManager.
    You should configure CIFS in iManager just for eDirectory, install the
    NSS AD Support software (from the OES2015SP1-DVD or any other
    repository) and then after all prerequisites are met join the OES-Server
    to the AD domain.

    Regards

    Burkhard Wiegand
    OES-Admin
    Debeka-Versicherungen
  • Burkhard, thanks for the reply. I did look at that documentation and am in fact setting up NSS AD on the server now as an alternative to CIFS. It looked to me like I could use either or both approaches. You feel that the NSS AD support is the preferred approach because it uses Kerberos for authentication?

    BTW, the docs say that for NSS AD support you have to have CIFS installed and working. Is it just necessary to have it installed on the server but not configured for authentication? See page 14 under section 2.2 in the column for "Installing NSS AD post OES Server installation", where it says "Ensure that the Novell CIFS service that AD users will access is configured and operational on the OES server."

    How should it be configured then if I can't use SMB2 and AD authentication???

    Thanks,

    Dan
  • Hello Dan,

    So far (until OES11 SP3), accounts for accessing oes-nss-volumes via
    CIFS had to reside in eDirectory. Configuring CIFS allows eDirectory
    users access to oes-nss-volumes without having a novell-client installed
    on their clients. So "Ensure that the Novell CIFS service
    that AD users will access is configured and operational on the OES
    server." means that you should configure CIFS so that eDir users are able
    to access oes-nss-volumes as a necessary test that CIFS is working
    before you go on installing and configuring NSS-AD support.
    The new "thing" of NSS-AD support in OES2015 is that now MS Active
    Directory users can be taken to allow access to oes-nss-volumes. With
    OES11 this was not possible.

    Regards Burkhard
  • OK, so I try to configure CIFS to use the SMB2 protocol and third party authentication but it won't let me. Why not?

    Dan
  • Or are you saying that even though CIFS says it supports third party authentication, what I should do is make it authenticate against eDirectory before installing OES2015 SP1 NSS AD integration?

    Dan
  • Hello Dan,

    So far I have never dealt with third-party authentication in iManager
    (and it is not necessary to set up for NSS-AD-Integration). It should
    be possible for an eDir user to access the server via CIFS (as a first
    test for CIFS) and then installing the OES-NSS-AD-Integration.

    Regards Burkhard