Modifying the CIFS server Kerberos security settings
You can modify certain CIFS server Kerberos security settings, including the maximum allowed Kerberos clock skew time, the Kerberos ticket lifetime, and the maximum number of ticket renewal days.
About this task
Modifying CIFS server Kerberos settings by using the vserver cifs security modify command modifies the settings only on the single storage virtual machine (SVM) that you specify with the -vserver parameter. You can centrally manage Kerberos security settings for all SVMs on the cluster belonging to the same Active Directory domain by using Active Directory group policy objects (GPOs).
- Perform one or more of the following actions:
  If you want to specify the maximum allowed Kerberos clock skew time in minutes, enter:
    vserver cifs security modify -vserver vserver_name -kerberos-clock-skew integer_in_minutes
  The default setting is 5 minutes.
  If you want to specify the Kerberos ticket lifetime in hours, enter:
    vserver cifs security modify -vserver vserver_name -kerberos-ticket-age integer_in_hours
  The default setting is 10 hours.
  If you want to specify the maximum number of ticket renewal days, enter:
    vserver cifs security modify -vserver vserver_name -kerberos-renew-age integer_in_days
  The default setting is 7 days.
  If you want to specify the timeout for sockets on KDCs after which all KDCs are marked as unreachable, enter:
    vserver cifs security modify -vserver vserver_name -kerberos-kdc-timeout integer_in_seconds
  The default setting is 3 seconds.
- Verify the Kerberos security settings: vserver cifs security show -vserver vserver_name
Example
The following example sets the Kerberos clock skew to 3 minutes and the Kerberos ticket age to 8 hours for SVM vs1:
cluster1::> vserver cifs security modify -vserver vs1 -kerberos-clock-skew 3 -kerberos-ticket-age 8
cluster1::> vserver cifs security show -vserver vs1
Vserver: vs1
Kerberos Clock Skew: 3 minutes
Kerberos Ticket Age: 8 hours
Kerberos Renewal Age: 7 days
Kerberos KDC Timeout: 3 seconds
Is Signing Required: false
Is Password Complexity Required: true
Use start_tls For AD LDAP connection: false
Is AES Encryption Enabled: false
LM Compatibility Level: lm-ntlm-ntlmv2-krb
Is SMB Encryption Required: false
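A small audit script, added here as an example and not part of the ONTAP documentation or product, parses the "Field: value" output of vserver cifs security show (as displayed above) and flags Kerberos timing settings that exceed an assumed baseline. The baseline values, the sample output and the function names are assumptions chosen for the example; the comparison works in seconds so that minutes, hours and days can be checked uniformly.

```python
"""Audit Kerberos timing settings from 'vserver cifs security show' output.

Parses the 'Field: value' lines the command displays and compares the Kerberos
values against an assumed baseline. The baseline is constructed for this
example and is not a NetApp recommendation.
"""
import re

# Sample output, constructed to match the display format of the command.
SAMPLE_SHOW_OUTPUT = """\
Vserver: vs1
Kerberos Clock Skew: 3 minutes
Kerberos Ticket Age: 8 hours
Kerberos Renewal Age: 7 days
Kerberos KDC Timeout: 3 seconds
Is Signing Required: false
"""

# Assumed maximum allowed values per display field, normalised to seconds.
# Here they simply mirror the documented defaults.
BASELINE_MAX_SECONDS = {
    "Kerberos Clock Skew": 5 * 60,       # default 5 minutes
    "Kerberos Ticket Age": 10 * 3600,    # default 10 hours
    "Kerberos Renewal Age": 7 * 86400,   # default 7 days
}

_UNIT_SECONDS = {"second": 1, "seconds": 1, "minute": 60, "minutes": 60,
                 "hour": 3600, "hours": 3600, "day": 86400, "days": 86400}


def parse_show_output(text):
    """Return {field: value_string} from 'Field: value' lines; other lines are ignored."""
    settings = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        field, _, value = line.partition(":")
        settings[field.strip()] = value.strip()
    return settings


def to_seconds(value):
    """Convert a display value such as '3 minutes' to a number of seconds."""
    m = re.fullmatch(r"(\d+)\s+([a-z]+)", value.strip().lower())
    if not m or m.group(2) not in _UNIT_SECONDS:
        raise ValueError(f"unrecognised duration: {value!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def audit_kerberos_settings(text, baseline=BASELINE_MAX_SECONDS):
    """Return (field, actual_seconds, max_seconds) for each setting over the baseline.

    A field absent from the output is reported with actual_seconds=None.
    """
    settings = parse_show_output(text)
    findings = []
    for field, max_seconds in baseline.items():
        if field not in settings:
            findings.append((field, None, max_seconds))
            continue
        actual = to_seconds(settings[field])
        if actual > max_seconds:
            findings.append((field, actual, max_seconds))
    return findings
```

Feed it the captured output of vserver cifs security show for each SVM; an empty list means every audited Kerberos setting is within the baseline.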