OmniOS, napp-it, RC4 NTLM and Kerberos


nosense

New Member
Mar 15, 2022
20
0
1
I have a long-running OmniOS SMB server, currently running r151052, working fine on NTLMv2. As all other devices are off NTLM except this server, I have attempted to convert it over to Kerberos. I didn't even see any options in napp-it, so I used the OmniOS guide, which indicates it is possible and works. Specifically, I followed the OmniOS guide "Active Directory Integration" and enabled Kerberos AES for all the accounts, and I get a Kerberos session and ticket showing AES, BUT the SMB server still uses NTLM, and disabling NTLM support from the Windows side kills all SMB access to the OmniOS server. What am I missing to get OmniOS to do Kerberos-only SMB SSO, or at least prefer Kerberos over NTLM?

#klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: *admin account*@*domain*.NET

Valid starting Expires Service principal
10/02/2025 15:04 11/02/2025 01:04 krbtgt/*domain*@*domain*.NET
renew until 17/02/2025 15:04, Etype(skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
 

nosense

gea, yes that is what I did way back when and it is still in effect, and it does authenticate and get a Kerberos ticket, namely the one listed in the original post. However, it also creates an NTLM session, and it is that session which seems to override Kerberos access. I apologize if it wasn't clear that I already had AD integration via NTLM. The question is how to transition to Kerberos.
 

nosense

I have looked deeper at the traffic between the workstation and the OmniOS SMB server and I get the following:

1739753218872.png

where the details of the last line above, the final response from the OmniOS SMB server, are shown below


1739753383984.png

Any ideas as to why the SMB server just ghosts the session are appreciated.
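
For readers following the capture analysis in the last post, one way to tell from the wire whether a client offered Kerberos or sent NTLM: the sketch below reads the SPNEGO security blob of an SMB2 SESSION_SETUP request and names the mechanisms listed and the one whose token was actually sent. This is an added example, not code from the thread or from OmniOS or napp-it; the function names and both sample blobs are constructed for illustration.

```python
SPNEGO = bytes.fromhex("2b0601050502")             # 1.3.6.1.5.5.2
MS_KRB5 = bytes.fromhex("2a864882f712010202")      # 1.2.840.48018.1.2.2
KRB5 = bytes.fromhex("2a864886f712010202")         # 1.2.840.113554.1.2.2
NTLM = bytes.fromhex("2b06010401823702020a")       # 1.3.6.1.4.1.311.2.2.10
MECHS = {MS_KRB5: "MS-KRB5", KRB5: "KRB5", NTLM: "NTLMSSP"}
NTLM_SIG = b"NTLMSSP\x00"

def tlv(buf, pos=0):
    """Decode one DER element: (tag, value, offset of the next element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def items(buf):                                    # (tag, value) for each element in buf
    pos = 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        yield tag, val

def token_kind(tok):                               # mechanism a mechToken belongs to
    if tok.startswith(NTLM_SIG):
        return "NTLMSSP"
    if tok[:1] == b"\x60":                         # GSS-API framing: mech OID comes first
        return MECHS.get(tlv(tlv(tok)[1])[1], "unknown")
    return "unknown"

def classify(blob):
    """Return (mechanisms offered, in preference order; mechanism of the token sent)."""
    if blob.startswith(NTLM_SIG):                  # NTLMSSP with no SPNEGO wrapper
        return ["NTLMSSP"], "NTLMSSP"
    tag, gss, _ = tlv(blob)
    oid_tag, oid, pos = tlv(gss)
    if tag != 0x60 or oid_tag != 0x06 or oid != SPNEGO:
        raise ValueError("not a SPNEGO NegTokenInit")
    offered, sent = [], None
    for tag, val in items(tlv(tlv(gss, pos)[1])[1]):   # [0] -> SEQUENCE -> fields
        if tag == 0xA0:                            # mechTypes
            offered = [MECHS.get(o, o.hex()) for _, o in items(tlv(val)[1])]
        elif tag == 0xA2:                          # mechToken
            sent = token_kind(tlv(val)[1])
    return offered, sent

# Constructed sample blobs (not the thread's captures); the Kerberos token body is an empty placeholder.
NTLM_ONLY = bytes.fromhex("602c 06062b0601050502 a022 3020 a00e300c 060a2b06010401823702020a a20e040c 4e544c4d53535000 01000000")
KRB_FIRST = bytes.fromhex("6047 06062b0601050502 a03d 303b a0243022 06092a864882f712010202 06092a864886f712010202"
                          " 060a2b06010401823702020a a213 0411 600f 06092a864886f712010202 0100 6e00")
```

In a real capture, the input is the Security Buffer field of the client's first SESSION_SETUP request; a result whose second element is "NTLMSSP" means the client never presented a Kerberos service ticket to the server for that session.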