ONTAP 9 Manuals ( CA08871-402 )

Modify the CIFS server Kerberos security settings

You can modify certain CIFS server Kerberos security settings, including the maximum allowed Kerberos clock skew time, the Kerberos ticket lifetime, and the maximum number of ticket renewal days.

About this task

Modifying CIFS server Kerberos settings by using the vserver cifs security modify command modifies the settings only on the single storage virtual machine (SVM) that you specify with the -vserver parameter. You can centrally manage Kerberos security settings for all SVMs on the cluster belonging to the same Active Directory domain by using Active Directory group policy objects (GPOs).

Steps
  1. Perform one or more of the following actions:

    If you want to…​

    Enter…​

    Specify the maximum allowed Kerberos clock skew time in minutes (9.13.1 and later) or seconds (9.12.1 or earlier).

    vserver cifs security modify -vserver vserver_name -kerberos-clock-skew integer_in_minutes

    The default setting is 5 minutes.

    Specify the Kerberos ticket lifetime in hours.

    vserver cifs security modify -vserver vserver_name -kerberos-ticket-age integer_in_hours

    The default setting is 10 hours.

    Specify the maximum number of ticket renewal days.

    vserver cifs security modify -vserver vserver_name -kerberos-renew-age integer_in_days

    The default setting is 7 days.

    Specify the timeout for sockets on KDCs after which all KDCs are marked as unreachable.

    vserver cifs security modify -vserver vserver_name -kerberos-kdc-timeout integer_in_seconds

    The default setting is 3 seconds.

  2. Verify the Kerberos security settings:

    vserver cifs security show -vserver vserver_name

Example

The following example makes the following changes to Kerberos security: “Kerberos Clock Skew” is set to 3 minutes and “Kerberos Ticket Age” is set to 8 hours for SVM vs1:

cluster1::> vserver cifs security modify -vserver vs1 -kerberos-clock-skew 3 -kerberos-ticket-age 8

cluster1::> vserver cifs security show -vserver vs1

Vserver: vs1

                    Kerberos Clock Skew:                   3 minutes
                    Kerberos Ticket Age:                   8 hours
                   Kerberos Renewal Age:                   7 days
                   Kerberos KDC Timeout:                   3 seconds
                    Is Signing Required:               false
        Is Password Complexity Required:                true
   Use start_tls For AD LDAP connection:               false
              Is AES Encryption Enabled:               false
                 LM Compatibility Level:  lm-ntlm-ntlmv2-krb
             Is SMB Encryption Required:               false
Top of Page