We are using JAAS for Kerberos authentication. As a requirement from the customer, we want to make sure that SMB V2 or higher must be used during communication with KDC/AD.

I have a few basic questions related to this. Please excuse me if I sound too naive.

  1. Does the SMB protocol really come into the picture while using Kerberos authentication and credential delegation (especially with JAAS)?
  2. If yes, is there any way we can identify which SMB version is being used? For example, maybe by monitoring network traffic?
  3. Best practice to implement Kerberos + SMB? Any thoughts on the latest JCIFS (available on GIT) libraries?

Any pointers are highly appreciated! Thanks,

1 Answer

  1. The Kerberos negotiation and the SMB negotiation are separate. There is no (reasonable) way for the KDC to know the version of SMB used by either the SMB client or server. At most the KDC can make a reasonable guess as to the service/protocol being accessed/used (cifs/server.example.com vs nfs/server.example.com vs HTTP/server.example.com; host/server.example.com is overloaded, but tends to only be a few things, none of them SMB, that's the cifs one), but that's really about it.
  2. N/A
  3. Don't use old key types, though that's more of a general Kerberos rule. (The AES ones should be enough, though I tend to also keep the Camellia varieties around.) Not sure what JAAS uses by default, but it's probably worth checking you're not still using DES/3DES/RC4.
  • Thanks! Yes, I also cross-checked that disabling SMB1 on both client and server has no effect on Kerberos authentication. It works. To add further, NTLM (with the older JCIFS version) fails if SMB1 is disabled. They claim that this issue is addressed in the latest JCIFS version, but I see there is no active development going on. – Bhushan Karmarkar Jan 14 '21 at 08:22
  • About the keys: yes, AES can be used, but I think it requires a special setting on the service account in AD. For AES 256, the Java unlimited strength policy jars are a must. – Bhushan Karmarkar Jan 14 '21 at 08:25
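
An added example, not part of the original answer or comments: a small Python audit for the check suggested in point 3 of the answer, flagging DES/3DES/RC4 encryption types in a `krb5.conf`. It assumes the JAAS client takes its enctype settings from the `[libdefaults]` keys shown; the function names and both sample configurations are constructed for illustration.

```python
import re

# Names for the DES, 3DES and RC4 families the answer says to avoid.
WEAK = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
        "des3", "des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd",
        "rc4", "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
        "rc4-hmac-exp", "arcfour-hmac-exp"}
# Assumption: the client takes its enctype lists from these [libdefaults] keys.
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def libdefaults(text):
    """Return the key/value relations of the [libdefaults] section."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if header := re.fullmatch(r"\[(\w+)\]", line):
            section = header.group(1).lower()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            found[key.strip().lower()] = value.strip()
    return found

def audit(text):
    """Return (key, problem) findings for weak Kerberos enctype settings."""
    conf, findings = libdefaults(text), []
    if conf.get("allow_weak_crypto", "false").lower() in ("true", "yes", "on", "1"):
        findings.append(("allow_weak_crypto", "weak enctypes explicitly enabled"))
    for key in ENCTYPE_KEYS:
        if key not in conf:
            findings.append((key, "not set; library defaults apply"))
            continue
        weak = [e for e in re.split(r"[,\s]+", conf[key].lower()) if e in WEAK]
        if weak:
            findings.append((key, "weak enctypes listed: " + ", ".join(weak)))
    return findings

# Constructed sample configurations (not from the page).
LEGACY = """[libdefaults]
  allow_weak_crypto = true
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-md5
  permitted_enctypes = aes256-cts-hmac-sha1-96, des3-cbc-sha1
"""
HARDENED = """[libdefaults]
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""
```

Pass `audit()` the contents of the file the JVM actually loads, for instance the one named by the `java.security.krb5.conf` system property; a "not set" finding means the enctype list comes from library defaults and should be checked separately.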