Kerberos using JAAS and SMB protocol
- The Kerberos negotiation and the SMB negotiation are separate. There is no (reasonable) way for the KDC to know the version of SMB used by either the SMB client or server. At most the KDC can make a reasonable guess as to the service/protocol being accessed/used (
cifs/server.example.com
vs nfs/server.example.com
vs HTTP/server.example.com
. host/server.example.com
overloaded, but tends to only be a few things, none of them SMB, that's the cifs one), but that's really about it.
- N/A
- Don't use old key types, though that's more of a general kerberos rule. (The AES ones should be enough, though I tend to also keep the camellia varieties around.) Not sure what JAAS uses by default, but it's probably worth checking you're not still using DES/3DES/RC4.