Centrify DirectControl, Centrify Identity Service, Mac Edition
KB-0455: Does Centrify require SMB signing off on Windows File Share Servers?
Applies to: Centrify DirectControl running on Mac OS X 10.4.x and 10.5.2.
Question: Does Centrify require SMB signing off on Windows File Share Servers?
The Apple SMB client does not support SMB signing, while Windows 2003 DCs and Windows File Share servers have signing on by default. As a result, shares mounted from Windows File Share servers cannot be accessed.
To access these shares, make sure the following policy is "disabled" under both Default Domain Security Settings and Default Domain Controller Security Settings:
a. Default Domain Controller Security Settings -> Security Settings -> Local Policies -> Security Options -> Microsoft network server: Digitally sign communications (always)
b. Default Domain Security Settings -> Security Settings -> Local Policies -> Security Options -> Microsoft network server: Digitally sign communications (always)
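The following Python check is an added example, not part of the original KB or Centrify's code. It reads the state of this policy from each GPO's security template (the GptTmpl.inf file under the GPO's MACHINE\Microsoft\Windows NT\SecEdit folder in SYSVOL), so the setting can be confirmed in both policies. The function names and sample templates are constructed for illustration.

```python
# Added example (not Centrify code). Sample templates below are constructed.
# Registry value behind "Microsoft network server: Digitally sign
# communications (always)" in a GPO's GptTmpl.inf, [Registry Values] section.
KEY = (r"MACHINE\System\CurrentControlSet\Services"
       r"\LanManServer\Parameters\RequireSecuritySignature")

def decode_template(data):
    """GptTmpl.inf is normally UTF-16 with a BOM; fall back to UTF-8."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig")

def signing_always(inf_text):
    """True = enabled, False = disabled, None = not defined in this GPO."""
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
        elif in_section and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            if name.strip().lower() == KEY.lower():
                reg_type, _, value = data.partition(",")
                if reg_type.strip() != "4":      # 4 = REG_DWORD
                    raise ValueError("unexpected type: " + data)
                return int(value.strip()) != 0
    return None

def audit(templates):
    """Map GPO name -> 'enabled' / 'disabled' / 'not defined'."""
    label = {True: "enabled", False: "disabled", None: "not defined"}
    return {gpo: label[signing_always(decode_template(raw))]
            for gpo, raw in templates.items()}

def _sample(value):   # constructed template, encoded as UTF-16 with a BOM
    body = "[Unicode]\r\nUnicode=yes\r\n[Registry Values]\r\n"
    if value is not None:
        body += KEY + "=4,%d\r\n" % value
    return body.encode("utf-16")

if __name__ == "__main__":
    report = audit({"Default Domain Policy": _sample(0),
                    "Default Domain Controllers Policy": _sample(1)})
    for gpo, state in report.items():
        print("%-36s signing (always): %s" % (gpo, state))
```

A result of "not defined" means the GPO does not set the value, so the server's effective setting comes from elsewhere (another GPO or the local default) and has to be checked there.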
Another question may arise: how does Centrify DirectControl apply group policies, given that it has to fetch them from SYSVOL over SMB?
Answer: Centrify DirectControl installs and uses its own SMB client to retrieve the policies from the Domain Controllers. This client, adsmb (see the man page for more info), will communicate properly with a Windows 2003 domain controller where signed and authenticated access is required. You do not need to allow non-signed communication if all you need is Group Policy. As stated above, you will need to turn off the requirement for signed communication if you want to access shares located on Windows Servers.