
KB-0455: Does Centrify require SMB signing off on Windows File Share Servers?

Centrify DirectControl; Centrify Identity Service, Mac Edition

12 April,16 at 11:12 AM

Applies to: Centrify DirectControl running on Mac OS X 10.4.x and 10.5.2.

Question: Does Centrify require SMB signing off on Windows File Share Servers?

Answer:

The Apple SMB client does not support SMB signing, and Windows 2003 DCs and Windows File Share servers have signing on by default. As a result, shares mounted from Windows File Share servers cannot be accessed.

To access these shares, make sure the following policy is "disabled" under both Default Domain Security Settings and Default Domain Controller Security Settings:

a. Default Domain Controller Security Settings -> Security Settings -> Local Policies -> Security Options -> Microsoft network server: Digitally sign communications (always)

b. Default Domain Security Settings -> Security Settings -> Local Policies -> Security Options -> Microsoft network server: Digitally sign communications (always)

Another question may arise: how does Centrify DirectControl apply group policies, given that it has to fetch them from SYSVOL over SMB?

The answer is that Centrify DirectControl installs and uses its own SMB client to retrieve the policies from the Domain Controllers. This client, adsmb (see the man page for more info), will communicate properly with a Windows 2003 domain controller where signed and authenticated access is required. You do not need to allow non-signed communication if all you need is Group Policy. As stated above, you will need to turn off the requirement for signed communication if you want to access shares located on Windows Servers.
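To confirm which signing mode a file server actually advertises before and after the policy change, the SecurityMode byte of its SMB1 negotiate response can be decoded. The following is an added example, not Centrify code or part of the original article; it assumes an SMB1 (NT LM 0.12) negotiate response, and the helper names and sample packets are constructed for illustration.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SIGNING_ENABLED = 0x04   # NEGOTIATE_SECURITY_SIGNATURES_ENABLED
SIGNING_REQUIRED = 0x08  # NEGOTIATE_SECURITY_SIGNATURES_REQUIRED


def server_signing_mode(response: bytes) -> str:
    """Return 'required', 'enabled' or 'disabled' for an SMB1 negotiate response."""
    if len(response) < 36 or response[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    if response[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not a negotiate response")
    if struct.unpack_from("<I", response, 5)[0] != 0:
        raise ValueError("server returned an error status")
    if response[32] != 17:  # WordCount of an NT LM 0.12 response
        raise ValueError("not an NT LM 0.12 negotiate response")
    # The 32-byte header is followed by WordCount (1) and DialectIndex (2),
    # so SecurityMode sits at offset 35.
    mode = response[35]
    if mode & SIGNING_REQUIRED:
        return "required"  # "Digitally sign communications (always)" is on
    return "enabled" if mode & SIGNING_ENABLED else "disabled"


def client_can_connect(response: bytes, client_signs: bool) -> bool:
    """A client without signing support is refused only when signing is required."""
    return client_signs or server_signing_mode(response) != "required"


def build_sample(security_mode: int) -> bytes:
    """Constructed negotiate response (not a real capture) for the demo below."""
    header = struct.pack("<4sBIBHH8sHHHHH", SMB1_MAGIC, SMB_COM_NEGOTIATE,
                         0, 0x98, 0xC853, 0, b"\0" * 8, 0, 0, 0, 0, 0)
    params = struct.pack("<BHBHHIIIIQhB", 17, 0, security_mode, 50, 1,
                         16644, 65536, 0, 0x8001F3FD, 0, 0, 0)
    return header + params + struct.pack("<H", 0)  # ByteCount = 0


if __name__ == "__main__":
    for label, mode in (("policy enabled", 0x0F), ("policy disabled", 0x07)):
        pkt = build_sample(mode)
        print(label, "->", server_signing_mode(pkt),
              "| non-signing client:", client_can_connect(pkt, False),
              "| signing client:", client_can_connect(pkt, True))
```

A result of "required" matches the case above where a client without signing support cannot mount the share while a signing-capable client such as adsmb still can.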


 
