Hi,
Why access usually breaks with krb only:
• Kerberos relies on DNS and SPNs: If CIFS clients connect using an IP address or a name without a proper DNS PTR record, Kerberos cannot validate the SPN, and authentication fails. NTLM works in these cases, which is why reverting to ntlmv2-krb restores access.
• Dynamic DNS updates: ONTAP does not create DNS entries by default unless dynamic DNS is enabled. Without these, Kerberos tickets cannot be issued correctly.
• AES encryption negotiation: ONTAP supports AES-128 and AES-256 for Kerberos, but the client determines the algorithm. Ensure AES is enabled on the CIFS server (is-aes-encryption-enabled true).
• Windows Group Policy: Kerberos-only environments often require GPO adjustments to enforce Kerberos and SMB signing/encryption.
I would first verify the following:
vserver cifs security modify -vserver <SVM> -lm-compatibility-level krb \
-kerberos-clock-skew 5 -kerberos-ticket-age 10 \
-kerberos-renew-age 7 -kerberos-kdc-timeout 3 \
-is-aes-encryption-enabled true
• Verify DNS: Ensure forward and reverse DNS records exist for the CIFS server name.
• SPNs: Confirm SPNs for CIFS are registered in AD (e.g., HOST/cifs-server.domain).
Hope that helps
David
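A pre-flight check for the points in this reply (name-based access, forward and reverse DNS agreement, SPN registration, AES enabled), as an added example that is not part of the original post or of ONTAP; the HOST/ plus cifs/ SPN set and the optional `forward`/`reverse` lookup tables used to stand in for DNS are assumptions:

```python
import ipaddress
import socket

# Added example, not from the post or from ONTAP: a pre-flight check for the
# Kerberos-only preconditions listed above. `forward` and `reverse` are
# optional dicts that stand in for DNS so the check can run offline; when
# they are None the live resolver is used.

def expected_spns(fqdn):
    # Assumption: the CIFS server should carry HOST/ and cifs/ SPNs for its FQDN.
    return {f"host/{fqdn.lower()}", f"cifs/{fqdn.lower()}"}

def _resolve(table, key, live):
    if table is not None:
        if key not in table:
            raise OSError(f"no record for {key}")
        return table[key]
    return live(key)

def check_kerberos_prereqs(target, registered_spns, aes_enabled,
                           forward=None, reverse=None):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    try:
        ipaddress.ip_address(target)
    except ValueError:
        pass
    else:
        # An IP address gives the client no name to build an SPN from.
        return [f"clients reach {target} by IP; Kerberos cannot form an SPN"]
    name = target.lower().rstrip(".")
    try:
        ip = _resolve(forward, name, socket.gethostbyname)
    except OSError:
        return [f"no forward (A) record for {name}"]
    try:
        ptr = _resolve(reverse, ip, lambda a: socket.gethostbyaddr(a)[0])
    except OSError:
        findings.append(f"no PTR record for {ip}")
    else:
        if ptr.lower().rstrip(".") != name:
            findings.append(f"PTR for {ip} is {ptr}, expected {name}")
    registered = {s.lower() for s in registered_spns}
    for spn in sorted(expected_spns(name) - registered):
        findings.append(f"SPN {spn} is not registered in AD")
    if not aes_enabled:
        findings.append("is-aes-encryption-enabled is false on the CIFS server")
    return findings
```

Run it against the CIFS server name clients actually use in their UNC paths; a non-empty result points at the condition that will make Kerberos fail before you switch the SVM to krb.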