My suggestion would be to open a ticket with our support centre for this query, as it may require more in-depth troubleshooting than would be normal for a message forum like this. It may also involve using and analysing packet captures from the systems, which most customers aren't fans of sharing publicly.
So when you change the "LM Compatibility Level" to krb only, then only Kerberos authentication is accepted by the SVM.
So if a client connects to the SVM selecting NTLM authentication, then the SVM will fail the request.
I don't think the issue is because of the user account; rather, I think the client is trying to use NTLM authentication when connecting to the SVM. Since KRB is the only authentication allowed, the client fails to connect.
Whenever a client connects to the SVM using an IP address, only NTLM authentication will happen. So if "LM Compatibility Level" is set to krb only, then those client connections will fail.
If the issue is seen with the VSCAN user account, then it could be because the VSCAN connection is not configured for Kerberos.
For Kerberos authentication to work for the AV communication, create a DNS entry [HOST(A) record] for the data LIF used for the VSCAN connection and a service principal name [use setspn -s to add the SPN entry] on the DC corresponding to the DNS entry created for the data LIF. Use this name when adding a LIF to the AV Connector. The DNS should be able to return a unique name for each data LIF connected to the AV Connector.
::> vserver vscan scanner-pool create -vserver svm1 -scanner-pool vijay_pool1 -hostnames xx.xx.xx.xx -privileged-users email@example.com

Error: command failed: The privileged user name "firstname.lastname@example.org" is invalid. A valid privileged user name must be in the form "domain-name\user-name".
But I don't think we need to add it anywhere in the format user@domain. With domain\user, Kerberos works well. Kerberos is possible if an SPN is present for the host principal.
If I have a packet trace, I can say why NTLM is selected over Kerberos.
I would recommend opening a support case to check if the VSCAN LIFs are properly configured with SPNs added for them so that VSCAN can connect to the SVM using Kerberos authentication.
My problem was: After I had set LM Compatibility Level to krb only (and restarted the CIFS SVM), I can no longer log in using "DOMAIN\USER" at all. Only logins with a valid Kerberos ticket are working. Direct logins at the CIFS SVM using "domain\user" won't work. But logins using the UPN are working.
Sorry, I can't cross-check this for now, because the CIFS SVM must be restarted for this configuration change.
With ntlmv2-krb, I can log in using DOMAIN\USER and I get the auth-mechanism kerberos.
Checked using "vserver cifs session show -vserver my_cifs_server -fields auth-mechanism,netbios-name,address"