I'm finding this a little odd as kinit seems to find the kdc okay, just
smbclient fails.
host -t srv _kerberos._udp.lan resolves okay too. Could it be an issue that my
realm is simply LAN and the DNS suffix is lan? This is just a test setup in
VirtualBox for a writeup I'm doing, hence the nonstandard suffixes.
Kevin Ratcliffe
Sent from [ProtonMail](https://protonmail.ch)
-------- Original Message --------
Subject: Re: [Samba] smbclient and Kerberos
Local Time: 4 November 2016 9:11 PM
UTC Time: 4 November 2016 21:11
From: mike at datacontrolsystems.com
To: Kevr <kevr at protonmail.com>
samba at lists.samba.org
The defaults for dns_lookup_realm and dns_lookup_kdc should be false and true
respectively, but the Samba team recommends using them explicitly, so that's
what I do. My /etc/krb5.conf file doesn't include any of the stock lines
included with the package from Ubuntu (which I believe is based on the MIT
version of Kerberos). My file includes the four lines in the previous message
and only those four lines. Maybe something in the stock file causes the problem
you're seeing?
Mike E.
On Fri, Nov 4, 2016 at 5:01 PM, Kevr <kevr at protonmail.com> wrote:
Hmmmm. I'm using the stock krb5.conf installed by apt-get. So basically all
I have is the default_realm set to my realm in [libdefaults]. I was under the
impression that dns_lookup_kdc was true by default. Am I wrong?
Kevin Ratcliffe
-------- Original Message --------
Subject: Re: [Samba] smbclient and Kerberos
Local Time: 4 November 2016 8:48 PM
UTC Time: 4 November 2016 20:48
From: samba at lists.samba.org
To: Kevr <kevr at protonmail.com>
samba at lists.samba.org <samba at lists.samba.org>
Mine seem to work fine also using Ubuntu 16.04.1 on the servers and a
separate workstation client. My /etc/krb5.conf files on the servers and
clients are all simply:
[libdefaults]
default_realm = REALM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
Mike E.
On Fri, Nov 4, 2016 at 4:10 PM, Kevr via samba <samba at lists.samba.org>
wrote:
> Hi All
>
> Is this behaviour expected in smbclient:
>
> I have a kerberized Samba server and a share that works as expected on
> desktop clients, but when I use smbclient with a valid ticket with the -k
> flag I get a KDC lookup failure
>
> kev at client:/home/testuser$ smbclient -k -L //fileserver
> gss_init_sec_context failed with [ Miscellaneous failure (see text):
> unable to reach any KDC in realm LAN]
> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
> session setup failed: NT_STATUS_INTERNAL_ERROR
>
> I've noticed that if I configure the KDC server in the [realm] section of
> my /etc/krb5.conf everything works fine.
>
> Does smbclient not use the DNS for KDC lookup?
>
> I am using version Version 4.3.11-Ubuntu on Ubuntu 16.04.1
>
> Thanks
>
>
>
> Kevin Ratcliffe
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
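The thread compares three krb5.conf variants: the stock file with only default_realm set, the four-line file with explicit dns_lookup_* settings, and the workaround with a KDC listed for the realm. The following is an added example, not code from any participant or from Samba: it parses a krb5.conf and reports whether KDC discovery for the default realm would come from a static entry or from DNS SRV lookups. Assumptions: dns_lookup_kdc defaults to true when absent (as stated in the thread), SRV names are _kerberos._udp and _kerberos._tcp under the realm name, and kdc.lan is a placeholder host name.

```python
import re

TRUE = {"y", "yes", "true", "t", "1", "on"}  # boolean spellings krb5.conf accepts

# Constructed samples modelled on the thread: stock file with only default_realm,
# and the workaround with a static KDC (kdc.lan is a placeholder host name).
STOCK = "[libdefaults]\n    default_realm = LAN\n"
STATIC = STOCK + "[realms]\n    LAN = {\n        kdc = kdc.lan\n    }\n"

def parse_krb5_conf(text):
    """Return (libdefaults dict, {realm: [kdc, ...]}) from krb5.conf text."""
    libdefaults, realms = {}, {}
    section, realm, depth = None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm, depth = header.group(1), None, 0
        elif line == "}":
            depth -= 1
            if depth == 0:
                realm = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = value
            elif section == "realms" and value == "{":
                if depth == 0:                 # top-level brace opens a realm
                    realm = key
                    realms[realm] = []
                depth += 1
            elif section == "realms" and depth == 1 and key == "kdc":
                realms[realm].append(value)
    return libdefaults, realms

def kdc_discovery(text):
    """Say how a client reading this file would locate a KDC for default_realm."""
    libdefaults, realms = parse_krb5_conf(text)
    realm = libdefaults.get("default_realm")
    if not realm:
        return {"realm": None, "method": "none", "targets": []}
    if realms.get(realm):                      # static entries win over DNS
        return {"realm": realm, "method": "static", "targets": realms[realm]}
    # Assumed default when the key is absent: true, as stated in the thread.
    if libdefaults.get("dns_lookup_kdc", "true").lower() in TRUE:
        names = [f"_kerberos._{p}.{realm.lower()}" for p in ("udp", "tcp")]
        return {"realm": realm, "method": "dns-srv", "targets": names}
    return {"realm": realm, "method": "none", "targets": []}
```

The names returned for the DNS case are the ones to check with host -t srv, as done for _kerberos._udp.lan in the thread.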