Nathaniel W. Turner
2019-Nov-15 17:23 UTC
[Samba] Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
Hi all. I?m trying to understand a weird authentication failure: I have two domains (TC83.LOCAL and TC84.LOCAL), each in a diferent forest, with a bidirectional forest trust. The samba server kvm7246-vm022.maas.local is a domain member of TC83 and is running a recent build from git master (f38077ea5ee). When I test authentication of users in each domain by running ntlm_auth on the samba server, it is successful for users in either domain. When I try to connect from a Windows client in TC84 using SMB, it is only successful for users in the TC83 domain. For users in the TC84 domain, smbd seems to go off the rails looking for a Kerberos machine principal in the TC84 domain, even though it is not a member of that domain (it's a member of TC83, which trusts TC84): Nov 15 15:53:04 kvm7246-vm022 smbd[15209]: [2019/11/15 15:53:04.524996, 1, pid=15209, effective(0, 0), real(0, 0)] ../../source3/librpc/crypto/gse.c:659(gse_get_server_auth_token) Nov 15 15:53:04 kvm7246-vm022 smbd[15209]: gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/kvm7246-vm022.maas.local at TC84.LOCAL(kvno 10) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)] Why is smbd looking for a principal of the form "cifs/kvm7246-vm022.maas.local at TC84.LOCAL"? n [See https://drive.google.com/drive/folders/1jsVWHL--mVEnK9pDFUajyt2nQQ5cLpOQ for full logs and smb.conf]
banda bassotti
2019-Nov-15 19:20 UTC
[Samba] Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
Hi, please run the command: klist -ek /etc/krb5.keytab and post the output along with the file smb.conf. how do you access your share? \\kvm7246-vm022.maas.local\\ <https://lists.samba.org/mailman/listinfo/samba>sharename" or something like that? bb. Il giorno ven 15 nov 2019 alle ore 18:24 Nathaniel W. Turner via samba < samba at lists.samba.org> ha scritto:> Hi all. I?m trying to understand a weird authentication failure: > > I have two domains (TC83.LOCAL and TC84.LOCAL), each in a diferent forest, > with a bidirectional forest trust. > The samba server kvm7246-vm022.maas.local is a domain member of TC83 and is > running a recent build from git master (f38077ea5ee). > > When I test authentication of users in each domain by running ntlm_auth on > the samba server, it is successful for users in either domain. > > When I try to connect from a Windows client in TC84 using SMB, it is only > successful for users in the TC83 domain. For users in the TC84 domain, smbd > seems to go off the rails looking for a Kerberos machine principal in the > TC84 domain, even though it is not a member of that domain (it's a member > of TC83, which trusts TC84): > > Nov 15 15:53:04 kvm7246-vm022 smbd[15209]: [2019/11/15 15:53:04.524996, 1, > pid=15209, effective(0, 0), real(0, 0)] > ../../source3/librpc/crypto/gse.c:659(gse_get_server_auth_token) > Nov 15 15:53:04 kvm7246-vm022 smbd[15209]: gss_accept_sec_context failed > with [ Miscellaneous failure (see text): Failed to find > cifs/kvm7246-vm022.maas.local at TC84.LOCAL(kvno 10) in keytab > MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)] > > Why is smbd looking for a principal of the form > "cifs/kvm7246-vm022.maas.local at TC84.LOCAL"? > > n > > [See > https://drive.google.com/drive/folders/1jsVWHL--mVEnK9pDFUajyt2nQQ5cLpOQ > for > full logs and smb.conf] > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Nathaniel W. Turner
2019-Nov-15 20:02 UTC
[Samba] Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
Here's the keytab info: ubuntu at kvm7246-vm022:~/samba$ sudo klist -ek /etc/krb5.keytab Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 1) 12 host/KVM7246-VM022 at TC83.LOCAL (etype 1) 12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 3) 12 host/KVM7246-VM022 at TC83.LOCAL (etype 3) 12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (aes128-cts-hmac-sha1-96) 12 host/KVM7246-VM022 at TC83.LOCAL (aes128-cts-hmac-sha1-96) 12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (aes256-cts-hmac-sha1-96) 12 host/KVM7246-VM022 at TC83.LOCAL (aes256-cts-hmac-sha1-96) 12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (arcfour-hmac) 12 host/KVM7246-VM022 at TC83.LOCAL (arcfour-hmac) 12 exagrid/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 1) 12 exagrid/KVM7246-VM022 at TC83.LOCAL (etype 1) 12 exagrid/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 3) 12 exagrid/KVM7246-VM022 at TC83.LOCAL (etype 3) 12 exagrid/kvm7246-vm022.tc83.local at TC83.LOCAL (aes128-cts-hmac-sha1-96) 12 exagrid/KVM7246-VM022 at TC83.LOCAL (aes128-cts-hmac-sha1-96) 12 exagrid/kvm7246-vm022.tc83.local at TC83.LOCAL (aes256-cts-hmac-sha1-96) 12 exagrid/KVM7246-VM022 at TC83.LOCAL (aes256-cts-hmac-sha1-96) 12 exagrid/kvm7246-vm022.tc83.local at TC83.LOCAL (arcfour-hmac) 12 exagrid/KVM7246-VM022 at TC83.LOCAL (arcfour-hmac) 12 KVM7246-VM022$@TC83.LOCAL (etype 1) 12 KVM7246-VM022$@TC83.LOCAL (etype 3) 12 KVM7246-VM022$@TC83.LOCAL (aes128-cts-hmac-sha1-96) 12 KVM7246-VM022$@TC83.LOCAL (aes256-cts-hmac-sha1-96) 12 KVM7246-VM022$@TC83.LOCAL (arcfour-hmac) The client is a Windows box, and I'm running this command: net use x: \\kvm7246-vm022.maas.local\test /user:tc84\administrator I see the same behavior when I use smbclient: smbclient //kvm7246-vm022.maas.local/test -U administrator at tc84.local On Fri, Nov 15, 2019 at 2:20 PM banda bassotti <bandabasotti at gmail.com> wrote:> Hi, please run the command: > > klist -ek /etc/krb5.keytab and post the output along with the file > smb.conf. > how do you access your share? > > \\kvm7246-vm022.maas.local\\ > <https://lists.samba.org/mailman/listinfo/samba>sharename" > > or something like that? > > bb. > > > > Il giorno ven 15 nov 2019 alle ore 18:24 Nathaniel W. Turner via samba < > samba at lists.samba.org> ha scritto: > >> Hi all. I?m trying to understand a weird authentication failure: >> >> I have two domains (TC83.LOCAL and TC84.LOCAL), each in a diferent forest, >> with a bidirectional forest trust. >> The samba server kvm7246-vm022.maas.local is a domain member of TC83 and >> is >> running a recent build from git master (f38077ea5ee). >> >> When I test authentication of users in each domain by running ntlm_auth on >> the samba server, it is successful for users in either domain. >> >> When I try to connect from a Windows client in TC84 using SMB, it is only >> successful for users in the TC83 domain. For users in the TC84 domain, >> smbd >> seems to go off the rails looking for a Kerberos machine principal in the >> TC84 domain, even though it is not a member of that domain (it's a member >> of TC83, which trusts TC84): >> >> Nov 15 15:53:04 kvm7246-vm022 smbd[15209]: [2019/11/15 15:53:04.524996, >> 1, >> pid=15209, effective(0, 0), real(0, 0)] >> ../../source3/librpc/crypto/gse.c:659(gse_get_server_auth_token) >> Nov 15 15:53:04 kvm7246-vm022 smbd[15209]: gss_accept_sec_context failed >> with [ Miscellaneous failure (see text): Failed to find >> cifs/kvm7246-vm022.maas.local at TC84.LOCAL(kvno 10) in keytab >> MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)] >> >> Why is smbd looking for a principal of the form >> "cifs/kvm7246-vm022.maas.local at TC84.LOCAL"? >> >> n >> >> [See >> https://drive.google.com/drive/folders/1jsVWHL--mVEnK9pDFUajyt2nQQ5cLpOQ >> for >> full logs and smb.conf] >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> >
Maybe Matching Threads
- Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
- Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
- Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
- AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"
- Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?