Hi All

Is this behaviour expected in smbclient:

I have a kerberized Samba server and a share that works as expected on desktop clients, but when I use smbclient with a valid ticket with the -k flag I get a KDC lookup failure

    kev at client:/home/testuser$ smbclient -k -L //fileserver
    gss_init_sec_context failed with [ Miscellaneous failure (see text): unable to reach any KDC in realm LAN]
    SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
    session setup failed: NT_STATUS_INTERNAL_ERROR

I've noticed that if I configure the KDC server in the [realm] section of my /etc/krb5.conf everything works fine.

Does smbclient not use the DNS for KDC lookup?

I am using version Version 4.3.11-Ubuntu on Ubuntu 16.04.1

Thanks

Kevin Ratcliffe

Sent from [ProtonMail](https://protonmail.ch)
Data Control Systems - Mike Elkevizth
2016-Nov-04 20:48 UTC
[Samba] smbclient and Kerberos
Mine seem to work fine also using Ubuntu 16.04.1 on the servers and a separate workstation client. My /etc/krb5.conf files on the servers and clients are all simply:

    [libdefaults]
        default_realm = REALM.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

Mike E.
Data Control Systems - Mike Elkevizth
2016-Nov-04 21:11 UTC
[Samba] smbclient and Kerberos
The defaults for dns_lookup_realm and dns_lookup_kdc should be false and true respectively, but the Samba team recommends using them explicitly, so that's what I do. My /etc/krb5.conf file doesn't include any of the stock lines included with the package from Ubuntu (which I believe is based on the MIT version of Kerberos). My file includes the four lines in the previous message and only those four lines. Maybe something in the stock file causes the problem you're seeing?

Mike E.

On Fri, Nov 4, 2016 at 5:01 PM, Kevr <kevr at protonmail.com> wrote:

> Hmmmm. I'm using the stock krb5.conf installed by apt-get. So basically all I have is the default_realm set to my realm in [libdefaults]. I was under the impression that dns_lookup_kdc was true by default. Am I wrong?
>
> Kevin Ratcliffe
I'm finding this a little odd as kinit seems to find the KDC okay, just smbclient fails. host -t srv _kerberos._udp.lan resolves okay too.

Could the fact that my realm is simply LAN and the DNS suffix is lan be an issue? This is just a test setup in VirtualBox for a writeup I'm doing, hence the nonstandard suffixes.

Kevin Ratcliffe

Sent from [ProtonMail](https://protonmail.ch)
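An added example, not written by anyone in the thread: a shell function that reads a krb5.conf and reports whether the default realm's KDC comes from an explicit `kdc` entry or has to be found through the `_kerberos._udp` / `_kerberos._tcp` SRV records mentioned above. The function name, the output format and the host `dc1.lan` are assumptions; an absent `dns_lookup_kdc` is reported as `unset`, meaning the Kerberos library's own default applies.

```shell
#!/bin/sh
# kdc_discovery [FILE]: read a krb5.conf (file or stdin) and report how a client
# would locate a KDC for default_realm: explicit kdc entries or DNS SRV lookup.
# Only the multi-line "REALM = {" form of [realms] is handled.
kdc_discovery() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }             # comments and blank lines
    /^[ \t]*\[/ { section = trim($0); realm = ""; next }
    {   # split "key = value"; lines without "=" keep the whole text as key
        line = trim($0); eq = index(line, "="); key = line; val = ""
        if (eq) { key = trim(substr(line, 1, eq - 1)); val = trim(substr(line, eq + 1)) }
    }
    section == "[libdefaults]" && key == "default_realm"  { def = val }
    section == "[libdefaults]" && key == "dns_lookup_kdc" { dns = tolower(val) }
    section == "[realms]" && val == "{"  { realm = key; next }
    section == "[realms]" && line == "}" { realm = ""; next }
    section == "[realms]" && realm != "" && key == "kdc" { kdc[realm] = kdc[realm] " " val }
    END {
        printf "realm=%s dns_lookup_kdc=%s ", def, (dns == "" ? "unset" : dns)
        if (def in kdc)
            print "source=krb5.conf kdc=" trim(kdc[def])
        else if (dns == "false" || dns == "no" || dns == "0" || dns == "off")
            print "source=none"
        else
            print "source=dns srv=_kerberos._udp." tolower(def) ",_kerberos._tcp." tolower(def)
    }' "$@"
}

# Constructed samples: a stock-style file with only default_realm set, then the
# same file with the KDC pinned in [realms] (dc1.lan is a made-up host name).
stock='[libdefaults]
    default_realm = LAN'
pinned="$stock
[realms]
    LAN = {
        kdc = dc1.lan
    }"
printf '%s\n' "$stock"  | kdc_discovery
printf '%s\n' "$pinned" | kdc_discovery
```

When the report says `source=dns`, the listed SRV names are the ones to check with `host -t srv` from the client that fails.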