Nathaniel W. Turner
2019-Nov-15 16:49 UTC
[Samba] Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
I?m trying to understand a weird authentication failure: I have two domains (TC83.LOCAL and TC84.LOCAL), each in a diferent forest, with a bidirectional forest trust. The samba server kvm7246-vm022.maas.local is a domain member of TC83 and is running a recent build from git master (f38077ea5ee). When I test authentication of users in each domain by running ntlm_auth on the samba server, it is successful for users in either domain. When I try to connect from a Windows client in TC84 using SMB, it is only successful for users in the TC83 domain. For users in the TC84 domain, smbd seems to go off the rails looking for a Kerberos machine principal in the TC84 domain, even though it is not a member of that domain (it's a member of TC83, which trusts TC84): Nov 15 15:53:04 kvm7246-vm022 smbd[15209]: [2019/11/15 15:53:04.524996, 1, pid=15209, effective(0, 0), real(0, 0)] ../../source3/librpc/crypto/gse.c:659(gse_get_server_auth_token) Nov 15 15:53:04 kvm7246-vm022 smbd[15209]: gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/kvm7246-vm022.maas.local at TC84.LOCAL(kvno 10) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)] Why is smbd looking for a principal of the form "cifs/kvm7246-vm022.maas.local at TC84.LOCAL"? n [See https://drive.google.com/drive/folders/1jsVWHL--mVEnK9pDFUajyt2nQQ5cLpOQ for full logs and smb.conf]
Maybe Matching Threads
- Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
- Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
- Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
- Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
- Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?