samba - Nov 2019 - Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?

Hi all. I?m trying to understand a weird authentication failure:

I have two domains (TC83.LOCAL and TC84.LOCAL), each in a diferent forest,
with a bidirectional forest trust.
The samba server kvm7246-vm022.maas.local is a domain member of TC83 and is
running a recent build from git master (f38077ea5ee).

When I test authentication of users in each domain by running ntlm_auth on
the samba server, it is successful for users in either domain.

When I try to connect from a Windows client in TC84 using SMB, it is only
successful for users in the TC83 domain. For users in the TC84 domain, smbd
seems to go off the rails looking for a Kerberos machine principal in the
TC84 domain, even though it is not a member of that domain (it's a member
of TC83, which trusts TC84):

Nov 15 15:53:04 kvm7246-vm022 smbd[15209]: [2019/11/15 15:53:04.524996,  1,
pid=15209, effective(0, 0), real(0, 0)]
../../source3/librpc/crypto/gse.c:659(gse_get_server_auth_token)
Nov 15 15:53:04 kvm7246-vm022 smbd[15209]:   gss_accept_sec_context failed
with [ Miscellaneous failure (see text): Failed to find
cifs/kvm7246-vm022.maas.local at TC84.LOCAL(kvno 10) in keytab
MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]

Why is smbd looking for a principal of the form
"cifs/kvm7246-vm022.maas.local at TC84.LOCAL"?

n

[See
https://drive.google.com/drive/folders/1jsVWHL--mVEnK9pDFUajyt2nQQ5cLpOQ for
full logs and smb.conf]

Hi, please run the command:

klist -ek /etc/krb5.keytab and post the output along with the file smb.conf.
how do you access your share?

\\kvm7246-vm022.maas.local\\
<https://lists.samba.org/mailman/listinfo/samba>sharename"

or something like that?

bb.



Il giorno ven 15 nov 2019 alle ore 18:24 Nathaniel W. Turner via samba <
samba at lists.samba.org> ha scritto:
> Hi all. I?m trying to understand a weird authentication failure:
>
> I have two domains (TC83.LOCAL and TC84.LOCAL), each in a diferent forest,
> with a bidirectional forest trust.
> The samba server kvm7246-vm022.maas.local is a domain member of TC83 and is
> running a recent build from git master (f38077ea5ee).
>
> When I test authentication of users in each domain by running ntlm_auth on
> the samba server, it is successful for users in either domain.
>
> When I try to connect from a Windows client in TC84 using SMB, it is only
> successful for users in the TC83 domain. For users in the TC84 domain, smbd
> seems to go off the rails looking for a Kerberos machine principal in the
> TC84 domain, even though it is not a member of that domain (it's a
member
> of TC83, which trusts TC84):
>
> Nov 15 15:53:04 kvm7246-vm022 smbd[15209]: [2019/11/15 15:53:04.524996,  1,
> pid=15209, effective(0, 0), real(0, 0)]
> ../../source3/librpc/crypto/gse.c:659(gse_get_server_auth_token)
> Nov 15 15:53:04 kvm7246-vm022 smbd[15209]:   gss_accept_sec_context failed
> with [ Miscellaneous failure (see text): Failed to find
> cifs/kvm7246-vm022.maas.local at TC84.LOCAL(kvno 10) in keytab
> MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
>
> Why is smbd looking for a principal of the form
> "cifs/kvm7246-vm022.maas.local at TC84.LOCAL"?
>
> n
>
> [See
> https://drive.google.com/drive/folders/1jsVWHL--mVEnK9pDFUajyt2nQQ5cLpOQ
> for
> full logs and smb.conf]
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Here's the keytab info:

ubuntu at kvm7246-vm022:~/samba$ sudo klist -ek /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
  12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 1)
  12 host/KVM7246-VM022 at TC83.LOCAL (etype 1)
  12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 3)
  12 host/KVM7246-VM022 at TC83.LOCAL (etype 3)
  12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (aes128-cts-hmac-sha1-96)
  12 host/KVM7246-VM022 at TC83.LOCAL (aes128-cts-hmac-sha1-96)
  12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 host/KVM7246-VM022 at TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (arcfour-hmac)
  12 host/KVM7246-VM022 at TC83.LOCAL (arcfour-hmac)
  12 exagrid/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 1)
  12 exagrid/KVM7246-VM022 at TC83.LOCAL (etype 1)
  12 exagrid/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 3)
  12 exagrid/KVM7246-VM022 at TC83.LOCAL (etype 3)
  12 exagrid/kvm7246-vm022.tc83.local at TC83.LOCAL (aes128-cts-hmac-sha1-96)
  12 exagrid/KVM7246-VM022 at TC83.LOCAL (aes128-cts-hmac-sha1-96)
  12 exagrid/kvm7246-vm022.tc83.local at TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 exagrid/KVM7246-VM022 at TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 exagrid/kvm7246-vm022.tc83.local at TC83.LOCAL (arcfour-hmac)
  12 exagrid/KVM7246-VM022 at TC83.LOCAL (arcfour-hmac)
  12 KVM7246-VM022$@TC83.LOCAL (etype 1)
  12 KVM7246-VM022$@TC83.LOCAL (etype 3)
  12 KVM7246-VM022$@TC83.LOCAL (aes128-cts-hmac-sha1-96)
  12 KVM7246-VM022$@TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 KVM7246-VM022$@TC83.LOCAL (arcfour-hmac)

The client is a Windows box, and I'm running this command:

net use x: \\kvm7246-vm022.maas.local\test /user:tc84\administrator

I see the same behavior when I use smbclient:

smbclient //kvm7246-vm022.maas.local/test -U administrator at tc84.local

On Fri, Nov 15, 2019 at 2:20 PM banda bassotti <bandabasotti at gmail.com>
wrote:
> Hi, please run the command:
>
> klist -ek /etc/krb5.keytab and post the output along with the file
> smb.conf.
> how do you access your share?
>
> \\kvm7246-vm022.maas.local\\
> <https://lists.samba.org/mailman/listinfo/samba>sharename"
>
> or something like that?
>
> bb.
>
>
>
> Il giorno ven 15 nov 2019 alle ore 18:24 Nathaniel W. Turner via samba <
> samba at lists.samba.org> ha scritto:
>
>> Hi all. I?m trying to understand a weird authentication failure:
>>
>> I have two domains (TC83.LOCAL and TC84.LOCAL), each in a diferent
forest,
>> with a bidirectional forest trust.
>> The samba server kvm7246-vm022.maas.local is a domain member of TC83
and
>> is
>> running a recent build from git master (f38077ea5ee).
>>
>> When I test authentication of users in each domain by running ntlm_auth
on
>> the samba server, it is successful for users in either domain.
>>
>> When I try to connect from a Windows client in TC84 using SMB, it is
only
>> successful for users in the TC83 domain. For users in the TC84 domain,
>> smbd
>> seems to go off the rails looking for a Kerberos machine principal in
the
>> TC84 domain, even though it is not a member of that domain (it's a
member
>> of TC83, which trusts TC84):
>>
>> Nov 15 15:53:04 kvm7246-vm022 smbd[15209]: [2019/11/15 15:53:04.524996,
>> 1,
>> pid=15209, effective(0, 0), real(0, 0)]
>> ../../source3/librpc/crypto/gse.c:659(gse_get_server_auth_token)
>> Nov 15 15:53:04 kvm7246-vm022 smbd[15209]:   gss_accept_sec_context
failed
>> with [ Miscellaneous failure (see text): Failed to find
>> cifs/kvm7246-vm022.maas.local at TC84.LOCAL(kvno 10) in keytab
>> MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
>>
>> Why is smbd looking for a principal of the form
>> "cifs/kvm7246-vm022.maas.local at TC84.LOCAL"?
>>
>> n
>>
>> [See
>>
https://drive.google.com/drive/folders/1jsVWHL--mVEnK9pDFUajyt2nQQ5cLpOQ
>> for
>> full logs and smb.conf]
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>