Nathaniel W. Turner
2019-Nov-15 20:02 UTC
[Samba] Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
Here's the keytab info:

ubuntu@kvm7246-vm022:~/samba$ sudo klist -ek /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (etype 1)
  12 host/KVM7246-VM022@TC83.LOCAL (etype 1)
  12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (etype 3)
  12 host/KVM7246-VM022@TC83.LOCAL (etype 3)
  12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (aes128-cts-hmac-sha1-96)
  12 host/KVM7246-VM022@TC83.LOCAL (aes128-cts-hmac-sha1-96)
  12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 host/KVM7246-VM022@TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (arcfour-hmac)
  12 host/KVM7246-VM022@TC83.LOCAL (arcfour-hmac)
  12 exagrid/kvm7246-vm022.tc83.local@TC83.LOCAL (etype 1)
  12 exagrid/KVM7246-VM022@TC83.LOCAL (etype 1)
  12 exagrid/kvm7246-vm022.tc83.local@TC83.LOCAL (etype 3)
  12 exagrid/KVM7246-VM022@TC83.LOCAL (etype 3)
  12 exagrid/kvm7246-vm022.tc83.local@TC83.LOCAL (aes128-cts-hmac-sha1-96)
  12 exagrid/KVM7246-VM022@TC83.LOCAL (aes128-cts-hmac-sha1-96)
  12 exagrid/kvm7246-vm022.tc83.local@TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 exagrid/KVM7246-VM022@TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 exagrid/kvm7246-vm022.tc83.local@TC83.LOCAL (arcfour-hmac)
  12 exagrid/KVM7246-VM022@TC83.LOCAL (arcfour-hmac)
  12 KVM7246-VM022$@TC83.LOCAL (etype 1)
  12 KVM7246-VM022$@TC83.LOCAL (etype 3)
  12 KVM7246-VM022$@TC83.LOCAL (aes128-cts-hmac-sha1-96)
  12 KVM7246-VM022$@TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 KVM7246-VM022$@TC83.LOCAL (arcfour-hmac)

The client is a Windows box, and I'm running this command:

net use x: \\kvm7246-vm022.maas.local\test /user:tc84\administrator

I see the same behavior when I use smbclient:

smbclient //kvm7246-vm022.maas.local/test -U administrator@tc84.local

On Fri, Nov 15, 2019 at 2:20 PM banda bassotti <bandabasotti at gmail.com> wrote:
> Hi, please run the command:
>
> klist -ek /etc/krb5.keytab and post the output along with the file smb.conf.
> how do you access your share?
>
> \\kvm7246-vm022.maas.local\sharename
>
> or something like that?
>
> bb.
>
> On Fri, 15 Nov 2019 at 18:24 Nathaniel W. Turner via samba <samba at lists.samba.org> wrote:
>
>> Hi all. I'm trying to understand a weird authentication failure:
>>
>> I have two domains (TC83.LOCAL and TC84.LOCAL), each in a different forest, with a bidirectional forest trust.
>> The samba server kvm7246-vm022.maas.local is a domain member of TC83 and is running a recent build from git master (f38077ea5ee).
>>
>> When I test authentication of users in each domain by running ntlm_auth on the samba server, it is successful for users in either domain.
>>
>> When I try to connect from a Windows client in TC84 using SMB, it is only successful for users in the TC83 domain. For users in the TC84 domain, smbd seems to go off the rails looking for a Kerberos machine principal in the TC84 domain, even though it is not a member of that domain (it's a member of TC83, which trusts TC84):
>>
>> Nov 15 15:53:04 kvm7246-vm022 smbd[15209]: [2019/11/15 15:53:04.524996, 1, pid=15209, effective(0, 0), real(0, 0)] ../../source3/librpc/crypto/gse.c:659(gse_get_server_auth_token)
>> Nov 15 15:53:04 kvm7246-vm022 smbd[15209]:   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/kvm7246-vm022.maas.local@TC84.LOCAL(kvno 10) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
>>
>> Why is smbd looking for a principal of the form "cifs/kvm7246-vm022.maas.local@TC84.LOCAL"?
>>
>> n
>>
>> [See https://drive.google.com/drive/folders/1jsVWHL--mVEnK9pDFUajyt2nQQ5cLpOQ for full logs and smb.conf]
>> --
>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Nathaniel W. Turner
2019-Nov-19 19:51 UTC
[Samba] Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
In case you missed the link in the original email, here's the smb.conf:

[global]
	kerberos method = secrets and keytab
	logging = systemd
	realm = TC83.LOCAL
	security = ADS
	template homedir = /home/%U@%D
	template shell = /bin/bash
	winbind offline logon = Yes
	winbind refresh tickets = Yes
	workgroup = TC83
	idmap config * : range = 1000000-19999999
	idmap config * : backend = autorid

[test]
	path = /srv/test
	valid users = "@tc83.local\domain users" "@tc84.local\domain users"
Nathaniel W. Turner
2019-Nov-19 22:11 UTC
[Samba] Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
Is it expected that samba will be looking for a principal of the form "cifs/kvm7246-vm022.maas.local@TC84.LOCAL"?

My guess is no, since the keytab (as I'd expect) only contains keys for principals in the server's domain, TC83.LOCAL. Is this a bug, or have I configured something incorrectly?
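The keytab listing and the smbd error in this thread contain enough to check mechanically which components of the requested principal the keytab cannot satisfy. The script below is an added example, not code from the thread or from Samba: it parses a constructed subset of the klist -ek output posted above together with the gss_accept_sec_context line, splits the requested principal into service, host and realm, and reports each component the file keytab lacks (realm, host name, kvno, enctype). The error names an in-memory keytab (MEMORY:cifs_srv_keytab) rather than /etc/krb5.keytab itself, so the absence of a cifs/ entry from the file is reported as an observation only; the realm, host and kvno differences are the findings worth chasing.

```python
import re
from collections import namedtuple

# Constructed sample: a subset of the klist -ek output posted in the thread.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 host/KVM7246-VM022@TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 exagrid/kvm7246-vm022.tc83.local@TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 KVM7246-VM022$@TC83.LOCAL (aes256-cts-hmac-sha1-96)
"""

# Constructed sample: the gss_accept_sec_context failure text from the thread.
SMBD_ERROR = ("gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
              "Failed to find cifs/kvm7246-vm022.maas.local@TC84.LOCAL(kvno 10) in keytab "
              "MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]")

KeytabEntry = namedtuple("KeytabEntry", "kvno service host realm etype")

# "  12 host/fqdn@REALM (enctype)" lines; header and separator lines do not match.
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")
# "Failed to find PRINCIPAL(kvno N) in keytab NAME (enctype)"
ERROR_LINE = re.compile(r"Failed to find (\S+?)\(kvno (\d+)\) in keytab (\S+) \(([^)]+)\)")


def split_principal(principal):
    """Split 'service/host@REALM' or 'name@REALM' into (service, host, realm)."""
    name, _, realm = principal.rpartition("@")
    if "/" in name:
        service, host = name.split("/", 1)
    else:
        service, host = None, name          # machine account, e.g. HOST$@REALM
    return service, host, realm


def parse_klist(text):
    """Return the KeytabEntry list for a klist -ek listing."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if not m:
            continue
        service, host, realm = split_principal(m.group(2))
        entries.append(KeytabEntry(int(m.group(1)), service, host, realm, m.group(3)))
    return entries


def parse_error(line):
    """Extract the principal, kvno, keytab name and enctype smbd failed to find."""
    m = ERROR_LINE.search(line)
    if not m:
        raise ValueError("not a keytab lookup failure")
    service, host, realm = split_principal(m.group(1))
    return {"service": service, "host": host, "realm": realm,
            "kvno": int(m.group(2)), "keytab": m.group(3), "etype": m.group(4)}


def diagnose(klist_text, error_line):
    """Compare the requested principal against the keytab, component by component."""
    entries = parse_klist(klist_text)
    want = parse_error(error_line)
    realms = {e.realm for e in entries}
    hosts = {e.host.lower() for e in entries}
    services = {e.service for e in entries if e.service}
    kvnos = {e.kvno for e in entries}
    findings = []
    if want["realm"] not in realms:
        findings.append("realm_mismatch")      # keytab holds keys for another realm
    if want["host"].lower() not in hosts:
        findings.append("host_mismatch")       # DNS name differs from keytab host part
    if want["service"] not in services:
        findings.append("service_missing")     # informational: cifs/ absent from file keytab
    if want["kvno"] not in kvnos:
        findings.append("kvno_mismatch")       # ticket cut with a different key version
    if not any(e.etype == want["etype"] for e in entries):
        findings.append("etype_missing")
    return {"wanted": want, "keytab_realms": sorted(realms), "findings": findings}


if __name__ == "__main__":
    report = diagnose(KLIST_OUTPUT, SMBD_ERROR)
    print("requested:", report["wanted"])
    print("keytab realms:", report["keytab_realms"])
    print("findings:", report["findings"])
```

Run against the real files with `diagnose(open("klist.txt").read(), journal_line)` after saving `klist -ek` output; a realm_mismatch plus host_mismatch for a server whose keytab only holds TC83.LOCAL keys is exactly the situation described in the thread, and kvno 10 versus 12 shows the ticket was not cut against the key the server holds.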
L.P.H. van Belle
2019-Nov-20 08:26 UTC
[Samba] Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
Your config looks ok, as far as I can tell.

This: "cifs/kvm7246-vm022.maas.local@TC84.LOCAL"
As it should be spn/hostname.fqdn@REALM, nothing wrong with that.

But if I understand it right, your server kvm7246-vm022.maas.local is in REALM TC83.LOCAL (NTDOM: TC83), but you get TC84 back?

On the problem server run the following:

dig a kvm7246-vm022.maas.local @IP_of_AD-DC
Gives a Returned_IP
dig -x Returned_IP @IP_of_AD-DC
hostname -s
hostname -f
hostname -I
hostname -A
cat /etc/resolv.conf
route -n|grep default
cat /etc/krb5.conf

Do you have 2 servers with the same hostname but in different DNS domains? Like this one: vm7246-vm022 <<

Greetz,

Louis
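The dig and hostname checks in the reply above amount to one question: does the name the server presents resolve forward and back consistently, and does its DNS domain line up with the realm it joined? The script below is an added example, not code from the thread or from Samba, that performs that comparison in Python. The lookup tables are constructed stand-ins for the answers an AD DC would give; the forward and reverse functions default to the system resolver, so on a real host the call can be made without the tables.

```python
import socket

# Constructed lookup tables standing in for DNS answers from the AD DC;
# the IP address is made up for the example.
FORWARD_TABLE = {"kvm7246-vm022.maas.local": "10.0.0.22"}
REVERSE_TABLE = {"10.0.0.22": "kvm7246-vm022.maas.local"}


def dns_forward(name):
    """A record lookup through the system resolver (what dig a <name> shows)."""
    return socket.gethostbyname(name)


def dns_reverse(ip):
    """PTR lookup through the system resolver (what dig -x <ip> shows)."""
    return socket.gethostbyaddr(ip)[0]


def check_host_identity(fqdn, realm, forward=dns_forward, reverse=dns_reverse):
    """Forward/reverse consistency for fqdn, plus DNS domain versus Kerberos realm.

    Returns a report dict; an empty findings list means the name round-trips
    cleanly and its DNS domain matches the realm (case-insensitively).
    """
    report = {"fqdn": fqdn, "realm": realm, "ip": None, "ptr": None, "findings": []}
    try:
        report["ip"] = forward(fqdn)
    except (OSError, LookupError) as exc:        # socket errors or a missing table entry
        report["findings"].append("forward_lookup_failed: %s" % exc)
        return report
    try:
        report["ptr"] = reverse(report["ip"])
    except (OSError, LookupError) as exc:
        report["findings"].append("reverse_lookup_failed: %s" % exc)
    if report["ptr"] and report["ptr"].lower() != fqdn.lower():
        # The address maps back to a different name: two hosts sharing a short
        # name in different DNS domains, or a stale PTR record.
        report["findings"].append("ptr_mismatch")
    dns_domain = fqdn.split(".", 1)[1] if "." in fqdn else ""
    if dns_domain.lower() != realm.lower():
        # Not wrong by itself, but worth knowing: the keytab in the thread holds
        # host/<name>.tc83.local while the client connects to <name>.maas.local.
        report["findings"].append("dns_domain_differs_from_realm")
    return report


def demo():
    """Run the check with the constructed tables for the server in the thread."""
    return check_host_identity("kvm7246-vm022.maas.local", "TC83.LOCAL",
                               forward=FORWARD_TABLE.__getitem__,
                               reverse=REVERSE_TABLE.__getitem__)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-9s %s" % (key + ":", value))
```

Calling `check_host_identity(socket.getfqdn(), "TC83.LOCAL")` on the member server itself uses the live resolver; compare its output with `hostname -f` and the host/ entries in the keytab to see whether the name clients use is the name the keys were issued for.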