On 25.10.21 at 16:03, Achim Gottinger via samba wrote:
> Indeed, which raises the question: can Kerberos be used with a local account?
> A quick web search showed there is a kinit utility coming with the Sun/Oracle Java JDK.
> I can kinit successfully and klist shows a valid ticket, but if I connect to the Samba server I'm asked for credentials again. The log shows a failed NTLMv2 password.
> Same with the Heimdal Kerberos client and Secure Endpoints Network Identity Manager.

As far as I understood it, non-domain-joined clients can connect to resources on the domain if you connect using domain user credentials. However, NTLM, not Kerberos, is used then. If you block NTLM then non-domain-joined clients will stop working.

This all seems related...

As for Kerberos: I use a non-domain-joined client (Linux though) where I just configured the krb5.conf, and I can then "kinit" and use my domain credentials to connect to the server using Kerberos auth with ssh. I haven't tried with Windows.

Regards
Christian

--
Dr. Christian Naumer
Vice President
Unit Head Bioprocess Development
BRAIN Biotech AG
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Register court: AG Darmstadt, HRB 24758
Management board: Adriaan Moelker (Chairman), Lukas Linnig
Chairman of the supervisory board: Dr. Georg Kellinghusen
On 25.10.21 at 16:30, Christian Naumer via samba wrote:
> As far as I understood it, non-domain-joined clients can connect to resources on the domain if you connect using domain user credentials. However, NTLM, not Kerberos, is used then. If you block NTLM then non-domain-joined clients will stop working.
>
> This all seems related...

For file sharing, NTLMv2 still works with local accounts. Before the October update, once I connected with domain user credentials from a local account I could manage printers and drivers using Print Management. This also no longer works. So MS changed the behavior where NTLM is involved in printing.

> As for Kerberos: I use a non-domain-joined client (Linux though) where I just configured the krb5.conf, and I can then "kinit" and use my domain credentials to connect to the server using Kerberos auth with ssh.
> I haven't tried with Windows.

I was hoping this can be achieved on Windows as well. There is no native kinit on Windows, but I found Java JDKs have such a binary. kinit can be used to get a ticket which the native klist shows as valid, but File Explorer does not use it when connecting to servers.

Looking at https://en.wikipedia.org/wiki/Security_Support_Provider_Interface, Windows uses NTLMSSP for non-domain computers.

The other method with Heimdal and Network Identity Manager I mentioned is used for single sign-on against OpenAFS and seems to work with Firefox. Had no luck with File Explorer.

Achim
On 25.10.21 at 18:51, Achim Gottinger via samba wrote:
> On 25.10.21 at 16:30, Christian Naumer via samba wrote:
>> As far as I understood it, non-domain-joined clients can connect to resources on the domain if you connect using domain user credentials. However, NTLM, not Kerberos, is used then. If you block NTLM then non-domain-joined clients will stop working.
>>
>> This all seems related...
> For file sharing, NTLMv2 still works with local accounts. Before the October update, once I connected with domain user credentials from a local account I could manage printers and drivers using Print Management. This also no longer works. So MS changed the behavior where NTLM is involved in printing.
>>
>> As for Kerberos: I use a non-domain-joined client (Linux though) where I just configured the krb5.conf, and I can then "kinit" and use my domain credentials to connect to the server using Kerberos auth with ssh.
>> I haven't tried with Windows.
>
> I was hoping this can be achieved on Windows as well. There is no native kinit on Windows, but I found Java JDKs have such a binary. kinit can be used to get a ticket which the native klist shows as valid, but File Explorer does not use it when connecting to servers.
>
> Looking at https://en.wikipedia.org/wiki/Security_Support_Provider_Interface, Windows uses NTLMSSP for non-domain computers.
>
> The other method with Heimdal and Network Identity Manager I mentioned is used for single sign-on against OpenAFS and seems to work with Firefox. Had no luck with File Explorer.
>
>
> Achim

Turned out Windows does use Kerberos if the credentials passed to the server are in the form username at realm or realm\username. Logged on with a local non-domain account on the computer and using the above domain credentials to log on to a Samba file server results in acquiring a valid Kerberos ticket. klist also shows cifs/... principals.

This changed with 2021-10. Now Kerberos auth seems to be broken for spoolss auth requests and Windows falls back to NTLMv2.

Logged in with a domain account on the PC this fallback succeeds, but with a local account and a valid acquired Kerberos domain ticket it fails. With Windows 11, however, Kerberos succeeds with a local account + valid domain ticket. I see no NTLM auth request in the Samba log file here.

For testing I only tried to connect to the file server with Windows Print Management. If it succeeded it showed printers and drivers; if not, these lists were empty.

Achim
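The thread's diagnostic is "run klist and look for a cifs/ principal for the file server": if a service ticket for `cifs/<server>` sits in the cache after the connection, the SMB session negotiated Kerberos; if none appears and the Samba log shows an NTLMv2 attempt, the client fell back. The following is an added example, not code from the thread or from Samba, that turns that check into a small parser for the native Windows `klist` output. The sample cache text, the host names and the realm `EXAMPLE.COM` are constructed for illustration; the field labels (`Client:`, `Server:`, `KerbTicket Encryption Type:`) are the ones Windows klist prints.

```python
"""Check a Windows klist dump for a cifs/ service ticket to a given server.

Added example: inspects klist output to tell whether an SMB connection
obtained a Kerberos service ticket (Kerberos was used) or whether no
cifs/ ticket exists (the client most likely fell back to NTLM).
"""
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample of native Windows `klist` output after connecting to a
# Samba file server with credentials in the form user@REALM from a local account.
SAMPLE_KLIST = """Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: achim @ EXAMPLE.COM
        Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 10/25/2021 16:03:12 (local)
        End Time:   10/26/2021 2:03:12 (local)
        Renew Time: 11/1/2021 16:03:12 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: dc1.example.com

#1>     Client: achim @ EXAMPLE.COM
        Server: cifs/fileserver.example.com @ EXAMPLE.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 10/25/2021 16:04:01 (local)
        End Time:   10/26/2021 2:03:12 (local)
        Renew Time: 11/1/2021 16:03:12 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called: dc1.example.com
"""

_ENTRY_RE = re.compile(r"^#\d+>", re.MULTILINE)
_FIELD_RE = re.compile(r"^\s*(Client|Server|KerbTicket Encryption Type):\s*(.+?)\s*$", re.MULTILINE)


def parse_klist(text: str) -> List[Dict[str, str]]:
    """Split klist output into one dict per cached ticket (client, server, etype)."""
    tickets = []
    for chunk in _ENTRY_RE.split(text)[1:]:          # drop the header before "#0>"
        fields = {k: v for k, v in _FIELD_RE.findall(chunk)}
        if "Server" not in fields:
            continue
        tickets.append({
            "client": fields.get("Client", ""),
            # normalise "cifs/host @ REALM" to "cifs/host@REALM"
            "server": fields["Server"].replace(" @ ", "@"),
            "etype": fields.get("KerbTicket Encryption Type", ""),
        })
    return tickets


def cifs_ticket_for(text: str, host: str) -> Optional[Dict[str, str]]:
    """Return the cifs/<host> ticket if the cache holds one, else None."""
    want = f"cifs/{host.lower()}@"
    for t in parse_klist(text):
        if t["server"].lower().startswith(want):
            return t
    return None


def smb_used_kerberos(text: str, host: str) -> bool:
    """True when a Kerberos service ticket for the SMB server exists."""
    return cifs_ticket_for(text, host) is not None


def weak_etype(ticket: Dict[str, str]) -> bool:
    """RC4-HMAC service tickets are worth flagging; AES is what you want to see."""
    return "RC4" in ticket["etype"].upper()


if __name__ == "__main__":
    # On a real Windows client replace SAMPLE_KLIST with the live cache:
    # text = subprocess.run(["klist"], capture_output=True, text=True).stdout
    text = SAMPLE_KLIST
    host = "fileserver.example.com"
    t = cifs_ticket_for(text, host)
    if t is None:
        print(f"no cifs/{host} ticket: SMB session did not use Kerberos (NTLM fallback?)")
    else:
        print(f"Kerberos used for {host}, etype={t['etype']}"
              + (" [weak: RC4]" if weak_etype(t) else ""))
```

Run it once right after opening the share (or after Print Management has enumerated printers) and once after the spoolss failure the thread describes: a present `cifs/` ticket with an NTLMv2 entry in the Samba log confirms the fallback happens for the print RPC even though Kerberos succeeded for the file share. The RC4 flag is an extra hygiene check, since a Samba AD DC or keytab configured without AES keys will hand out RC4 service tickets.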