Output from command line trying to connect:
thig% smbclient -k -L //thig.<redacted>/
session setup failed: NT_STATUS_ACCESS_DENIED
So it looks like it's just rejecting the Kerberos authentication, which is
why it would drop back down to asking for a password (which doesn't work).
- M
On Wed, Apr 27, 2022 at 1:08 PM Mark Cogan <arcturus1966 at gmail.com>
wrote:
> I've set this up in Linux 7 without issue, but we're running Rocky Linux 8
> and cannot seem to get our macOS system to authenticate with Kerberos. It
> just drops into asking for a password.
> This is output from the log file when I attempt to connect:
>
> [2022/04/27 13:01:07.656506, 2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
>   Registered MSG_REQ_POOL_USAGE
> [2022/04/27 13:01:07.656634, 3] ../../lib/util/access.c:372(allow_access)
>   Allowed connection from 132.250.114.93 (132.250.114.93)
> [2022/04/27 13:01:07.807100, 2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
>   Registered MSG_REQ_POOL_USAGE
> [2022/04/27 13:01:07.807308, 3] ../../lib/util/access.c:372(allow_access)
>   Allowed connection from 132.250.114.93 (132.250.114.93)
>
>
> It looks like it's getting the connection. Running klist shows the
> connection at least attempted.
>
> % klist
> Ticket cache: KCM:12566
> Default principal: cogan@<redacted>
>
> Valid starting       Expires              Service principal
> 04/27/2022 12:02:49  04/28/2022 12:02:49  krbtgt/<redacted>
> 04/27/2022 12:03:28  04/28/2022 12:02:49  cifs/sherlock-hemlock.<redacted>
> 04/27/2022 12:04:03  04/28/2022 12:02:49  host/thig.<redacted>
> 04/27/2022 12:04:58  04/28/2022 12:02:49  host/maple.<redacted>
> 04/27/2022 12:24:59  04/28/2022 12:02:49  host/kermit.<redacted>
> 04/27/2022 12:42:48  04/28/2022 12:02:49  cifs/thig.<redacted>
>
>
> THIG is the name of the system that is dropping down into password
> request. Connection to sherlock-hemlock is working fine with the same
> configuration, but Linux 7 variant.
>
>
> It's like it sees the user, verifies the Kerberos connection, but fails to
> read the ticket.
>
>
> - M
>