I've set this up in Linux 7 without issue, but we're running Rocky Linux 8 and cannot seem to get our macOS system to authenticate with Kerberos. It just drops into asking for a password.

This is output from the log file when I attempt to connect:

[2022/04/27 13:01:07.656506, 2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
  Registered MSG_REQ_POOL_USAGE
[2022/04/27 13:01:07.656634, 3] ../../lib/util/access.c:372(allow_access)
  Allowed connection from 132.250.114.93 (132.250.114.93)
[2022/04/27 13:01:07.807100, 2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
  Registered MSG_REQ_POOL_USAGE
[2022/04/27 13:01:07.807308, 3] ../../lib/util/access.c:372(allow_access)
  Allowed connection from 132.250.114.93 (132.250.114.93)

It looks like it's getting the connection. Running klist shows the connection at least attempted.

% klist
Ticket cache: KCM:12566
Default principal: cogan@<redacted>

Valid starting       Expires              Service principal
04/27/2022 12:02:49  04/28/2022 12:02:49  krbtgt/<redacted>
04/27/2022 12:03:28  04/28/2022 12:02:49  cifs/sherlock-hemlock.<redacted>
04/27/2022 12:04:03  04/28/2022 12:02:49  host/thig.<redacted>
04/27/2022 12:04:58  04/28/2022 12:02:49  host/maple.<redacted>
04/27/2022 12:24:59  04/28/2022 12:02:49  host/kermit.<redacted>
04/27/2022 12:42:48  04/28/2022 12:02:49  cifs/thig.<redacted>

THIG is the name of the system that is dropping down into password request. Connection to sherlock-hemlock is working fine with the same configuration, but Linux 7 variant.

It's like it sees the user, verifies the Kerberos connection, but fails to read the ticket.

- M
Output from command line trying to connect:

thig% smbclient -k -L //thig.<redacted>/
session setup failed: NT_STATUS_ACCESS_DENIED

So it looks like it's just rejecting the Kerberos authentication, which is why it would drop back down to asking for a password (which doesn't work).

- M

On Wed, Apr 27, 2022 at 1:08 PM Mark Cogan <arcturus1966 at gmail.com> wrote:
> I've set this up in Linux 7 without issue, but we're running Rocky Linux 8
> and cannot seem to get our macOS system to authenticate with Kerberos. It
> just drops into asking for a password.
>
> This is output from the log file when I attempt to connect:
>
> [2022/04/27 13:01:07.656506, 2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
>   Registered MSG_REQ_POOL_USAGE
> [2022/04/27 13:01:07.656634, 3] ../../lib/util/access.c:372(allow_access)
>   Allowed connection from 132.250.114.93 (132.250.114.93)
> [2022/04/27 13:01:07.807100, 2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
>   Registered MSG_REQ_POOL_USAGE
> [2022/04/27 13:01:07.807308, 3] ../../lib/util/access.c:372(allow_access)
>   Allowed connection from 132.250.114.93 (132.250.114.93)
>
> It looks like it's getting the connection. Running klist shows the
> connection at least attempted.
>
> % klist
> Ticket cache: KCM:12566
> Default principal: cogan@<redacted>
>
> Valid starting       Expires              Service principal
> 04/27/2022 12:02:49  04/28/2022 12:02:49  krbtgt/<redacted>
> 04/27/2022 12:03:28  04/28/2022 12:02:49  cifs/sherlock-hemlock.<redacted>
> 04/27/2022 12:04:03  04/28/2022 12:02:49  host/thig.<redacted>
> 04/27/2022 12:04:58  04/28/2022 12:02:49  host/maple.<redacted>
> 04/27/2022 12:24:59  04/28/2022 12:02:49  host/kermit.<redacted>
> 04/27/2022 12:42:48  04/28/2022 12:02:49  cifs/thig.<redacted>
>
> THIG is the name of the system that is dropping down into password
> request. Connection to sherlock-hemlock is working fine with the same
> configuration, but Linux 7 variant.
>
> It's like it sees the user, verifies the Kerberos connection, but fails to
> read the ticket.
>
> - M
So let me go through what I did.

First, this is the same attempt to connect to a different server which works just fine with Samba and Kerberos.

Second, it looks like the Kerberos ticket is provided, just not allowing the connection.

Third, I created a local account and gave it Samba permission on thig. This works as username / password so the syntax from Mac to Samba is okay.

At this point, I'm troubleshooting on the Samba side of things, trying to see where / why despite getting a valid Kerberos ticket it still drops through asking for username / password.

- M