Hi List,
we've just built Samba (version 4.16.1+git.235.f435da606f7) with
internal Heimdal Kerberos (version 8pre) for use as AD-DC.
With Windows clients (joined to domain) everything works fine. Trying to
access the samba server (which acts as DC and fileserver) with MacOS,
authentication fails with some Kerberos problems. Log file attached.
MacOS only tells that something went wrong. No further information (I'm
not a MacOS crack)
Disabling Fast-Support, as mentioned in samba changelog (kdc enable fast
= no) didn't change anything.
I've not tried to join the domain with this MacOS client yet.
With older Samba versions we had no problems with MacOS.
Any ideas, what went wrong?
Stefan
--
www.invis-server.org
Stefan Schäfer
Vogelsbergstr. 118
63679 Schotten
-------------- next part --------------
[2022/05/16 13:00:28.544383, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Probing for AS-REQ
[2022/05/16 13:00:28.544503, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Not a FAST request
[2022/05/16 13:00:28.544551, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: AS-REQ milli at GALERIE-NET.LOC from ipv4:172.18.200.20:49573 for
krbtgt/GALERIE-NET.LOC at GALERIE-NET.LOC
[2022/05/16 13:00:28.549897, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: REQ-ENC-PA-REP
[2022/05/16 13:00:28.549926, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_vaddkv(): kv pair[0] client-pa=REQ-ENC-PA-REP
[2022/05/16 13:00:28.549932, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Looking for PK-INIT(ietf) pa-data -- milli at GALERIE-NET.LOC
[2022/05/16 13:00:28.549938, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Looking for PK-INIT(win2k) pa-data -- milli at GALERIE-NET.LOC
[2022/05/16 13:00:28.549958, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- milli at GALERIE-NET.LOC
[2022/05/16 13:00:28.549964, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Looking for GSS pa-data -- milli at GALERIE-NET.LOC
[2022/05/16 13:00:28.549993, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
[2022/05/16 13:00:28.550008, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: as-req: sending error: -1765328359 to client
[2022/05/16 13:00:28.550028, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Making non-FAST KRB-ERROR
[2022/05/16 13:00:28.550095, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.005732
[2022/05/16 13:00:28.550104, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_vaddkv(): kv pair[0]
e-text=Need\sto\suse\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ
[2022/05/16 13:00:28.550110, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: AS-REQ ERR_PREAUTH_REQUIRED ipv4:172.18.200.20:49573 milli at
GALERIE-NET.LOC krbtgt/GALERIE-NET.LOC at GALERIE-NET.LOC
client-pa=REQ-ENC-PA-REP e-text=Need\sto\suse\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ
elapsed=0.005732
[2022/05/16 13:00:28.550756, 3]
../../source4/samba/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2022/05/16 13:00:28.556964, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Probing for AS-REQ
[2022/05/16 13:00:28.556995, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Not a FAST request
[2022/05/16 13:00:28.557006, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: AS-REQ milli at GALERIE-NET.LOC from ipv4:172.18.200.20:49574 for
krbtgt/GALERIE-NET.LOC at GALERIE-NET.LOC
[2022/05/16 13:00:28.558360, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
[2022/05/16 13:00:28.558378, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_vaddkv(): kv pair[0] client-pa=ENC-TS,REQ-ENC-PA-REP
[2022/05/16 13:00:28.558385, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Looking for PK-INIT(ietf) pa-data -- milli at GALERIE-NET.LOC
[2022/05/16 13:00:28.558390, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Looking for PK-INIT(win2k) pa-data -- milli at GALERIE-NET.LOC
[2022/05/16 13:00:28.558396, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- milli at GALERIE-NET.LOC
[2022/05/16 13:00:28.558403, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_vaddkv(): kv pair[0] pa=ENC-TS
[2022/05/16 13:00:28.558455, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: ENC-TS Pre-authentication succeeded -- milli at GALERIE-NET.LOC
using aes256-cts-hmac-sha1-96
[2022/05/16 13:00:28.558464, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_setkv_number(): setting kv pair pa-etype=18
[2022/05/16 13:00:28.558470, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_setkv_number(): setting kv pair #auth_event=6
[2022/05/16 13:00:28.558476, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: ENC-TS pre-authentication succeeded -- milli at GALERIE-NET.LOC
[2022/05/16 13:00:28.558489, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_setkv_number(): setting kv pair #auth_event=1
[2022/05/16 13:00:28.558502, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_setkv_number(): setting kv pair pac_attributes=2
[2022/05/16 13:00:28.559762, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_vaddkv(): kv pair[0] canon_client_name=milli at
GALERIE-NET.LOC
[2022/05/16 13:00:28.559808, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_setkv_number(): setting kv pair auth=1652698828
[2022/05/16 13:00:28.559817, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_setkv_number(): setting kv pair end=1652734828
[2022/05/16 13:00:28.559827, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: AS-REQ authtime: 2022-05-16T13:00:28 starttime: unset endtime:
2022-05-16T23:00:28 renew till: unset
[2022/05/16 13:00:28.559838, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_vaddkv(): kv pair[0] etypes=18,17,16,23
[2022/05/16 13:00:28.559844, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using
aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2022/05/16 13:00:28.559858, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_vaddkv(): kv pair[0] etype=18/18
[2022/05/16 13:00:28.559865, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Requested flags: canonicalize
[2022/05/16 13:00:28.559871, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_vaddkv(): kv pair[0] flags=canonicalize
[2022/05/16 13:00:28.563842, 3]
../../auth/auth_log.c:665(log_authentication_event_human_readable)
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[milli at
GALERIE-NET.LOC] at [Mon, 16 May 2022 13:00:28.563825 CEST] with
[aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host
[ipv4:172.18.200.20:49574] became [GALERIE-NET]\[milli]
[S-1-5-21-3614744284-231420111-3803705986-1114]. local host [NULL]
{"timestamp": "2022-05-16T13:00:28.563913+0200",
"type": "Authentication", "Authentication":
{"version": {"major": 1, "minor": 2},
"eventId": 4624, "logonId": "9d7655cad5280d7a",
"logonType": 3, "status": "NT_STATUS_OK",
"localAddress": null, "remoteAddress":
"ipv4:172.18.200.20:49574", "serviceDescription":
"Kerberos KDC", "authDescription": "ENC-TS
Pre-authentication", "clientDomain": null,
"clientAccount": "milli at GALERIE-NET.LOC",
"workstation": null, "becameAccount": "milli",
"becameDomain": "GALERIE-NET", "becameSid":
"S-1-5-21-3614744284-231420111-3803705986-1114",
"mappedAccount": "milli", "mappedDomain":
"GALERIE-NET", "netlogonComputer": null,
"netlogonTrustAccount": null, "netlogonNegotiateFlags":
"0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null, "passwordType":
"aes256-cts-hmac-sha1-96", "duration": 6968}}
[2022/05/16 13:00:28.564040, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.007078
[2022/05/16 13:00:28.564054, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: AS-REQ SUCCESS ipv4:172.18.200.20:49574 milli at GALERIE-NET.LOC
krbtgt/GALERIE-NET.LOC at GALERIE-NET.LOC pa=ENC-TS etype=18/18
canon_client_name=milli at GALERIE-NET.LOC pac_attributes=2 pa-etype=18
client-pa=ENC-TS,REQ-ENC-PA-REP end=1652734828 auth=1652698828
etypes=18,17,16,23 elapsed=0.007078 flags=canonicalize
[2022/05/16 13:00:28.564591, 3]
../../source4/samba/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2022/05/16 13:00:28.578204, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Probing for AS-REQ
[2022/05/16 13:00:28.578277, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Probing for TGS-REQ
[2022/05/16 13:00:28.579997, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Not a FAST request
[2022/05/16 13:00:28.580083, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ milli at GALERIE-NET.LOC from ipv4:172.18.200.20:49575 for
cifs/invis.galerie-net.loc at GALERIE-NET.LOC [canonicalize]
[2022/05/16 13:00:28.585572, 2]
../../source4/kdc/db-glue.c:716(samba_kdc_message2entry_keys)
Unsupported keytype ignored - type 3
[2022/05/16 13:00:28.585627, 2]
../../source4/kdc/db-glue.c:716(samba_kdc_message2entry_keys)
Unsupported keytype ignored - type 1
[2022/05/16 13:00:28.594772, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_setkv_number(): setting kv pair auth=1652698828
[2022/05/16 13:00:28.594820, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_setkv_number(): setting kv pair start=1652698828
[2022/05/16 13:00:28.594863, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_setkv_number(): setting kv pair end=1652734828
[2022/05/16 13:00:28.594905, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ authtime: 2022-05-16T13:00:28 starttime: 2022-05-16T13:00:28
endtime: 2022-05-16T23:00:28 renew till: unset
[2022/05/16 13:00:28.594935, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_vaddkv(): kv pair[0] canon_client_name=milli at
GALERIE-NET.LOC
[2022/05/16 13:00:28.594962, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_setkv_number(): setting kv pair pac_attributes=2
[2022/05/16 13:00:28.595310, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_vaddkv(): kv pair[0] etypes=18,17,16,23
[2022/05/16 13:00:28.595347, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using
aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2022/05/16 13:00:28.595372, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_vaddkv(): kv pair[0] etype=18/18
[2022/05/16 13:00:28.595395, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Requested flags: canonicalize
[2022/05/16 13:00:28.595417, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_vaddkv(): kv pair[0] flags=canonicalize
[2022/05/16 13:00:28.595621, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.017434
[2022/05/16 13:00:28.595657, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ SUCCESS ipv4:172.18.200.20:49575 milli at GALERIE-NET.LOC
cifs/invis.galerie-net.loc at GALERIE-NET.LOC etype=18/18 pac_attributes=2
canon_client_name=milli at GALERIE-NET.LOC end=1652734828 auth=1652698828
etypes=18,17,16,23 elapsed=0.017434 flags=canonicalize start=1652698828
[2022/05/16 13:00:28.596440, 3]
../../source4/samba/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2022/05/16 13:00:28.600379, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Probing for AS-REQ
[2022/05/16 13:00:28.600451, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Probing for TGS-REQ
[2022/05/16 13:00:28.602045, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Not a FAST request
[2022/05/16 13:00:28.602110, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ milli at GALERIE-NET.LOC from ipv4:172.18.200.20:49576 for
krbtgt/GALERIE-NET.LOC at GALERIE-NET.LOC [forwarded]
[2022/05/16 13:00:28.611953, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_vaddreason(): adding reason Request to forward
non-forwardable ticket
[2022/05/16 13:00:28.612048, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Failed building TGS-REP to ipv4:172.18.200.20:49576
[2022/05/16 13:00:28.612093, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: tgs-req: sending error: -1765328371 to client
[2022/05/16 13:00:28.612119, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Making non-FAST KRB-ERROR
[2022/05/16 13:00:28.612286, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.011923
[2022/05/16 13:00:28.612338, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ ERR_BADOPTION ipv4:172.18.200.20:49576 milli at
GALERIE-NET.LOC krbtgt/GALERIE-NET.LOC at GALERIE-NET.LOC elapsed=0.011923
reason=Request to forward non-forwardable ticket
[2022/05/16 13:00:28.612876, 3]
../../source4/samba/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
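
An added example for reading the log above, not part of the original post and not Samba code: it re-joins the archive-wrapped entries, decodes the numeric codes on the "sending error" lines using the krb5 com_err base, and lists each request's final outcome. The function names are hypothetical and the error table is only a subset of RFC 4120.

```python
import re

KRB5_ERROR_BASE = -1765328384  # com_err base of the krb5 error table
RFC4120_ERRORS = {13: "KDC_ERR_BADOPTION", 14: "KDC_ERR_ETYPE_NOSUPP",
                  24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED"}
ENTRY = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]", re.M)
LOCATION = re.compile(r"^\S+\.c:\d+\(\w+\)\s*")
OUTCOME = re.compile(r"Kerberos: (AS-REQ|TGS-REQ) (SUCCESS|ERR_\w+) (ipv4:\S+)")
ERRCODE = re.compile(r"sending error: (-\d+) to client")
REASON = re.compile(r"reason=(.*)$")

# Entries copied from the log above, still wrapped as the archive shows them.
SAMPLE = """\
[2022/05/16 13:00:28.550008, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: as-req: sending error: -1765328359 to client
[2022/05/16 13:00:28.612093, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: tgs-req: sending error: -1765328371 to client
[2022/05/16 13:00:28.612338, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ ERR_BADOPTION ipv4:172.18.200.20:49576 milli at
GALERIE-NET.LOC krbtgt/GALERIE-NET.LOC at GALERIE-NET.LOC elapsed=0.011923
reason=Request to forward non-forwardable ticket
"""

def entries(text):
    """Yield (timestamp, message) with wrapped lines joined and the source location dropped."""
    parts = ENTRY.split(text)  # ['', ts1, body1, ts2, body2, ...]
    for ts, body in zip(parts[1::2], parts[2::2]):
        msg = " ".join(body.split())
        yield ts, LOCATION.sub("", msg)

def triage(text):
    """Return (outcomes, errors): per-request summary tuples and decoded error names."""
    outcomes, errors = [], []
    for ts, msg in entries(text):
        m = ERRCODE.search(msg)
        if m:
            n = int(m.group(1)) - KRB5_ERROR_BASE  # protocol error number
            errors.append(RFC4120_ERRORS.get(n, f"krb5 error {n}"))
        m = OUTCOME.search(msg)
        if m:
            r = REASON.search(msg)
            outcomes.append((ts, *m.groups(), r.group(1) if r else None))
    return outcomes, errors

if __name__ == "__main__":
    print(triage(SAMPLE))
```
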