igor noredinoski
2025-Apr-08 22:24 UTC
[Samba] Samba 4.2.15 and MIT Kerberos External Authentication
Hello, I have been trying to get Samba 4.21.5 set up to use an external MIT Kerberos authentication system on Debian 12. I realize this feature is still experimental, but I just wanted to confirm whether I am missing a critical detail, as it seems to be correctly installed except that it's not passing the credentials from the Windows client correctly.

I have Samba compiled as per the doc with SAMBA_USES_MITKDC, and it's installed in /usr/local/samba/*.

I have configured my default realm as DEPT.LOCAL and the external realm is COMPANY.COM.

I have set up a Samba user map and created a local Samba user named foo@DEPT.LOCAL, which has an account with password foo@COMPANY.COM.

My user.map is as per below:

    foo = foo@COMPANY.COM

What settings are needed for the Windows/Mac client to log in with user foo, have their credential checked against @COMPANY.COM and then be allowed to authenticate into @DEPT.LOCAL? We don't have any special security requirements other than that the user account needs to already exist in Samba, and we don't want to store their password but have it reside at @COMPANY.COM.

I tested krb5 and am able to get Kerberos tickets from the command line via kinit. Is there extra customization needed in /usr/local/samba/private/kdc.conf or in /etc/pam.d/?
Apr 08 16:50:50 dc1 krb5kdc[4450](info): authsam_account_ok: Checking SMB password for user foo@@DEPT.LOCAL
Apr 08 16:50:50 dc1 krb5kdc[4450](info): logon_hours_ok: No hours restrictions for user foo@@DEPT.LOCAL
Apr 08 16:50:50 dc1 krb5kdc[4450](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) x.x.x.x: NEEDED_PREAUTH: foo\@DEPT.LOCAL@DEPT.LOCAL for krbtgt/DEPT.LOCAL@DEPT.LOCAL, Additional pre-authentication required
Apr 08 16:50:50 dc1 krb5kdc[4450](info): closing down fd 19
Apr 08 16:50:50 dc1 krb5kdc[4450](info): authsam_account_ok: Checking SMB password for user foo@@DEPT.LOCAL
Apr 08 16:50:50 dc1 krb5kdc[4450](info): logon_hours_ok: No hours restrictions for user foo@@DEPT.LOCAL
Apr 08 16:50:50 dc1 krb5kdc[4450](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Apr 08 16:50:50 dc1 krb5kdc[4450](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) x.x.x.x: PREAUTH_FAILED: foo\@DEPT.LOCAL@DEPT.LOCAL for krbtgt/DEPT.LOCAL@DEPT.LOCAL, Preauthentication failed
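As an added example (not code from the original post, from Samba or from MIT Kerberos), here is a small Python triage script for krb5kdc AS_REQ lines of the shape quoted above. It extracts the client principal, source address and outcome of each AS_REQ, counts the pre-authentication verify failures, and records which DEPRECATED/UNSUPPORTED encryption types the client advertised, since the KDC labels those itself in the etype list. The etype list is copied from the log above; the source address 192.0.2.10 and the sample log are constructed for this example.

```python
"""Triage helper for MIT krb5kdc AS_REQ log lines.

Added example: not from the original thread, Samba or MIT Kerberos. It parses
AS_REQ outcome lines (NEEDED_PREAUTH / PREAUTH_FAILED), groups them by client
principal, source address and status, counts preauth verify failures, and
lists the DEPRECATED/UNSUPPORTED etypes a client offered.
"""
import re
from collections import Counter, defaultdict

# Etype list copied from the post; address and sample log lines are constructed
# (192.0.2.0/24 is a documentation range).
ETYPES = ("aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), "
          "DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), "
          "UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)")
SAMPLE_LOG = "\n".join([
    "Apr 08 16:50:50 dc1 krb5kdc[4450](info): authsam_account_ok: Checking SMB password for user foo@@DEPT.LOCAL",
    f"Apr 08 16:50:50 dc1 krb5kdc[4450](info): AS_REQ (6 etypes {{{ETYPES}}}) 192.0.2.10: NEEDED_PREAUTH: "
    r"foo\@DEPT.LOCAL@DEPT.LOCAL for krbtgt/DEPT.LOCAL@DEPT.LOCAL, Additional pre-authentication required",
    "Apr 08 16:50:50 dc1 krb5kdc[4450](info): closing down fd 19",
    "Apr 08 16:50:50 dc1 krb5kdc[4450](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed",
    f"Apr 08 16:50:50 dc1 krb5kdc[4450](info): AS_REQ (6 etypes {{{ETYPES}}}) 192.0.2.10: PREAUTH_FAILED: "
    r"foo\@DEPT.LOCAL@DEPT.LOCAL for krbtgt/DEPT.LOCAL@DEPT.LOCAL, Preauthentication failed",
])

AS_REQ_RE = re.compile(
    r"krb5kdc\[(?P<pid>\d+)\]\(info\): AS_REQ \((?P<n>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): (?P<client>\S+) for (?P<server>\S+), (?P<msg>.*)$"
)
# One etype entry, e.g. "DEPRECATED:arcfour-hmac(23)" or "UNSUPPORTED:(-135)" (no name).
ETYPE_RE = re.compile(r"(?:(?P<flag>DEPRECATED|UNSUPPORTED):)?(?P<name>[^()]*)\((?P<num>-?\d+)\)")
PREAUTH_FAIL_RE = re.compile(r"preauth \((?P<mech>[^)]+)\) verify failure: (?P<msg>.*)$")


def parse_etypes(field):
    """Turn the comma-separated etype list into (flag, name, number) tuples."""
    result = []
    for item in field.split(","):
        m = ETYPE_RE.fullmatch(item.strip())
        if m:
            result.append((m.group("flag"), m.group("name"), int(m.group("num"))))
    return result


def split_principal(text):
    """Split 'name@REALM' at the last '@' and unescape MIT's '\\@' in the name.
    A literal '@' left inside the name means the client sent a UPN-style
    (enterprise) name such as foo@DEPT.LOCAL rather than the plain 'foo'."""
    name, _, realm = text.rpartition("@")
    return name.replace("\\@", "@"), realm


def parse_line(line):
    """Return a dict for AS_REQ outcome and preauth-failure lines, else None."""
    m = AS_REQ_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "as_req"
        rec["etypes"] = parse_etypes(rec["etypes"])
        rec["client_name"], rec["client_realm"] = split_principal(rec["client"])
        rec["enterprise"] = "@" in rec["client_name"]
        return rec
    m = PREAUTH_FAIL_RE.search(line)
    if m:
        return {"kind": "preauth_failure", "mech": m.group("mech"), "msg": m.group("msg")}
    return None


def summarize(log_text):
    """Aggregate outcomes per (client, address), weak etypes and failure mechanisms."""
    outcomes = Counter()          # (client_name, addr, status) -> count
    weak = defaultdict(set)       # (client_name, addr) -> flagged etype labels
    failures = Counter()          # preauth mechanism -> verify failure count
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "preauth_failure":
            failures[rec["mech"]] += 1
            continue
        key = (rec["client_name"], rec["addr"])
        outcomes[key + (rec["status"],)] += 1
        for flag, name, num in rec["etypes"]:
            if flag:  # only DEPRECATED/UNSUPPORTED entries are worth flagging
                weak[key].add(f"{flag}:{name or '?'}({num})")
    return {
        "outcomes": dict(outcomes),
        "weak_etypes": {k: sorted(v) for k, v in weak.items()},
        "preauth_failures": dict(failures),
    }


if __name__ == "__main__":
    for section, value in summarize(SAMPLE_LOG).items():
        print(section, value)
```

Run against a real krb5kdc log, the "outcomes" table separates a client that never completes pre-authentication (only NEEDED_PREAUTH followed by PREAUTH_FAILED, as in the post) from one that merely gets the initial NEEDED_PREAUTH challenge; the "weak_etypes" table shows which clients still advertise RC4 or DES. Only the NEEDED_PREAUTH/PREAUTH_FAILED line shape seen above is parsed; the KDC's ISSUE lines for successful requests use a different layout and are ignored here.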
Rowland Penny
2025-Apr-09 07:06 UTC
[Samba] Samba 4.2.15 and MIT Kerberos External Authentication
On Tue, 8 Apr 2025 18:24:57 -0400 igor noredinoski via samba <samba@lists.samba.org> wrote:

> Hello, I have been trying to get Samba 4.21.5 set up to use an
> external MIT Kerberos authentication system on Debian 12. I realize
> this feature is still experimental, but I just wanted to confirm if I
> am missing a critical detail as it seems to be correctly installed
> except that it's not passing the credentials from the Windows client
> correctly.
>
> I have Samba compiled as per the doc with SAMBA_USES_MITKDC. And it's
> installed in /usr/local/samba/*
>
> I have configured my default realm as DEPT.LOCAL and the external
> realm is COMPANY.COM
>
> I have set up a Samba user map and created a local Samba user named
> foo@DEPT.LOCAL which has an account with password foo@COMPANY.COM
>
> My user.map is as per below.
>
> foo = foo@COMPANY.COM

It sounded like you had set up Samba as an AD DC using MIT instead of Heimdal until here; now I am not so sure. It sounds like you have an existing Kerberos realm and you are trying to get a Samba AD DC to auth from that. If that is the case, then that is not how you are supposed to do it.

If you want to see how to set up a DC with MIT, then the easiest way is to do it on the latest Fedora; their Samba AD DC uses MIT by default.

Rowland