samba - Apr 2025 - Samba 4.2.15 and MIT Kerberos External Authentication

Hello, I have been trying to get Samba 4.21.5 setup to use an external MIT
kerberos authentication system on Debian 12. I realize this feature is
still experimental, but I just wanted to confirm if I am missing a critical
detail as it seems to be correctly installed except that it's not passing
the credentials from the windows client correctly. I

I have Samba complied as per the doc with SAMBA_USES_MITKDC. And it's
installed in /use/loca/samba/*

I have configured my default realm as DEPT.LOCAL and the external realm is
COMPANY.COM

I have setup a samba usermap and created a local samba user named
foo at DEPT.LOCAL which has an account with password foo at COMPANY.COM

My user.map is as per below.

foo = foo at COMPANY.COM

What settings are needed for the Windows/Mac client to login with user foo,
and have their credential checked against @COMPANY.COM and then allowed to
authenticate into @DEPT.LOCAL.. We don't have any special security
requirements the than the user account needs to already exist on in samba
and we don't want to store their password but have it reside at  @
COMPANY.COM.

I tested krb5 and am able to get kerberos tickets from command line via
kinit.

Is there extra customization needed in /usr/local/samba/private/kdc.conf or
in /etc/pam.d/?

Apr 08 16:50:50 dc1 krb5kdc[4450](info): authsam_account_ok: Checking SMB
password for user foo@@DEPT.LOCAL
Apr 08 16:50:50 dc1 krb5kdc[4450](info): logon_hours_ok: No hours
restrictions for user foo@@DEPT.LOCAL
Apr 08 16:50:50 dc1 krb5kdc[4450](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24),
UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) x.x.x.x: NEEDED_PREAUTH:
foo\@DEPT.LOCAL at DEPT.LOCAL for krbtgt/DEPT.LOCAL at DEPT.LOCAL, Additional
pre-authentication required
Apr 08 16:50:50 dc1 krb5kdc[4450](info): closing down fd 19
Apr 08 16:50:50 dc1 krb5kdc[4450](info): authsam_account_ok: Checking SMB
password for user foo@@DEPT.LOCAL
Apr 08 16:50:50 dc1 krb5kdc[4450](info): logon_hours_ok: No hours
restrictions for user foo@@DEPT.LOCAL
Apr 08 16:50:50 dc1 krb5kdc[4450](info): preauth (encrypted_timestamp)
verify failure: Preauthentication failed
Apr 08 16:50:50 dc1 krb5kdc[4450](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24),
UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) x.x.x.x: PREAUTH_FAILED:
foo\@DEPT.LOCAL at DEPT.LOCAL for krbtgt/DEPT.LOCAL at DEPT.LOCAL,
Preauthentication failed

On Tue, 8 Apr 2025 18:24:57 -0400
igor noredinoski via samba <samba at lists.samba.org> wrote:
> Hello, I have been trying to get Samba 4.21.5 setup to use an
> external MIT kerberos authentication system on Debian 12. I realize
> this feature is still experimental, but I just wanted to confirm if I
> am missing a critical detail as it seems to be correctly installed
> except that it's not passing the credentials from the windows client
> correctly. I
> 
> I have Samba complied as per the doc with SAMBA_USES_MITKDC. And it's
> installed in /use/loca/samba/*
> 
> I have configured my default realm as DEPT.LOCAL and the external
> realm is COMPANY.COM
> 
> I have setup a samba usermap and created a local samba user named
> foo at DEPT.LOCAL which has an account with password foo at COMPANY.COM
> 
> My user.map is as per below.
> 
> foo = foo at COMPANY.COM
It sounded like you had set up Samba as an AD DC using MIT instead of
Hiemdal until here, now I am not so sure. It sounds like you have an
existing Kerberos realm and you are trying to get a Samba AD DC to auth
from that, if that is the case, then that is not how you are supposed
to do it.
 
If you want to see how to set up a DC with MIT, then the easiest way is
to do it on the latest fedora, their Samba AD DC uses MIT by default.

Rowland