search for: smb_gss_krb5_import_cred

...ed, after making this change the krb5 default ccache name of "FILE:/tmp/krb5cc_%{uid}" is used since "default_cc_name" is not valid. I ran the smbclient command and guess what happened? Remember, the original error in the debug output with the valid parameter name was this: smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_1000] -the caller may retry after a kinit After I made the parameter name change to the heimdal version, the error turned into this: Failed to resolve credential cache 'KEYRING:persistent:1000'! (Unknown credential cache type) free(): double free detected in...

..., and krb5-user 1.17 Steps I took: I run a kinit and obtain a valid ticket, klist confirms this and that it's stored in the configured ccache. I then run this command: smbclient //server.this.domain.com/share -k -d5 Here's a snippet of the debug output, pay particular attention to the "smb_gss_krb5_import_cred" line: ----- session request ok negotiated dialect[SMB3_11] against server[server.this.domain.com] cli_session_setup_spnego_send: Connect to server.this.domain.com as user at THIS.DOMAIN.COM using SPNEGO Starting GENSEC mechanism spnego Starting GENSEC submechanism gse_krb5 smb_gss_krb5_impor...

I know, and i have him the "samba" solution, because ... I dont know sssd also. And i dont get the fuss on samba+winbind or samba+sssd I have 3 services running minimal : samba winbind user-homes.automount Everything works as it should. I hope, and i'll add the note here also. NOTE ! My packages are NOT sssd compliant, you need to recompile SSSD yourselfs agains my samba

...b5 default ccache > name of "FILE:/tmp/krb5cc_%{uid}" is used since "default_cc_name" is not > valid. > > I ran the smbclient command and guess what happened? > Remember, the original error in the debug output with the valid parameter > name was this: > smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_1000] -the caller may > retry after a kinit > > After I made the parameter name change to the heimdal version, the error > turned into this: > Failed to resolve credential cache 'KEYRING:persistent:1000'! (Unknown > credential cache type) >...

...n a valid ticket, > klist confirms this > > and that it's stored in the configured ccache. I then run > this command: > > smbclient //server.this.domain.com/share -k -d5 > > Here's a snippet of the debug output, pay particular > attention to the > > "smb_gss_krb5_import_cred" line: > > > > ----- > > session request ok > > negotiated dialect[SMB3_11] against server[server.this.domain.com] > > cli_session_setup_spnego_send: Connect to server.this.domain.com as > > user at THIS.DOMAIN.COM using SPNEGO > > Starting GENSEC mech...

Hi, I've changed /etc/resolv.conf, rebooted, here is the output: cat /etc/resolv.conf domain rona.loc search rona.loc nameserver 192.168.19.2 ------ smbclient -L $(hostname -f) -UAdministrator%<password> -d5 INFO: Current debug levels: all: 5 tdb: 5 printdrivers: 5 lanman: 5 smb: 5 rpc_parse: 5 rpc_srv: 5 rpc_cli: 5 passdb: 5 sam: 5 auth: 5 winbind: 5 vfs: 5

..., security = ads can only be used when the net utilities were used to join the computer into the domain, which was not the case. Changing to security = ads results in a different error, this time, in log.smbd [2024/07/12 17:49:16.409171, ?5] ../../source3/librpc/crypto/gse.c:301(gse_init_client) ? smb_gss_krb5_import_cred ccache[MEMORY:prtpub_cache] failed with [ Miscellaneous failure (see text): unknown mech-code?2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit. # COMMENT: sssd could successfully sign user in with Kerberos, so not sure why this error. This seems to be using the /etc/krb5.keytab...

...ot;, overwrite the > smb.conf with the > custom one > - run "smbclient //server.this.domain.com/share -U domainuser -k -d5" > - smbclient tries to import the incorrect, non-existent > kerberos ccache and > fails to authenticate > - key debug output snippet: "smb_gss_krb5_import_cred > ccache[FILE:/tmp/krb5cc_1000] failed ... the caller may retry > after a kinit" > - the versions of the components are: smbclient > 4.11.6-Ubuntu and krb5 1.17 > > If I follow a similar process as above on CentOS the > smbclient imports from > the correct ccache a...

Are there any logs on the client or server at a higher log level? Andrew Bartlett On Wed, 2020-05-20 at 12:39 +1200, Grant Petersen via samba wrote: > I forgot to mention that using the smbclient option > > -A /etc/cred/authfile > > behaves the same way as attempting to manually enter the password on > the command line; failing in 4.12.2 and working in 4.11.0 > >

...#39;sasl-EXTERNAL' registered GENSEC backend 'ntlmssp' registered GENSEC backend 'ntlmssp_resume_ccache' registered GENSEC backend 'http_basic' registered GENSEC backend 'http_ntlm' registered Starting GENSEC mechanism spnego Starting GENSEC submechanism gse_krb5 smb_gss_krb5_import_cred ccache[MEMORY:net_ads] failed with [Unspecified GSS failure. Minor code may provide more information: No credentials cache found] -the caller may retry after a kinit. Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/windc04.dom...