[Samba] GSSAPI authentication issue with samba as AD DC.

Hiroo Ono (小野寛生) hiroo.ono+freebsd at gmail.com
Sun May 17 05:30:15 UTC 2020


Thank you.

I deleted the SPN and re-added it without the realm part.
Now, I succeeded with imtest. All seems to work well.

On Sun, May 17, 2020 at 13:38, Andrew Bartlett <abartlet at samba.org> wrote:

> On Sun, 2020-05-17 at 09:09 +0900, Hiroo Ono (小野寛生) via samba wrote:
>
> > I created a user and an SPN as in the mail above,
> >
> > # samba-tool user create --random-password imap-nowhere
> > # samba-tool spn add imap/nowhere.oikumene.ukehi.net@OIKUMENE.UKEHI.NET imap-nowhere
>
> Don't use the @REALM part.  An SPN in Samba doesn't have the realm.
>
> > The authentication step from member to DC seems OK.
> > But, DC returns:
> >
> >    KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
> >
> > where valid TGS-REP is expected.
>
> Yeah, that will be because it is looking for it without the realm.
>
> A patch to the client tool to reject this would be a very good idea.
>
>
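
A sketch of the kind of check suggested at the end of the quoted reply, as an added example that is not part of this thread and not samba-tool's own code: it rejects an SPN string that carries a realm before it is registered. The function names and the accepted shape `service/host[:port][/name]` are assumptions made for this example.

```python
import re

# Added example, not Samba code: pre-flight check for an SPN string
# before it is passed to "samba-tool spn add".
# Assumed shape: service/host[:port][/name], never with an @REALM suffix.
_SPN_RE = re.compile(
    r"^(?P<service>[A-Za-z0-9_.-]+)/"
    r"(?P<host>[A-Za-z0-9_.-]+)"
    r"(?::(?P<port>\d{1,5}))?"
    r"(?:/(?P<name>[A-Za-z0-9_.-]+))?$"
)


class SPNError(ValueError):
    """Raised when an SPN string should not be registered as given."""


def check_spn(value):
    """Return the parsed parts of value, or raise SPNError naming the problem."""
    if "@" in value:
        bare, _, realm = value.partition("@")
        raise SPNError(
            f"SPN {value!r} carries a realm ({realm!r}); register {bare!r} instead"
        )
    m = _SPN_RE.match(value)
    if m is None:
        raise SPNError(f"SPN {value!r} is not service/host[:port][/name]")
    if m["port"] is not None and not 0 < int(m["port"]) <= 65535:
        raise SPNError(f"SPN {value!r} has an out-of-range port")
    return {k: v for k, v in m.groupdict().items() if v is not None}


def audit(values):
    """Split SPN strings into (accepted, [(rejected, reason), ...])."""
    ok, bad = [], []
    for v in values:
        try:
            check_spn(v)
            ok.append(v)
        except SPNError as e:
            bad.append((v, str(e)))
    return ok, bad


if __name__ == "__main__":
    # The two forms discussed in the thread: with and without the realm.
    sample = ["imap/nowhere.oikumene.ukehi.net@OIKUMENE.UKEHI.NET",
              "imap/nowhere.oikumene.ukehi.net"]
    accepted, rejected = audit(sample)
    print("accepted:", accepted)
    for _, why in rejected:
        print("rejected:", why)
```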

