Why is smbd looking for Kerberos principal cifs/host at DOMB when it is a member of DOMA?

Stefan Metzmacher metze at samba.org
Wed Nov 27 09:33:34 UTC 2019

Am 26.11.19 um 20:55 schrieb Nathaniel W. Turner via samba-technical:
> Perhaps someone on samba-technical can answer a slightly different question
> about this: Since I know that this configuration can successfully
> authenticate users in both domains when NTLMSSP is used, it would be nice
> if it could fall back to ntlmssp after gse_krb5 fails to find a keytab
> entry for the (seemingly bogus) principal name. Is that possible given the
> protocol constraints?
> This seems similar in some respects to
> https://bugzilla.samba.org/show_bug.cgi?id=14106, though that case is
> different, as my server *is* an AD domain member, and in that issue, the
> server is *not* a domain member, and is starting out with GENSEC mechanism
> spnego from the beginning, and just choking on a client token that doesn't
> make sense in that context (if I understand it correctly).
> If it's not possible for the server to fall back to ntlmssp after going
> partway down the gse_krb5 path, would be be reasonable to somehow
> disable krb5 for client authentication (while still using it for
> communication with the domain controllers, of course)? As a practical
> matter, Windows domain member clients seem to work fine when samba just
> uses ntlmssp (which it seems you can force by using an IP address instead
> of a hostname in the UNC path when connecting), but maybe there are
> scenarios where that's not the case.

Did you take a wireshark capture to see the kerberos related packets?
Does the client really provides a ticket for
cifs/kvm7246-vm022.maas.local at TC83.LOCAL?
Maybe the cifs/kvm7246-vm022.maas.local principal exists in both domains?

As far as I know the principal name is ignored when accepting kerberos
authentication, but maybe you hit
or the ticket is just not for the server you try to connect.

Which kerberos library is used in you setup?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20191127/1626e69b/signature.sig>

More information about the samba-technical mailing list