Why is smbd looking for Kerberos principal cifs/host at DOMB when it is a member of DOMA?
Stefan Metzmacher
metze at samba.org
Wed Nov 27 09:33:34 UTC 2019
Am 26.11.19 um 20:55 schrieb Nathaniel W. Turner via samba-technical:
> Perhaps someone on samba-technical can answer a slightly different question
> about this: Since I know that this configuration can successfully
> authenticate users in both domains when NTLMSSP is used, it would be nice
> if it could fall back to ntlmssp after gse_krb5 fails to find a keytab
> entry for the (seemingly bogus) principal name. Is that possible given the
> protocol constraints?
>
> This seems similar in some respects to
> https://bugzilla.samba.org/show_bug.cgi?id=14106, though that case is
> different, as my server *is* an AD domain member, and in that issue, the
> server is *not* a domain member, and is starting out with GENSEC mechanism
> spnego from the beginning, and just choking on a client token that doesn't
> make sense in that context (if I understand it correctly).
>
> If it's not possible for the server to fall back to ntlmssp after going
> partway down the gse_krb5 path, would be be reasonable to somehow
> disable krb5 for client authentication (while still using it for
> communication with the domain controllers, of course)? As a practical
> matter, Windows domain member clients seem to work fine when samba just
> uses ntlmssp (which it seems you can force by using an IP address instead
> of a hostname in the UNC path when connecting), but maybe there are
> scenarios where that's not the case.
Did you take a wireshark capture to see the kerberos related packets?
Does the client really provides a ticket for
cifs/kvm7246-vm022.maas.local at TC83.LOCAL?
Maybe the cifs/kvm7246-vm022.maas.local principal exists in both domains?
As far as I know the principal name is ignored when accepting kerberos
authentication, but maybe you hit
https://bugzilla.samba.org/show_bug.cgi?id=14125
or the ticket is just not for the server you try to connect.
Which kerberos library is used in you setup?
metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20191127/1626e69b/signature.sig>
More information about the samba-technical
mailing list