Why is smbd looking for Kerberos principal cifs/host at DOMB when it is a member of DOMA?

Nathaniel W. Turner nathanielwyliet at gmail.com
Wed Nov 27 19:57:27 UTC 2019

Hi metze,

On Wed, Nov 27, 2019 at 4:33 AM Stefan Metzmacher <metze at samba.org> wrote:

> Did you take a wireshark capture to see the kerberos related packets?
> Does the client really provides a ticket for
> cifs/kvm7246-vm022.maas.local at TC83.LOCAL?
> Maybe the cifs/kvm7246-vm022.maas.local principal exists in both domains?

Ah, yes, this was the case. After confirming that the client is sending a
ticket for that principal name (via wireshark), I found and removed the
(stale) computer account from the tc84 domain (it was left over from a
prior test). Now I can authenticate as expected.

Should samba fall back to ntmlssp in this situation (stale computer account
in the client domain)?

As far as I know the principal name is ignored when accepting kerberos
> authentication, but maybe you hit
> https://bugzilla.samba.org/show_bug.cgi?id=14125
> or the ticket is just not for the server you try to connect.

I only partially grok the issue there. How can we determine if that's the
case? I suspect I can recreate the problem scenario easily by joining my
samba machine to tc84, then leaving the domain without removing the
computer account, and then re-joining tc83.

> Which kerberos library is used in you setup?

For this test, I'm building samba master from git, with default
configuration, so I think that means I'm using samba's built-in copy of
Heimdal. Is that right?

More information about the samba-technical mailing list