Why is smbd looking for Kerberos principal cifs/host at DOMB when it is a member of DOMA?
Nathaniel W. Turner
nathanielwyliet at gmail.com
Wed Nov 27 19:57:27 UTC 2019
On Wed, Nov 27, 2019 at 4:33 AM Stefan Metzmacher <metze at samba.org> wrote:
> Did you take a wireshark capture to see the kerberos related packets?
> Does the client really provide a ticket for
> cifs/kvm7246-vm022.maas.local at TC83.LOCAL?
> Maybe the cifs/kvm7246-vm022.maas.local principal exists in both domains?
Ah, yes, this was the case. After confirming that the client is sending a
ticket for that principal name (via wireshark), I found and removed the
(stale) computer account from the tc84 domain (it was left over from a
prior test). Now I can authenticate as expected.
Should samba fall back to ntlmssp in this situation (stale computer account
in the client domain)?
> As far as I know the principal name is ignored when accepting kerberos
> authentication, but maybe you hit
> or the ticket is just not for the server you try to connect.
I only partially grok the issue there. How can we determine if that's the
case? I suspect I can recreate the problem scenario easily by joining my
samba machine to tc84, then leaving the domain without removing the
computer account, and then re-joining tc83.
> Which kerberos library is used in you setup?
For this test, I'm building samba master from git, with default
configuration, so I think that means I'm using samba's built-in copy of
Heimdal. Is that right?
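One way to check for the duplicate registration Stefan asked about, as an added example that is not code from the thread or from Samba: it parses constructed LDIF in the shape an ldapsearch for servicePrincipalName would print from each domain and reports any SPN registered in more than one realm. The hostname and the TC83.LOCAL / TC84.LOCAL realms come from the thread; the DNs and the FILESRV1 entry are made up for illustration.

```python
from collections import defaultdict

# Constructed sample: what an ldapsearch for servicePrincipalName might return
# from each domain, keyed by realm. The hostname and realms are from the thread;
# the DNs and the FILESRV1 entry are made up for illustration.
LDIF_BY_REALM = {
    "TC83.LOCAL": """\
dn: CN=KVM7246-VM022,CN=Computers,DC=tc83,DC=local
servicePrincipalName: HOST/kvm7246-vm022.maas.local
servicePrincipalName: cifs/kvm7246-vm022.maas.local

dn: CN=FILESRV1,CN=Computers,DC=tc83,DC=local
servicePrincipalName: cifs/filesrv1.maas.local
""",
    "TC84.LOCAL": """\
dn: CN=KVM7246-VM022,CN=Computers,DC=tc84,DC=local
servicePrincipalName: cifs/kvm7246-vm022.maas.local
""",
}

def parse_spns(ldif):
    """Return {dn: [spn, ...]} from an LDIF block; a blank line ends an entry."""
    entries, dn, spns = {}, None, []
    for line in ldif.splitlines():
        if not line.strip():
            if dn:
                entries[dn] = spns
            dn, spns = None, []
        elif line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.lower().startswith("serviceprincipalname: "):
            spns.append(line.split(": ", 1)[1].strip())
    if dn:
        entries[dn] = spns
    return entries

def duplicate_spns(ldif_by_realm):
    """Return {spn: {realm: dn}} for SPNs registered in more than one realm.
    SPNs are compared case-insensitively, as Active Directory treats them."""
    owners = defaultdict(dict)
    for realm, ldif in ldif_by_realm.items():
        for dn, spns in parse_spns(ldif).items():
            for spn in spns:
                owners[spn.lower()][realm] = dn
    return {spn: o for spn, o in owners.items() if len(o) > 1}

if __name__ == "__main__":
    for spn, o in duplicate_spns(LDIF_BY_REALM).items():
        print(f"{spn}: registered in {', '.join(sorted(o))}")
```

Any SPN it reports is a candidate for the stale-account situation described above: a ticket issued for it by the wrong realm cannot be decrypted by the server's current machine key.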