[Samba] samba3 and kerberos authentication of users

David Komanek xdavid at lib-eth.natur.cuni.cz
Thu May 26 08:05:49 GMT 2005

Hi all,

this is probably a VFAQ, but I never found a working solution. I have a 
standalone samba server running samba ver. 3. In the network, we have 
heimdal kerberos used to authenticate users for pop3, imap, web-based 
applications etc. Now I would like to make samba communicate with the 
kerberos kdc so there will no longer be users in smbpasswd with separate 
passwords outside of kerberos.

I already compiled samba with the --with-krb5 configure switch and have 
the following options in smb.conf:

client use spnego = yes
use kerberos keytab = yes

While it is heimdal's kerberos implementation, I added

default_keytab_name = FILE:/etc/krb5.keytab

to the [libdefaults] section of /etc/krb5.conf
as I saw somewhere. But this is still not working for me:

Debug on the client side:

$ smbclient -d3 -U komanek //
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file 
Processing section "[global]"
added interface ip= bcast= nmask=
added interface ip=a.b.c.d bcast=a.b.c.255 
Client started (version 3.0.14a).
Connecting to at port 445
Doing spnego session setup (blob length=58)
got OID=1 3 6 1 4 1 311 2 2 10
got principal=NONE
Got challenge flags:
Got NTLMSSP neg_flags=0x608a0215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60080215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60080215
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE

Using the -k switch in smbclient disables the password prompt, but in 
other respects it has the same behavior, regardless of whether I have a 
valid kerberos ticket or not.

Debug on the server side:

[2005/05/26 09:50:15, 4] lib/username.c:map_username(132)
   Scanning username map /usr/local/etc/samba/smbusers
[2005/05/26 09:50:15, 5] auth/auth_util.c:make_user_info_map(224)
   make_user_info_map: Mapping user [XXX.NATUR.CUNI.CZ]\[komanek] from 
workstation [XXX]
[2005/05/26 09:50:15, 5] auth/auth_util.c:make_user_info(132)
   attempting to make a user_info for komanek (komanek)
[2005/05/26 09:50:15, 5] auth/auth_util.c:make_user_info(142)
   making strings for komanek's user_info struct
[2005/05/26 09:50:15, 5] auth/auth_util.c:make_user_info(184)
   making blobs for komanek's user_info struct
[2005/05/26 09:50:15, 10] auth/auth_util.c:make_user_info(200)
   made an encrypted user_info for komanek (komanek)
[2005/05/26 09:50:15, 3] auth/auth.c:check_ntlm_password(219)
   check_ntlm_password:  Checking password for unmapped user 
[XXX.NATUR.CUNI.CZ]\[komanek]@[XXX] with the new password interface
[2005/05/26 09:50:15, 3] auth/auth.c:check_ntlm_password(222)
   check_ntlm_password:  mapped user is: [XXX]\[komanek]@[XXX]
[2005/05/26 09:50:15, 10] auth/auth.c:check_ntlm_password(231)

What should I do to make kerberos authentication in samba work?

Thanks in advance,

   David Komanek
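
Added example, not part of the original message and not Samba project code: in the client trace above the server's SPNEGO offer lists only OID 1.3.6.1.4.1.311.2.2.10 (NTLMSSP) with principal=NONE, and the session continues with NTLMSSP. This Python sketch parses `smbclient -d3` output and reports whether a Kerberos mechanism was offered at all; the function names and verdict strings are hypothetical, and the sample trace is constructed from the lines in the post.

```python
import re

# Well-known SPNEGO mechanism OIDs.
KERBEROS_OIDS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"

OID_RE = re.compile(r"^got OID=([\d. ]+)$")
PRINCIPAL_RE = re.compile(r"^got principal=(\S+)")
STATUS_RE = re.compile(r"\b(NT_STATUS_[A-Z0-9_]+)\b")

# Constructed sample: the SPNEGO lines of the client trace in the post.
SAMPLE_TRACE = """\
Doing spnego session setup (blob length=58)
got OID=1 3 6 1 4 1 311 2 2 10
got principal=NONE
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE
"""


def parse_spnego_trace(text):
    """Return offered mechanism OIDs, server principal and last NT status."""
    trace = {"oids": [], "principal": None, "status": None}
    for line in map(str.strip, text.splitlines()):
        if m := OID_RE.match(line):
            # The trace in the post prints OIDs space-separated; use dots.
            trace["oids"].append(".".join(re.findall(r"\d+", m.group(1))))
        elif m := PRINCIPAL_RE.match(line):
            trace["principal"] = None if m.group(1) == "NONE" else m.group(1)
        elif m := STATUS_RE.search(line):
            trace["status"] = m.group(1)
    return trace


def diagnose(trace):
    """Classify the server's SPNEGO offer (verdict names are hypothetical)."""
    offered = set(trace["oids"])
    if not offered:
        return "no-spnego-offer"
    if offered & KERBEROS_OIDS:
        return "kerberos-offered" if trace["principal"] else "kerberos-offered-no-principal"
    return "ntlmssp-only" if NTLMSSP_OID in offered else "unknown-mechanisms"


if __name__ == "__main__":
    parsed = parse_spnego_trace(SAMPLE_TRACE)
    print(parsed, diagnose(parsed))
```

A verdict of "ntlmssp-only" means the server never advertised Kerberos, so the place to look is the server's offer rather than the client's ticket cache.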
