[Samba] Re: smbclient kerberos issue
ryandbair at gmail.com
Sun Oct 5 18:44:22 GMT 2008
It wasn't so much that the records weren't in the keytab as much as
the fact that the SPNs just weren't being created. Even when I added
additional principals, I was only getting the shortname version.
In my initial test environment, I wasn't able to replicate the
problem. I ended up cloning the problem system to my test environment
and I was able to reproduce the error.
It seems like it was a problem avahi which mistakenly made its way
into my nsswitch.conf. After removing mdns4_minimal and mdns4, I
rejoined to the domain and everything works great. I'm a bit confused
as to how this caused the problem, but I'm very happy to have it
On Sat, Oct 4, 2008 at 2:45 PM, Gerald (Jerry) Carter <jerry at samba.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Ryan Bair wrote:
>> This seems to be related to this entry on the list in 2004-2005. As
>> far as I see, the issue was never fixed. This is a pretty big issue if
>> it is indeed the same bug as it effectively stops *nix clients from
>> using Kerberos authentication.
>> I will try to work around using "setspn -A host/fqdn computer". Will
>> "net ads keytab create" pull all the SPNs available for the client or
>> is it set only do load the default ones?
> We don't add cifs/... entries to the system keytab anymore.
> If I understand you correctly, you are using smbclient to connect
> from one Unix box to a Samba server. Correct? If so, smbd
> validates the service ticket using the machine trust account
> password stored in secrets.tdb so the keytab entries don't
> generally come into play.
> The keytab is provided to support non-Samba kerberized applications
> such as sshd.
> cheers, jerry
> - --
> Samba ------- http://www.samba.org
> Likewise Software --------- http://www.likewisesoftware.com
> "What man is a man who does not make the world better?" --Balian
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> -----END PGP SIGNATURE-----
More information about the samba