[Samba] Re: smbclient kerberos issue

Ryan Bair ryandbair at gmail.com
Sun Oct 5 18:44:22 GMT 2008


It wasn't so much that the records weren't in the keytab as much as
the fact that the SPNs just weren't being created. Even when I added
additional principals, I was only getting the shortname version.

In my initial test environment, I wasn't able to replicate the
problem. I ended up cloning the problem system to my test environment
and I was able to reproduce the error.

It seems like it was a problem with avahi which mistakenly made its way
into my nsswitch.conf. After removing mdns4_minimal and mdns4, I
rejoined to the domain and everything works great. I'm a bit confused
as to how this caused the problem, but I'm very happy to have it
fixed!

Thanks

On Sat, Oct 4, 2008 at 2:45 PM, Gerald (Jerry) Carter <jerry at samba.org> wrote:
> Ryan Bair wrote:
>> This seems to be related to this entry on the list in 2004-2005. As
>> far as I see, the issue was never fixed. This is a pretty big issue if
>> it is indeed the same bug as it effectively stops *nix clients from
>> using Kerberos authentication.
>>
>> http://lists.samba.org/archive/samba-technical/2005-April/040338.html
>>
>> I will try to work around using "setspn -A host/fqdn computer". Will
>> "net ads keytab create" pull all the SPNs available for the client or
>> is it set only to load the default ones?
>
> We don't add cifs/... entries to the system keytab anymore.
> If I understand you correctly, you are using smbclient to connect
> from one Unix box to a Samba server.  Correct?  If so, smbd
> validates the service ticket using the machine trust account
> password stored in secrets.tdb so the keytab entries don't
> generally come into play.
>
> The keytab is provided to support non-Samba kerberized applications
> such as sshd.
>
>
>
> cheers, jerry
> - --
> =====================================================================
> Samba                                    ------- http://www.samba.org
> Likewise Software          ---------  http://www.likewisesoftware.com
> "What man is a man who does not make the world better?"      --Balian

