[Samba] cross-realm Kerberos trust with a third Windows domain
Duffey, Blake A.
Blake.Duffey at noblis.org
Tue Sep 28 05:21:57 MDT 2010
Here is our scenario. We have a Windows 2008 domain I'll call CORP and
an MIT realm I'll call REALM. There is a one-way trust (AES enabled)
such that users in the CORP domain can access REALM resources. If I log
into a CORP workstation, I can access REALM resources as expected
(including samba).
We have a third Windows 2008 domain I'll call LAB. If I log into a LAB
workstation as a CORP user, and try to get to a REALM samba share, it
won't connect and I get a very nondescript Windows error (normally a
'the network name no longer exists').
Using a packet capture and the 'klist ticket's command, I see I am
getting the correct cifs Kerberos ticket for the samba server. Other
kerberized resources (web, ssh) work - but samba won't connect. I am
fairly certain Kerberos is working correctly, but samba won't allow the
connection (I see SMB packets, but only about a half-dozen, and nothing
indicating what the error might be)
Is there any known reason why this configuration won't work? Is there a
workaround? Any suggestions on troubleshooting this?
Thanks much,
Blake
More information about the samba
mailing list