[Samba] Samba Authentication With Kerberos

Andrew Bartlett abartlet at samba.org
Mon Jan 28 07:32:01 MST 2013

On Sun, 2013-01-27 at 11:48 -0500, Fabian von Romberg wrote:
> Hi All,
> Im thrying to setup a server with Samba4 with Kerberos. When I want to see list all shares with smbclient with samba authentication, everything works fine. But when I try to authenticate using Kerberos, I get and error.

To be clear, is this Samba 4.0 as an AD DC, or as a member server in
another AD domain?

> The command I execute is:
> smbclient -L localhost -k
> The error message from Samba is:
> using SPNEGO
> Selected protocol [8][NT LANMAN 1.0]
> GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96

smbclient should never do kerberos to "localhost" because we can never
know which "localhost" that is.  If you have somehow registered a
'localhost' as a servicePrincipalName, then this is likely the cause of
the issue.  (This error indicates that the key you got from the KDC is
not the key that the server has in it's secrets database/keytab.)

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list