[Samba] Samba Authentication With Kerberos
Andrew Bartlett
abartlet at samba.org
Mon Jan 28 07:32:01 MST 2013
On Sun, 2013-01-27 at 11:48 -0500, Fabian von Romberg wrote:
> Hi All,
>
> Im thrying to setup a server with Samba4 with Kerberos. When I want to see list all shares with smbclient with samba authentication, everything works fine. But when I try to authenticate using Kerberos, I get and error.
To be clear, is this Samba 4.0 as an AD DC, or as a member server in
another AD domain?
> The command I execute is:
>
> smbclient -L localhost -k
>
> The error message from Samba is:
>
> using SPNEGO
> Selected protocol [8][NT LANMAN 1.0]
> GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> SPNEGO login failed: NT_STATUS_LOGON_FAILURE
smbclient should never do kerberos to "localhost" because we can never
know which "localhost" that is. If you have somehow registered a
'localhost' as a servicePrincipalName, then this is likely the cause of
the issue. (This error indicates that the key you got from the KDC is
not the key that the server has in it's secrets database/keytab.)
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba
mailing list