[Samba] Samba Authentication With Kerberos

Fabian von Romberg fromberg100 at hotmail.com
Mon Jan 28 10:22:51 MST 2013


Hi Andrew,

it is Samba 4 and the server role is active directory domain controller.

Thanks and regards,
Fabian

On 28/01/2013 9:32, Andrew Bartlett wrote:
> On Sun, 2013-01-27 at 11:48 -0500, Fabian von Romberg wrote:
>> Hi All,
>>
>> Im thrying to setup a server with Samba4 with Kerberos. When I want to see list all shares with smbclient with samba authentication, everything works fine. But when I try to authenticate using Kerberos, I get and error.
>
> To be clear, is this Samba 4.0 as an AD DC, or as a member server in
> another AD domain?
>
>> The command I execute is:
>>
>> smbclient -L localhost -k
>>
>> The error message from Samba is:
>>
>> using SPNEGO
>> Selected protocol [8][NT LANMAN 1.0]
>> GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
>> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>> SPNEGO login failed: NT_STATUS_LOGON_FAILURE
>
> smbclient should never do kerberos to "localhost" because we can never
> know which "localhost" that is.  If you have somehow registered a
> 'localhost' as a servicePrincipalName, then this is likely the cause of
> the issue.  (This error indicates that the key you got from the KDC is
> not the key that the server has in it's secrets database/keytab.)
>
> Andrew Bartlett
>



More information about the samba mailing list