[Samba] Problem with keytab: "Client not found in Kerberos database"

Rowland Penny rpenny at samba.org
Wed Dec 21 16:36:21 UTC 2016

On Wed, 21 Dec 2016 15:26:41 +0000
Brian Candler <b.candler at pobox.com> wrote:

> On 20/12/2016 14:10, Rowland Penny wrote:
> >> I can't use rlm_krb5, because I plan to use PEAP+MSCHAP for wifi
> >> authentication. The krb5 module requires a cleartext password, but
> >> MSCHAP does not pass a cleartext password. (It is possible to use
> >> krb5 authentication with TTLS+PAP or TTLS+GTC, both of which send a
> >> cleartext password)
> > You might want to read this:
> >
> > https://www.samba.org/samba/history/samba-4.5.0.html
> I'm not sure which section you mean is relevant. Maybe this:
> "When doing a PKINIT based Kerberos logon the KDC adds the
> required PAC_CREDENTIAL_INFO element to the authorization data.
> That means the NTHASH is shared between the PKINIT based client and
> the domain controller, which allows the client to do NTLM based
> authentication on behalf of the user."
> That sounds cool, but I can already use ntlm_auth to validate the
> MSCHAP passwords. Modifying FreeRADIUS to be able to do this via
> Kerberos doesn't gain me much.
> The other thing which I'd already noticed was the server-side storage
> of GPG-encrypted plaintext passwords. It doesn't make a difference to 
> MSCHAP, but it'll be useful if I end up using an auth method which 
> requires the server to have the cleartext password (e.g. EAP-PWD)
> Cheers,
> Brian.

No, I meant the info at the top that now states that MSCHAP probably
wont work without modifying smb.conf.


More information about the samba mailing list