[Samba] smbclient and Kerberos

Kevr kevr at protonmail.com
Fri Nov 4 21:19:03 UTC 2016


I'm finding this a little odd as kinit seems to find the kdc okay, just smbclient fails.

host -t srv _kerberos._udp.lan resolves okay too. Could the fact that my realm is simply LAN and the DNS suffix is lan be an issue? This is just a test setup in VirtualBox for a writeup I'm doing, hence the nonstandard suffixes.



Kevin Ratcliffe

Sent from [ProtonMail](https://protonmail.ch)



-------- Original Message --------
Subject: Re: [Samba] smbclient and Kerberos
Local Time: 4 November 2016 9:11 PM
UTC Time: 4 November 2016 21:11
From: mike at datacontrolsystems.com
To: Kevr <kevr at protonmail.com>
samba at lists.samba.org


The defaults for dns_lookup_realm and dns_lookup_kdc should be false and true respectively, but the Samba team recommends setting them explicitly, so that's what I do. My /etc/krb5.conf file doesn't include any of the stock lines included with the package from Ubuntu (which I believe is based on the MIT version of Kerberos). My file includes the four lines in the previous message and only those four lines. Maybe something in the stock file causes the problem you're seeing?





Mike E.



On Fri, Nov 4, 2016 at 5:01 PM, Kevr <kevr at protonmail.com> wrote:

Hmmmm. I'm using the stock krb5.conf installed by apt-get. So basically all I have is the default_realm set to my realm in [libdefaults]. I was under the impression that dns_lookup_kdc was true by default. Am I wrong?




Kevin Ratcliffe





-------- Original Message --------
Subject: Re: [Samba] smbclient and Kerberos
Local Time: 4 November 2016 8:48 PM
UTC Time: 4 November 2016 20:48
From: samba at lists.samba.org
To: Kevr <kevr at protonmail.com>
samba at lists.samba.org <samba at lists.samba.org>

Mine seem to work fine also using Ubuntu 16.04.1 on the servers and a
separate workstation client. My /etc/krb5.conf files on the servers and
clients are all simply:

[libdefaults]
default_realm = REALM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true

Mike E.


On Fri, Nov 4, 2016 at 4:10 PM, Kevr via samba <samba at lists.samba.org>
wrote:

> Hi All
>
> Is this behaviour expected in smbclient:
>
> I have a kerberized Samba server and a share that works as expected on
> desktop clients, but when I use smbclient with a valid ticket with the -k
> flag I get a KDC lookup failure
>
> kev at client:/home/testuser$ smbclient -k -L //fileserver
> gss_init_sec_context failed with [ Miscellaneous failure (see text):
> unable to reach any KDC in realm LAN]
> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
> session setup failed: NT_STATUS_INTERNAL_ERROR
>
> I've noticed that if I configure the KDC server in the [realm] section of
> my /etc/krb5.conf everything works fine.
>
> Does smbclient not use the DNS for KDC lookup?
>
> I am using Version 4.3.11-Ubuntu on Ubuntu 16.04.1
>
> Thanks
>
>
>
> Kevin Ratcliffe
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
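
The two krb5.conf layouts discussed in this thread, as an added example that is not from any of the posters or from the Samba project: a small parser that reports whether the default realm's KDC would come from an explicit [realms] entry or from DNS SRV lookup, and which SRV names to test with host -t srv. The function names and the host kdc1.lan are hypothetical, and the default of dns_lookup_kdc = true is taken from the thread as an assumption.

```python
import re

# Constructed samples: a DNS-only file like the one posted in the thread
# (realm LAN) and a variant with an explicit KDC. "kdc1.lan" is hypothetical.
DNS_ONLY = """
[libdefaults]
    default_realm = LAN
    dns_lookup_realm = false
    dns_lookup_kdc = true
"""
EXPLICIT = """
[libdefaults]
    default_realm = LAN
[realms]
    LAN = {
        kdc = kdc1.lan
        admin_server = kdc1.lan
    }
"""

def parse_krb5(text):
    """Return (libdefaults dict, {realm: [kdc, ...]}) from krb5.conf text."""
    libdefaults, realms = {}, {}
    section = realm = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # skip blanks and comments
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, realm = m.group(1), None
        elif line == "}":
            realm = None                  # end of a realm sub-block
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = value
            elif section == "realms" and value == "{":
                realm = key
                realms[realm] = []
            elif section == "realms" and realm and key == "kdc":
                realms[realm].append(value)
    return libdefaults, realms

def kdc_location_plan(text):
    """Describe how the default realm's KDC would be located."""
    libdefaults, realms = parse_krb5(text)
    realm = libdefaults.get("default_realm")
    if realm and realms.get(realm):
        return ("explicit", realms[realm])
    # Assumption (as stated in the thread): dns_lookup_kdc defaults to true.
    dns = libdefaults.get("dns_lookup_kdc", "true").lower()
    if realm and dns in ("true", "yes", "on", "1"):
        return ("dns", [f"_kerberos._{p}.{realm}" for p in ("udp", "tcp")])
    return ("none", [])
```

A result of "dns" means every Kerberos library on the client has to resolve the listed SRV names itself, which is the step to compare between kinit and smbclient.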