[Samba] Samba authentication using non-AD Kerberos?

S P Arif Sahari Wibowo arifsaha at yahoo.com
Thu Apr 20 13:25:14 UTC 2017

On 2017-04-16, 19:06, S P Arif Sahari Wibowo via samba wrote:
> I was looking into samba wiki pages and cannot find 
> documentation for this. Generally most the documentation pages 
> either discussing samba as AD member or standalone.

So still looking at this.

So this is the state currently: kerberos setup (krb5.conf and 
keytab) is working in the server, I can do kinit properly. But 
setting of Samba still not working. Here is what I have in 

         workgroup = MYREALM
         server string = UATest Samba Server Version %v
         netbios name = myserver
         log file = /var/log/samba/log.%m
         max log size = 50
         security = ads
         realm = MYREALM.CA
         password server = mykerberos.myrealm.ca
         kerberos method = system keytab
         log level = 3 passdb:5 auth:10

         load printers = no
         cups options = raw
         printing = bsd
         comment = Temporary Stuff
         path = /tmp
         public = yes
         writable = yes
         printable = no

When I try to connect locally:

# kinit mykerbuser
Password for mykerbuser at MYREALM.CA:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mykerbuser at MYREALM.CA

Valid starting     Expires            Service principal
20/04/17 07:24:13  21/04/17 08:24:10  krbtgt/MYREALM.CA at MYREALM.CA
# smbclient -k -U mykerbuser -L localhost
session setup failed: NT_STATUS_IO_TIMEOUT

If I do tcpdump on the Kerberos server, I see this output 

07:18:55.708609 mykerberos.myrealm.ca > icmp: mykerberos.myrealm.ca udp port netbios-ns unreachable
07:18:56.709751 > mykerberos.myrealm.ca.netbios-ns: udp 50 (DF)

    ____  ____  ____  ____ (stephan paul) Arif Sahari Wibowo
   /___  /___/ /___/ /___      http://www.arifsaha.com/
  ____/ /     /   / ____/

More information about the samba mailing list