Chris chris2014 at postbox.xyz
Mon Dec 17 00:19:54 UTC 2018


Using Samba as an AD (2k12) domain member in Stretch
(2:4.5.12+dfsg-2+deb9u4) with tdb as default and rid as domain backend.
No overlapping. Everything works fine. Setup was done as in the wiki

If you're connecting from a Windows 10 client and do not add

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   winbind refresh tickets = Yes

to smb.conf, the SMB3_11 connection is closed, as soon as the service
ticket expires.

1. Some websites say, service tickets are only verified when connecting
to a server. Is this still true? Why is the connection timing out then?
Which tickets does the server renew? Machine account? Is this because of
mutual authentication or encryption? I thought tickets were handled by
the client?

2. Is this related to bug 13197 [2]? That's the only thing I could find
about this status code and it seems it's not fixed in version 4.5 in

3. Default kerberos method is secrets only - use only the secrets.tdb
for ticket verification. Why is this not sufficient? Why is
the /etc/krb5.keytab needed? It's not mentioned in the wiki [1], but in

- Chris

[1] https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
[2] https://bugzilla.samba.org/show_bug.cgi?id=13197
[3] https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting
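A small check for the three smb.conf settings quoted above, written as an added example (it is not code from the post or from the Samba project): it parses the [global] section the way Samba reads parameter names (case- and whitespace-insensitive) and reports which of the keytab settings are absent or set to a different value. The two sample configurations are constructed for the example.

```python
"""Check an smb.conf [global] section for the keytab-related settings
discussed in the post (added example, not Samba project code)."""
import re

# Parameter -> expected value. Names are normalised like Samba does
# (case-insensitive, whitespace ignored); values compared case-insensitively.
REQUIRED = {
    "dedicated keytab file": "/etc/krb5.keytab",
    "kerberos method": "secrets and keytab",
    "winbind refresh tickets": "yes",
}
BOOL_TRUE = {"yes", "true", "1"}


def norm_key(name):
    return re.sub(r"\s+", "", name).lower()


def parse_global(text):
    """Return {normalised_param: value} for the [global] section only."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):  # Samba comment lines
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[norm_key(key)] = " ".join(value.split())
    return params


def missing_keytab_settings(text):
    """List the required settings that are absent or differ from REQUIRED."""
    params, problems = parse_global(text), []
    for key, want in REQUIRED.items():
        got = params.get(norm_key(key))
        got_l = got.lower() if got is not None else None
        ok = got_l in BOOL_TRUE if want == "yes" else got_l == want
        if not ok:
            problems.append(f"{key}: expected '{want}', found {got!r}")
    return problems


# Constructed samples: a member server left at defaults, and the same
# file with the three settings from the post added.
WEAK_CONF = """[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   security = ADS
   idmap config * : backend = tdb
   idmap config EXAMPLE : backend = rid
   # kerberos method left at its default (secrets only)
"""
FIXED_CONF = WEAK_CONF + """   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   winbind refresh tickets = Yes
"""
```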

