[Samba] GSSAPIAuthentication needs krb5.keytabe on one config, not on another one

Lapin Blanc fabien.toune at lapin-blanc.com
Sat May 5 10:55:54 UTC 2018


Hi, i'm using Samba 4.8.0 on one server, configured as an AD DC, and with
passwordless Putty from
joined Windows machines. Everything works fine, and it took me a lot of
searches and test/try to
make it that way.

Now, I'm trying to repeat the configuration on another server (both are
identical VMs) and I nearly
achieve the same goal, except for this : on the second setup, I have to
manually generate
/etc/krb5.keytab for the GSSApiAuthentication to work. This is annoying,
because I have to do this
for every user I add.
Alas, I don't remember all the tweaks I made on my first setup, and can't
figure out where the
difference is... The only thing I notice is samba version 4.8.0 on the
first machine, 4.8.1 on the
second one, but I don't think it comes from there...
I test with this kind of commands :

- kinit someuser at SAMDOM.INTRA (klist OK after this)
- `which sshd` -o "GSSApiAuthentication yes" -d -D -p 2222 (on 1st terminal)
- ssh -o  "GSSApiAuthentication yes" -vvv someuser at samdom.intra -p 2222 (on
2nd terminal)

whithout /etc/krb5.keytab, I have gss failure serverside, complaining about
"Key table entry not
found". With the keytab, everything is ok.
The exact same test on the first setup succeeds.
I've compared all files I could think of (/etc/krb5.conf,
/usr/local/samba/etc/smb.conf, /etc/nsswitch.conf)

Does anyone have an idea ?

Thanks !


More information about the samba mailing list