[Samba] GSSAPIAuthentication needs krb5.keytab on one config, not on another one
fabien.toune at lapin-blanc.com
Sat May 5 10:55:54 UTC 2018
Hi, I'm using Samba 4.8.0 on one server, configured as an AD DC, and with passwordless PuTTY from joined Windows machines. Everything works fine, and it took me a lot of searches and test/try to make it that way.

Now, I'm trying to repeat the configuration on another server (both are identical VMs) and I nearly achieve the same goal, except for this: on the second setup, I have to /etc/krb5.keytab for the GSSApiAuthentication to work. This is annoying, because I have to do this for every user I add.

Alas, I don't remember all the tweaks I made on my first setup, and can't figure out where the difference is... The only thing I notice is Samba version 4.8.0 on the first machine, 4.8.1 on the second one, but I don't think it comes from there...

I test with this kind of command:
- kinit someuser@SAMDOM.INTRA (klist OK after this)
- `which sshd` -o "GSSApiAuthentication yes" -d -D -p 2222 (on 1st terminal)
- ssh -o "GSSApiAuthentication yes" -vvv someuser@samdom.intra -p 2222 (on

Without /etc/krb5.keytab, I have a GSS failure server-side, complaining about "Key table entry not found". With the keytab, everything is OK.

The exact same test on the first setup succeeds.

I've compared all files I could think of (/etc/krb5.conf,
Does anyone have an idea?