[Samba] Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?

Nathaniel W. Turner nathanielwyliet at gmail.com
Fri Nov 15 17:23:30 UTC 2019


Hi all. I’m trying to understand a weird authentication failure:

I have two domains (TC83.LOCAL and TC84.LOCAL), each in a different forest,
with a bidirectional forest trust.
The samba server kvm7246-vm022.maas.local is a domain member of TC83 and is
running a recent build from git master (f38077ea5ee).

When I test authentication of users in each domain by running ntlm_auth on
the samba server, it is successful for users in either domain.

When I try to connect from a Windows client in TC84 using SMB, it is only
successful for users in the TC83 domain. For users in the TC84 domain, smbd
seems to go off the rails looking for a Kerberos machine principal in the
TC84 domain, even though it is not a member of that domain (it's a member
of TC83, which trusts TC84):

Nov 15 15:53:04 kvm7246-vm022 smbd[15209]: [2019/11/15 15:53:04.524996,  1, pid=15209, effective(0, 0), real(0, 0)] ../../source3/librpc/crypto/gse.c:659(gse_get_server_auth_token)
Nov 15 15:53:04 kvm7246-vm022 smbd[15209]:   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/kvm7246-vm022.maas.local@TC84.LOCAL(kvno 10) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]

Why is smbd looking for a principal of the form
"cifs/kvm7246-vm022.maas.local@TC84.LOCAL"?

n

[See
https://drive.google.com/drive/folders/1jsVWHL--mVEnK9pDFUajyt2nQQ5cLpOQ for
full logs and smb.conf]

