[Samba] Why is smbd looking for Kerberos principal cifs/host at DOMB when it is a member of DOMA?
bandabasotti at gmail.com
Fri Nov 15 19:20:11 UTC 2019
Hi, please run the command:
klist -ek /etc/krb5.keytab and post the output along with the file smb.conf.
how do you access your share?
or something like that?
Il giorno ven 15 nov 2019 alle ore 18:24 Nathaniel W. Turner via samba <
samba at lists.samba.org> ha scritto:
> Hi all. I’m trying to understand a weird authentication failure:
> I have two domains (TC83.LOCAL and TC84.LOCAL), each in a diferent forest,
> with a bidirectional forest trust.
> The samba server kvm7246-vm022.maas.local is a domain member of TC83 and is
> running a recent build from git master (f38077ea5ee).
> When I test authentication of users in each domain by running ntlm_auth on
> the samba server, it is successful for users in either domain.
> When I try to connect from a Windows client in TC84 using SMB, it is only
> successful for users in the TC83 domain. For users in the TC84 domain, smbd
> seems to go off the rails looking for a Kerberos machine principal in the
> TC84 domain, even though it is not a member of that domain (it's a member
> of TC83, which trusts TC84):
> Nov 15 15:53:04 kvm7246-vm022 smbd: [2019/11/15 15:53:04.524996, 1,
> pid=15209, effective(0, 0), real(0, 0)]
> Nov 15 15:53:04 kvm7246-vm022 smbd: gss_accept_sec_context failed
> with [ Miscellaneous failure (see text): Failed to find
> cifs/kvm7246-vm022.maas.local at TC84.LOCAL(kvno 10) in keytab
> MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
> Why is smbd looking for a principal of the form
> "cifs/kvm7246-vm022.maas.local at TC84.LOCAL"?
> full logs and smb.conf]
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba