[Samba] Why is smbd looking for Kerberos principal cifs/host at DOMB when it is a member of DOMA?

banda bassotti bandabasotti at gmail.com
Fri Nov 15 19:20:11 UTC 2019

Hi, please run the command:

klist -ek /etc/krb5.keytab and post the output along with the file smb.conf.
how do you access your share?


or something like that?


Il giorno ven 15 nov 2019 alle ore 18:24 Nathaniel W. Turner via samba <
samba at lists.samba.org> ha scritto:

> Hi all. I’m trying to understand a weird authentication failure:
> I have two domains (TC83.LOCAL and TC84.LOCAL), each in a diferent forest,
> with a bidirectional forest trust.
> The samba server kvm7246-vm022.maas.local is a domain member of TC83 and is
> running a recent build from git master (f38077ea5ee).
> When I test authentication of users in each domain by running ntlm_auth on
> the samba server, it is successful for users in either domain.
> When I try to connect from a Windows client in TC84 using SMB, it is only
> successful for users in the TC83 domain. For users in the TC84 domain, smbd
> seems to go off the rails looking for a Kerberos machine principal in the
> TC84 domain, even though it is not a member of that domain (it's a member
> of TC83, which trusts TC84):
> Nov 15 15:53:04 kvm7246-vm022 smbd[15209]: [2019/11/15 15:53:04.524996,  1,
> pid=15209, effective(0, 0), real(0, 0)]
> ../../source3/librpc/crypto/gse.c:659(gse_get_server_auth_token)
> Nov 15 15:53:04 kvm7246-vm022 smbd[15209]:   gss_accept_sec_context failed
> with [ Miscellaneous failure (see text): Failed to find
> cifs/kvm7246-vm022.maas.local at TC84.LOCAL(kvno 10) in keytab
> MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
> Why is smbd looking for a principal of the form
> "cifs/kvm7246-vm022.maas.local at TC84.LOCAL"?
> n
> [See
> https://drive.google.com/drive/folders/1jsVWHL--mVEnK9pDFUajyt2nQQ5cLpOQ
> for
> full logs and smb.conf]
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list