[Samba] Why is smbd looking for Kerberos principal cifs/host at DOMB when it is a member of DOMA?

Nathaniel W. Turner nathanielwyliet at gmail.com
Fri Nov 15 20:02:02 UTC 2019


Here's the keytab info:

ubuntu at kvm7246-vm022:~/samba$ sudo klist -ek /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 1)
  12 host/KVM7246-VM022 at TC83.LOCAL (etype 1)
  12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 3)
  12 host/KVM7246-VM022 at TC83.LOCAL (etype 3)
  12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (aes128-cts-hmac-sha1-96)
  12 host/KVM7246-VM022 at TC83.LOCAL (aes128-cts-hmac-sha1-96)
  12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 host/KVM7246-VM022 at TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (arcfour-hmac)
  12 host/KVM7246-VM022 at TC83.LOCAL (arcfour-hmac)
  12 exagrid/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 1)
  12 exagrid/KVM7246-VM022 at TC83.LOCAL (etype 1)
  12 exagrid/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 3)
  12 exagrid/KVM7246-VM022 at TC83.LOCAL (etype 3)
  12 exagrid/kvm7246-vm022.tc83.local at TC83.LOCAL (aes128-cts-hmac-sha1-96)
  12 exagrid/KVM7246-VM022 at TC83.LOCAL (aes128-cts-hmac-sha1-96)
  12 exagrid/kvm7246-vm022.tc83.local at TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 exagrid/KVM7246-VM022 at TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 exagrid/kvm7246-vm022.tc83.local at TC83.LOCAL (arcfour-hmac)
  12 exagrid/KVM7246-VM022 at TC83.LOCAL (arcfour-hmac)
  12 KVM7246-VM022$@TC83.LOCAL (etype 1)
  12 KVM7246-VM022$@TC83.LOCAL (etype 3)
  12 KVM7246-VM022$@TC83.LOCAL (aes128-cts-hmac-sha1-96)
  12 KVM7246-VM022$@TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 KVM7246-VM022$@TC83.LOCAL (arcfour-hmac)

The client is a Windows box, and I'm running this command:

net use x: \\kvm7246-vm022.maas.local\test /user:tc84\administrator

I see the same behavior when I use smbclient:

smbclient //kvm7246-vm022.maas.local/test -U administrator at tc84.local

On Fri, Nov 15, 2019 at 2:20 PM banda bassotti <bandabasotti at gmail.com>
wrote:

> Hi, please run the command:
>
> klist -ek /etc/krb5.keytab and post the output along with the file
> smb.conf.
> How do you access your share?
>
> \\kvm7246-vm022.maas.local\\sharename"
>
> or something like that?
>
> bb.
>
>
>
> On Fri 15 Nov 2019 at 18:24, Nathaniel W. Turner via samba <
> samba at lists.samba.org> wrote:
>
>> Hi all. I’m trying to understand a weird authentication failure:
>>
>> I have two domains (TC83.LOCAL and TC84.LOCAL), each in a different forest,
>> with a bidirectional forest trust.
>> The samba server kvm7246-vm022.maas.local is a domain member of TC83 and
>> is running a recent build from git master (f38077ea5ee).
>>
>> When I test authentication of users in each domain by running ntlm_auth on
>> the samba server, it is successful for users in either domain.
>>
>> When I try to connect from a Windows client in TC84 using SMB, it is only
>> successful for users in the TC83 domain. For users in the TC84 domain,
>> smbd seems to go off the rails looking for a Kerberos machine principal in
>> the TC84 domain, even though it is not a member of that domain (it's a
>> member of TC83, which trusts TC84):
>>
>> Nov 15 15:53:04 kvm7246-vm022 smbd[15209]: [2019/11/15 15:53:04.524996, 1, pid=15209, effective(0, 0), real(0, 0)] ../../source3/librpc/crypto/gse.c:659(gse_get_server_auth_token)
>> Nov 15 15:53:04 kvm7246-vm022 smbd[15209]:   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/kvm7246-vm022.maas.local at TC84.LOCAL(kvno 10) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
>>
>> Why is smbd looking for a principal of the form
>> "cifs/kvm7246-vm022.maas.local at TC84.LOCAL"?
>>
>> n
>>
>> [See https://drive.google.com/drive/folders/1jsVWHL--mVEnK9pDFUajyt2nQQ5cLpOQ
>> for full logs and smb.conf]
>
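
Added example, not part of the original thread and not Samba code: a Python check that splits the principal named in the smbd error into its parts and reports which of them appear in any row of a `klist -ek` listing. Assumptions: the function names are hypothetical, and the listing is of /etc/krb5.keytab while the error names MEMORY:cifs_srv_keytab, so the result only shows how the requested principal differs from the posted file.

```python
import re

# One `klist -ek` row: KVNO, principal, (enctype). The list archive rewrites
# "@" as " at ", so both spellings are accepted.
ROW = re.compile(r"^\s*(\d+)\s+(\S+?)(?:@| at )(\S+)\s+\(([^)]+)\)\s*$")
# The principal smbd reports as missing in the gss_accept_sec_context error.
MISS = re.compile(r"Failed to find\s+(\S+?)(?:@| at )([^\s(]+)\s*\(kvno (\d+)\)"
                  r" in keytab\s+(\S+)\s+\(([^)]+)\)")
FIELDS = ("service", "host", "realm", "kvno", "etype")

def fields(kvno, name, realm, etype):
    # Machine accounts (NAME$) have no service part; rpartition yields "".
    service, _, host = name.rpartition("/")
    return {"service": service.lower(), "host": host.lower(),
            "realm": realm.upper(), "kvno": int(kvno), "etype": etype}

def parse_keytab(listing):
    """Return one dict per keytab row; header and ruler lines are skipped."""
    return [fields(*m.groups()) for m in map(ROW.match, listing.splitlines()) if m]

def parse_miss(log):
    """Return the wanted principal's fields plus the keytab name, or None."""
    m = MISS.search(" ".join(log.split()))  # undo mail/syslog line wrapping
    if not m:
        return None
    name, realm, kvno, keytab, etype = m.groups()
    return dict(fields(kvno, name, realm, etype), keytab=keytab)

def diagnose(wanted, entries):
    """For each field, does any listed entry carry the value smbd asked for?"""
    return {f: any(e[f] == wanted[f] for e in entries) for f in FIELDS}

# Constructed sample: a subset of the rows and the error text posted above.
KEYTAB = """KVNO Principal
---- ----------------------------------------
  12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 exagrid/KVM7246-VM022 at TC83.LOCAL (arcfour-hmac)
  12 KVM7246-VM022$@TC83.LOCAL (aes256-cts-hmac-sha1-96)
"""
LOG = """gss_accept_sec_context failed with [ Miscellaneous failure (see text):
Failed to find cifs/kvm7246-vm022.maas.local at TC84.LOCAL(kvno 10) in keytab
MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]"""

if __name__ == "__main__":
    wanted = parse_miss(LOG)
    for field, present in diagnose(wanted, parse_keytab(KEYTAB)).items():
        print(f"{field:8} {str(wanted[field]):32} {'listed' if present else 'NOT listed'}")
```
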

