[Samba] Why is smbd looking for Kerberos principal cifs/host at DOMB when it is a member of DOMA?

Nathaniel W. Turner nathanielwyliet at gmail.com
Tue Nov 19 19:51:13 UTC 2019


In case you missed the link in the original email, here's the smb.conf:

[global]
	kerberos method = secrets and keytab
	logging = systemd
	realm = TC83.LOCAL
	security = ADS
	template homedir = /home/%U@%D
	template shell = /bin/bash
	winbind offline logon = Yes
	winbind refresh tickets = Yes
	workgroup = TC83
	idmap config * : range = 1000000-19999999
	idmap config * : backend = autorid


[test]
	path = /srv/test
	valid users = "@tc83.local\domain users" "@tc84.local\domain users"


On Fri, Nov 15, 2019 at 3:02 PM Nathaniel W. Turner <nathanielwyliet at gmail.com> wrote:

> Here's the keytab info:
>
> ubuntu@kvm7246-vm022:~/samba$ sudo klist -ek /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>   12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (etype 1)
>   12 host/KVM7246-VM022@TC83.LOCAL (etype 1)
>   12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (etype 3)
>   12 host/KVM7246-VM022@TC83.LOCAL (etype 3)
>   12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (aes128-cts-hmac-sha1-96)
>   12 host/KVM7246-VM022@TC83.LOCAL (aes128-cts-hmac-sha1-96)
>   12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (aes256-cts-hmac-sha1-96)
>   12 host/KVM7246-VM022@TC83.LOCAL (aes256-cts-hmac-sha1-96)
>   12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (arcfour-hmac)
>   12 host/KVM7246-VM022@TC83.LOCAL (arcfour-hmac)
>   12 exagrid/kvm7246-vm022.tc83.local@TC83.LOCAL (etype 1)
>   12 exagrid/KVM7246-VM022@TC83.LOCAL (etype 1)
>   12 exagrid/kvm7246-vm022.tc83.local@TC83.LOCAL (etype 3)
>   12 exagrid/KVM7246-VM022@TC83.LOCAL (etype 3)
>   12 exagrid/kvm7246-vm022.tc83.local@TC83.LOCAL (aes128-cts-hmac-sha1-96)
>   12 exagrid/KVM7246-VM022@TC83.LOCAL (aes128-cts-hmac-sha1-96)
>   12 exagrid/kvm7246-vm022.tc83.local@TC83.LOCAL (aes256-cts-hmac-sha1-96)
>   12 exagrid/KVM7246-VM022@TC83.LOCAL (aes256-cts-hmac-sha1-96)
>   12 exagrid/kvm7246-vm022.tc83.local@TC83.LOCAL (arcfour-hmac)
>   12 exagrid/KVM7246-VM022@TC83.LOCAL (arcfour-hmac)
>   12 KVM7246-VM022$@TC83.LOCAL (etype 1)
>   12 KVM7246-VM022$@TC83.LOCAL (etype 3)
>   12 KVM7246-VM022$@TC83.LOCAL (aes128-cts-hmac-sha1-96)
>   12 KVM7246-VM022$@TC83.LOCAL (aes256-cts-hmac-sha1-96)
>   12 KVM7246-VM022$@TC83.LOCAL (arcfour-hmac)
>
> The client is a Windows box, and I'm running this command:
>
> net use x: \\kvm7246-vm022.maas.local\test /user:tc84\administrator
>
> I see the same behavior when I use smbclient:
>
> smbclient //kvm7246-vm022.maas.local/test -U administrator@tc84.local
>
> On Fri, Nov 15, 2019 at 2:20 PM banda bassotti <bandabasotti at gmail.com> wrote:
>
>> Hi, please run the command:
>>
>> klist -ek /etc/krb5.keytab and post the output along with the file smb.conf.
>> How do you access your share?
>>
>> \\kvm7246-vm022.maas.local\sharename
>>
>> or something like that?
>>
>> bb.
>>
>>
>>
>> On Fri, 15 Nov 2019 at 18:24, Nathaniel W. Turner via samba <samba at lists.samba.org> wrote:
>>
>>> Hi all. I’m trying to understand a weird authentication failure:
>>>
>>> I have two domains (TC83.LOCAL and TC84.LOCAL), each in a different forest, with a bidirectional forest trust.
>>> The samba server kvm7246-vm022.maas.local is a domain member of TC83 and is running a recent build from git master (f38077ea5ee).
>>>
>>> When I test authentication of users in each domain by running ntlm_auth on the samba server, it is successful for users in either domain.
>>>
>>> When I try to connect from a Windows client in TC84 using SMB, it is only successful for users in the TC83 domain. For users in the TC84 domain, smbd seems to go off the rails looking for a Kerberos machine principal in the TC84 domain, even though it is not a member of that domain (it's a member of TC83, which trusts TC84):
>>>
>>> Nov 15 15:53:04 kvm7246-vm022 smbd[15209]: [2019/11/15 15:53:04.524996, 1, pid=15209, effective(0, 0), real(0, 0)] ../../source3/librpc/crypto/gse.c:659(gse_get_server_auth_token)
>>> Nov 15 15:53:04 kvm7246-vm022 smbd[15209]:   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/kvm7246-vm022.maas.local@TC84.LOCAL(kvno 10) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
>>>
>>> Why is smbd looking for a principal of the form "cifs/kvm7246-vm022.maas.local@TC84.LOCAL"?
>>>
>>> n
>>>
>>> [See https://drive.google.com/drive/folders/1jsVWHL--mVEnK9pDFUajyt2nQQ5cLpOQ for full logs and smb.conf]
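The three discrepancies visible in the thread (requested realm TC84.LOCAL against a keytab holding only TC83.LOCAL keys, hostname kvm7246-vm022.maas.local against keytab SPNs for kvm7246-vm022.tc83.local, and kvno 10 against keytab kvno 12) can be surfaced mechanically from the klist listing and the smbd log line. This is an added diagnostic, not Samba code and not from any poster; it assumes the two-column `klist -ek` layout shown above and principals written with '@' rather than the archive's ' at ' munging, and uses a constructed, shortened sample keytab listing.

```python
import re

# `klist -ek` row: "  12 host/name.tc83.local@TC83.LOCAL (aes256-cts-hmac-sha1-96)"
KLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+?)@(\S+)\s+\((.+)\)\s*$")
# gse.c message from the thread: "Failed to find <svc>@<REALM>(kvno N) in keytab ..."
ERR_RE = re.compile(r"Failed to find (\S+?)@([^\s(]+)\s*\(kvno (\d+)\)")

def parse_klist(text):
    """Return (kvno, service, realm, etype) tuples; header and separator lines are skipped."""
    matches = (KLIST_RE.match(line) for line in text.splitlines())
    return [(int(m[1]), m[2], m[3], m[4]) for m in matches if m]

def diagnose(error_line, klist_text):
    """List mismatches between the principal smbd asked for and the keytab contents.
    An empty list means name, host, realm and kvno all match (then suspect etype support)."""
    m = ERR_RE.search(error_line)
    if not m:
        raise ValueError("not a 'Failed to find ... in keytab' message")
    svc, realm, kvno = m[1], m[2], int(m[3])
    entries = parse_klist(klist_text)
    findings = []
    realms = sorted({e[2] for e in entries})
    if realm not in realms:
        findings.append(f"realm: keytab only has keys for {realms}, not {realm}")
    # Check the host part of the SPN on its own: the keytab holds host/<fqdn>, and a
    # cifs/<fqdn> request can only be served by a key for that same fqdn.
    host = svc.split("/", 1)[1].lower() if "/" in svc else None
    hosts = sorted({e[1].split("/", 1)[1].lower() for e in entries if "/" in e[1]})
    if host and host not in hosts:
        findings.append(f"hostname: keytab SPNs are for {hosts}, not {host}")
    kvnos = sorted({e[0] for e in entries})
    if kvno not in kvnos:
        findings.append(f"kvno: ticket was issued for kvno {kvno}, keytab holds {kvnos}")
    return findings

# Constructed sample, shortened from the thread, with '@' where the archive shows ' at '.
SAMPLE_KLIST = """\
KVNO Principal
---- --------------------------------------------------------------
  12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 host/KVM7246-VM022@TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 KVM7246-VM022$@TC83.LOCAL (aes256-cts-hmac-sha1-96)
"""
SAMPLE_ERROR = ("gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
                "Failed to find cifs/kvm7246-vm022.maas.local@TC84.LOCAL(kvno 10) in keytab "
                "MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]")

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_ERROR, SAMPLE_KLIST)))
```

On a real member server, feed it the output of `klist -ek /etc/krb5.keytab` and the `gss_accept_sec_context failed` line from the smbd log.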
