[Samba] Why is smbd looking for Kerberos principal cifs/host at DOMB when it is a member of DOMA?

Nathaniel W. Turner nathanielwyliet at gmail.com
Tue Nov 19 22:11:18 UTC 2019


Is it expected that samba will be looking for a principal of the form
"cifs/kvm7246-vm022.maas.local at TC84.LOCAL"?

My guess is no, since the keytab (as I'd expect) only contains keys for
principals in the server's domain, TC83.LOCAL. Is this a bug, or have I
configured something incorrectly?

On Tue, Nov 19, 2019 at 2:51 PM Nathaniel W. Turner <nathanielwyliet at gmail.com> wrote:

> In case you missed the link in the original email, here's the smb.conf:
>
> [global]
> 	kerberos method = secrets and keytab
> 	logging = systemd
> 	realm = TC83.LOCAL
> 	security = ADS
> 	template homedir = /home/%U@%D
> 	template shell = /bin/bash
> 	winbind offline logon = Yes
> 	winbind refresh tickets = Yes
> 	workgroup = TC83
> 	idmap config * : range = 1000000-19999999
> 	idmap config * : backend = autorid
>
>
> [test]
> 	path = /srv/test
> 	valid users = "@tc83.local\domain users" "@tc84.local\domain users"
>
>
> On Fri, Nov 15, 2019 at 3:02 PM Nathaniel W. Turner <nathanielwyliet at gmail.com> wrote:
>
>> Here's the keytab info:
>>
>> ubuntu at kvm7246-vm022:~/samba$ sudo klist -ek /etc/krb5.keytab
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>   12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 1)
>>   12 host/KVM7246-VM022 at TC83.LOCAL (etype 1)
>>   12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 3)
>>   12 host/KVM7246-VM022 at TC83.LOCAL (etype 3)
>>   12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (aes128-cts-hmac-sha1-96)
>>   12 host/KVM7246-VM022 at TC83.LOCAL (aes128-cts-hmac-sha1-96)
>>   12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (aes256-cts-hmac-sha1-96)
>>   12 host/KVM7246-VM022 at TC83.LOCAL (aes256-cts-hmac-sha1-96)
>>   12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (arcfour-hmac)
>>   12 host/KVM7246-VM022 at TC83.LOCAL (arcfour-hmac)
>>   12 exagrid/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 1)
>>   12 exagrid/KVM7246-VM022 at TC83.LOCAL (etype 1)
>>   12 exagrid/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 3)
>>   12 exagrid/KVM7246-VM022 at TC83.LOCAL (etype 3)
>>   12 exagrid/kvm7246-vm022.tc83.local at TC83.LOCAL (aes128-cts-hmac-sha1-96)
>>   12 exagrid/KVM7246-VM022 at TC83.LOCAL (aes128-cts-hmac-sha1-96)
>>   12 exagrid/kvm7246-vm022.tc83.local at TC83.LOCAL (aes256-cts-hmac-sha1-96)
>>   12 exagrid/KVM7246-VM022 at TC83.LOCAL (aes256-cts-hmac-sha1-96)
>>   12 exagrid/kvm7246-vm022.tc83.local at TC83.LOCAL (arcfour-hmac)
>>   12 exagrid/KVM7246-VM022 at TC83.LOCAL (arcfour-hmac)
>>   12 KVM7246-VM022$@TC83.LOCAL (etype 1)
>>   12 KVM7246-VM022$@TC83.LOCAL (etype 3)
>>   12 KVM7246-VM022$@TC83.LOCAL (aes128-cts-hmac-sha1-96)
>>   12 KVM7246-VM022$@TC83.LOCAL (aes256-cts-hmac-sha1-96)
>>   12 KVM7246-VM022$@TC83.LOCAL (arcfour-hmac)
>>
>> The client is a Windows box, and I'm running this command:
>>
>> net use x: \\kvm7246-vm022.maas.local\test /user:tc84\administrator
>>
>> I see the same behavior when I use smbclient:
>>
>> smbclient //kvm7246-vm022.maas.local/test -U administrator at tc84.local
>>
>> On Fri, Nov 15, 2019 at 2:20 PM banda bassotti <bandabasotti at gmail.com> wrote:
>>
>>> Hi, please run the command:
>>>
>>> klist -ek /etc/krb5.keytab and post the output along with the file smb.conf.
>>> How do you access your share?
>>>
>>> \\kvm7246-vm022.maas.local\\sharename"
>>>
>>> or something like that?
>>>
>>> bb.
>>>
>>>
>>>
>>> On Fri, 15 Nov 2019 at 18:24, Nathaniel W. Turner via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi all. I’m trying to understand a weird authentication failure:
>>>>
>>>> I have two domains (TC83.LOCAL and TC84.LOCAL), each in a different forest,
>>>> with a bidirectional forest trust.
>>>> The samba server kvm7246-vm022.maas.local is a domain member of TC83 and is
>>>> running a recent build from git master (f38077ea5ee).
>>>>
>>>> When I test authentication of users in each domain by running ntlm_auth on
>>>> the samba server, it is successful for users in either domain.
>>>>
>>>> When I try to connect from a Windows client in TC84 using SMB, it is only
>>>> successful for users in the TC83 domain. For users in the TC84 domain, smbd
>>>> seems to go off the rails looking for a Kerberos machine principal in the
>>>> TC84 domain, even though it is not a member of that domain (it's a member
>>>> of TC83, which trusts TC84):
>>>>
>>>> Nov 15 15:53:04 kvm7246-vm022 smbd[15209]: [2019/11/15 15:53:04.524996,  1, pid=15209, effective(0, 0), real(0, 0)] ../../source3/librpc/crypto/gse.c:659(gse_get_server_auth_token)
>>>> Nov 15 15:53:04 kvm7246-vm022 smbd[15209]:   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/kvm7246-vm022.maas.local at TC84.LOCAL(kvno 10) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
>>>>
>>>> Why is smbd looking for a principal of the form
>>>> "cifs/kvm7246-vm022.maas.local at TC84.LOCAL"?
>>>>
>>>> n
>>>>
>>>> [See https://drive.google.com/drive/folders/1jsVWHL--mVEnK9pDFUajyt2nQQ5cLpOQ for full logs and smb.conf]
>>>>
>>>
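The failure quoted in this thread hinges on a mismatch between the principal smbd asked its in-memory keytab for (cifs/kvm7246-vm022.maas.local@TC84.LOCAL, kvno 10) and what the on-disk keytab actually holds (host/ and exagrid/ entries for kvm7246-vm022.tc83.local in TC83.LOCAL). The following is an added diagnostic example, not code from the thread or from Samba: it parses `klist -ek` output and the "Failed to find ... in keytab" text from the smbd log, then reports which components of the wanted principal (service, host, realm, kvno, enctype) the keytab can satisfy. The sample input is constructed from the thread's own keytab and log lines with the archive's " at " rendering replaced by the real `@`; the function and field names are this example's own.

```python
"""Compare the principal smbd reported missing against what a keytab holds.

Added diagnostic example (not from the thread or Samba): parses `klist -ek`
output and the "Failed to find <principal>(kvno N) in keytab ..." text from
the smbd log, then reports which parts of the wanted principal the keytab
can or cannot satisfy.
"""
import re
from dataclasses import dataclass

# One keytab line as printed by `klist -ek`, e.g.
#   "  12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (aes256-cts-hmac-sha1-96)"
# (the list archive renders '@' as ' at '; real klist output uses '@').
KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")

# The GSSAPI failure text quoted in the thread, with '@' restored.
MISSING_MSG = re.compile(
    r"Failed to find (?P<princ>\S+?)\(kvno (?P<kvno>\d+)\) in keytab "
    r"(?P<keytab>\S+) \((?P<etype>[^)]+)\)"
)


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    service: str  # "" for machine-account principals such as HOST$@REALM
    host: str
    realm: str
    etype: str


def parse_principal(princ):
    """Split 'service/host@REALM' (or 'name@REALM') into its three parts."""
    name, _, realm = princ.rpartition("@")
    if "/" in name:
        service, _, host = name.partition("/")
    else:
        service, host = "", name
    return service, host, realm


def parse_klist(text):
    """Return a KeytabEntry for every principal line in klist -ek output."""
    entries = []
    for line in text.splitlines():
        m = KLIST_ENTRY.match(line)
        if not m:  # header, separator and blank lines
            continue
        kvno, princ, etype = m.groups()
        service, host, realm = parse_principal(princ)
        entries.append(KeytabEntry(int(kvno), service, host, realm, etype))
    return entries


def parse_failure(logline):
    """Extract the principal/kvno/enctype smbd could not find, or None."""
    m = MISSING_MSG.search(logline)
    if not m:
        return None
    service, host, realm = parse_principal(m.group("princ"))
    return {"service": service, "host": host, "realm": realm,
            "kvno": int(m.group("kvno")), "etype": m.group("etype")}


def diagnose(entries, wanted):
    """Report, component by component, whether the keytab can satisfy `wanted`."""
    realms = {e.realm for e in entries}
    hosts = {e.host.lower() for e in entries}
    services = {e.service for e in entries if e.service}
    same_name = [e for e in entries
                 if (e.service, e.host.lower(), e.realm)
                 == (wanted["service"], wanted["host"].lower(), wanted["realm"])]
    return {
        # principal present with the exact kvno and enctype the acceptor asked for
        "exact_match": any(e.kvno == wanted["kvno"] and e.etype == wanted["etype"]
                           for e in same_name),
        "principal_present": bool(same_name),   # present, but maybe wrong kvno/etype
        "realm_in_keytab": wanted["realm"] in realms,
        "host_in_keytab": wanted["host"].lower() in hosts,
        "service_in_keytab": wanted["service"] in services,
        "keytab_realms": sorted(realms),
    }


# Constructed sample input: a subset of the thread's keytab and its log line.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 host/KVM7246-VM022@TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (arcfour-hmac)
  12 KVM7246-VM022$@TC83.LOCAL (aes256-cts-hmac-sha1-96)
"""
SAMPLE_LOG = ("gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
              "Failed to find cifs/kvm7246-vm022.maas.local@TC84.LOCAL(kvno 10) "
              "in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]")

if __name__ == "__main__":
    wanted = parse_failure(SAMPLE_LOG)
    for key, value in diagnose(parse_klist(SAMPLE_KLIST), wanted).items():
        print(f"{key:18} {value}")
```

Run against the thread's data the report shows every component failing at once: the realm (TC84.LOCAL is not present at all, only TC83.LOCAL), the host name (the client used kvm7246-vm022.maas.local while the keytab only knows kvm7246-vm022.tc83.local and the short name) and the service class (cifs/ versus host/). Separating the three tells you whether you are chasing a keytab-content problem (a missing SPN or a stale kvno, where `principal_present` is true but `exact_match` is false) or a name-resolution and trust problem, as here, where the acceptor is asking for a principal in a realm the member server was never joined to.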

