[Samba] AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"
dcardon at tranquil.it
Tue Oct 29 08:36:03 UTC 2019
> ubuntu at kvm7246-vm022:~/samba$ smbclient //`hostname`/test -U
could you use your fqdn instead of hostname command, just to be sure
that your hostname is properly configured (seen that in the past).
> administrator at tc84.local
You are using a domain in .local, be sure that avahi-daemon is not
running otherwise you might get strange DNS resolution.
> Enter administrator at tc84.local's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
> ubuntu at kvm7246-vm022:~/samba$
Just to be sure, did you do a kinit before hand? What do you have in
your klist after smbclient command? Can you resolv DNS of both domains?
> (Logs from each smbclient attempt are at
> The logs seem to show that in the "localhost" cases, the final
> authentication step uses "GENSEC submechanism gse_krb5", while in the cases
> where the actual hostname is specified, the final authentication step uses
> "GENSEC submechanism ntlmssp". The Kerberos auth seems only to work if the
> authenticating user is in the local domain; if the user is in the other
> domain, it fails looking for a keytab entry that does not exist:
> Oct 28 20:02:26 kvm7246-vm022 smbd: [2019/10/28 20:02:26.429043, 5]
> Oct 28 20:02:26 kvm7246-vm022 smbd: Starting GENSEC submechanism
> Oct 28 20:02:26 kvm7246-vm022 smbd: [2019/10/28 20:02:26.430349, 1]
> Oct 28 20:02:26 kvm7246-vm022 smbd: gss_accept_sec_context failed
> with [ Miscellaneous failure (see text): Failed to find
> cifs/kvm7246-vm022 at TC84.LOCAL(kvno 10) in keytab MEMORY:cifs_srv_keytab
> Is this expected behavior? A known issue? Am I doing something silly?
12 avenue Jules Verne (Bat. A)
44230 Saint Sébastien sur Loire (FRANCE)
tel : +33 (0) 240 975 755
Tranquil IT recrute! https://www.tranquil.it/nous-rejoindre/
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
More information about the samba