[Samba] AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"

Tue Oct 29 08:36:03 UTC 2019

Hi Nathaniel,

> ubuntu at kvm7246-vm022:~/samba$ smbclient //`hostname`/test -U

could you use your fqdn instead of hostname command, just to be sure 
that your hostname is properly configured (seen that in the past).

> administrator at tc84.local

You are using a domain in .local, be sure that avahi-daemon is not 
running otherwise you might get strange DNS resolution.

> Enter administrator at tc84.local's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
> ubuntu at kvm7246-vm022:~/samba$

Just to be sure, did you do a kinit before hand? What do you have in 
your klist after smbclient command? Can you resolv DNS of both domains?

Cheers,

Denis

>
> (Logs from each smbclient attempt are at
> https://drive.google.com/open?id=1_355NuN1L9BW5JvtP9WG-dEGkaQqNT3Y)
>
> The logs seem to show that in the "localhost" cases, the final
> authentication step uses "GENSEC submechanism gse_krb5", while in the cases
> where the actual hostname is specified, the final authentication step uses
> "GENSEC submechanism ntlmssp". The Kerberos auth seems only to work if the
> authenticating user is in the local domain; if the user is in the other
> domain, it fails looking for a keytab entry that does not exist:
>
> Oct 28 20:02:26 kvm7246-vm022 smbd[30735]: [2019/10/28 20:02:26.429043,  5]
> ../../auth/gensec/gensec_start.c:737(gensec_start_mech)
> Oct 28 20:02:26 kvm7246-vm022 smbd[30735]:   Starting GENSEC submechanism
> gse_krb5
> Oct 28 20:02:26 kvm7246-vm022 smbd[30735]: [2019/10/28 20:02:26.430349,  1]
> ../../source3/librpc/crypto/gse.c:659(gse_get_server_auth_token)
> Oct 28 20:02:26 kvm7246-vm022 smbd[30735]:   gss_accept_sec_context failed
> with [ Miscellaneous failure (see text): Failed to find
> cifs/kvm7246-vm022 at TC84.LOCAL(kvno 10) in keytab MEMORY:cifs_srv_keytab
> (aes256-cts-hmac-sha1-96)]
>
> Is this expected behavior? A known issue? Am I doing something silly?
>

-- 
Denis Cardon
Tranquil IT
12 avenue Jules Verne (Bat. A)
44230 Saint Sébastien sur Loire (FRANCE)
tel : +33 (0) 240 975 755
http://www.tranquil.it

Tranquil IT recrute! https://www.tranquil.it/nous-rejoindre/
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr