[Samba] AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"
Denis Cardon
dcardon at tranquil.it
Tue Oct 29 08:36:03 UTC 2019
Hi Nathaniel,
> ubuntu at kvm7246-vm022:~/samba$ smbclient //`hostname`/test -U
Could you use your FQDN instead of the hostname command, just to be sure
that your hostname is properly configured (seen that in the past).
> administrator at tc84.local
You are using a domain in .local; be sure that avahi-daemon is not
running, otherwise you might get strange DNS resolution.
> Enter administrator at tc84.local's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
> ubuntu at kvm7246-vm022:~/samba$
Just to be sure, did you do a kinit beforehand? What do you have in
your klist after the smbclient command? Can you resolve DNS of both domains?
Cheers,
Denis
>
> (Logs from each smbclient attempt are at
> https://drive.google.com/open?id=1_355NuN1L9BW5JvtP9WG-dEGkaQqNT3Y)
>
> The logs seem to show that in the "localhost" cases, the final
> authentication step uses "GENSEC submechanism gse_krb5", while in the cases
> where the actual hostname is specified, the final authentication step uses
> "GENSEC submechanism ntlmssp". The Kerberos auth seems only to work if the
> authenticating user is in the local domain; if the user is in the other
> domain, it fails looking for a keytab entry that does not exist:
>
> Oct 28 20:02:26 kvm7246-vm022 smbd[30735]: [2019/10/28 20:02:26.429043, 5]
> ../../auth/gensec/gensec_start.c:737(gensec_start_mech)
> Oct 28 20:02:26 kvm7246-vm022 smbd[30735]: Starting GENSEC submechanism
> gse_krb5
> Oct 28 20:02:26 kvm7246-vm022 smbd[30735]: [2019/10/28 20:02:26.430349, 1]
> ../../source3/librpc/crypto/gse.c:659(gse_get_server_auth_token)
> Oct 28 20:02:26 kvm7246-vm022 smbd[30735]: gss_accept_sec_context failed
> with [ Miscellaneous failure (see text): Failed to find
> cifs/kvm7246-vm022 at TC84.LOCAL(kvno 10) in keytab MEMORY:cifs_srv_keytab
> (aes256-cts-hmac-sha1-96)]
>
> Is this expected behavior? A known issue? Am I doing something silly?
>
--
Denis Cardon
Tranquil IT
12 avenue Jules Verne (Bat. A)
44230 Saint Sébastien sur Loire (FRANCE)
tel : +33 (0) 240 975 755
http://www.tranquil.it
Tranquil IT is hiring! https://www.tranquil.it/nous-rejoindre/
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
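
Added example, not part of the original message and not Samba project code: a small Python triage that groups smbd syslog lines of the shape quoted in this thread by PID and reports whether each session ended on gse_krb5 or ntlmssp, and which keytab principal was missing. The sample log is constructed (host name, PIDs and principal are placeholders), and `summarize` and the verdict labels are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the smbd syslog lines quoted in the thread.
# Host name, PIDs and principal are placeholders, not values from the thread.
SAMPLE_LOG = """\
Oct 28 20:02:26 member1 smbd[1001]: [2019/10/28 20:02:26.429043, 5] ../../auth/gensec/gensec_start.c:737(gensec_start_mech)
Oct 28 20:02:26 member1 smbd[1001]:   Starting GENSEC submechanism gse_krb5
Oct 28 20:02:26 member1 smbd[1001]: [2019/10/28 20:02:26.430349, 1] ../../source3/librpc/crypto/gse.c:659(gse_get_server_auth_token)
Oct 28 20:02:26 member1 smbd[1001]:   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find
Oct 28 20:02:26 member1 smbd[1001]:   cifs/member1@EXAMPLE.TEST(kvno 10) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
Oct 28 20:03:10 member1 smbd[1002]: [2019/10/28 20:03:10.101010, 5] ../../auth/gensec/gensec_start.c:737(gensec_start_mech)
Oct 28 20:03:10 member1 smbd[1002]:   Starting GENSEC submechanism ntlmssp
"""

SYSLOG = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+smbd\[(\d+)\]:\s?(.*)$")
MECH = re.compile(r"Starting GENSEC submechanism (\w+)")
MISS = re.compile(r"Failed to find (\S+?)\(kvno (\d+)\) in keytab (\S+) \(([\w-]+)\)")

def summarize(log_text):
    """Group smbd lines by PID and report the auth path each session took."""
    per_pid = defaultdict(list)
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if m:  # ignore anything that is not an smbd syslog line
            per_pid[m.group(1)].append(m.group(2).strip())
    report = {}
    for pid, parts in per_pid.items():
        text = " ".join(parts)  # rejoin messages that were split across lines
        mechs = MECH.findall(text)
        misses = [
            {"principal": p, "kvno": int(k), "keytab": kt, "enctype": e}
            for p, k, kt, e in MISS.findall(text)
        ]
        if misses:
            verdict = "kerberos-keytab-miss"  # ticket arrived, no matching key
        elif mechs:
            verdict = "ntlm" if mechs[-1] == "ntlmssp" else "kerberos"
        else:
            verdict = "unknown"
        report[pid] = {"mechs": mechs, "keytab_misses": misses, "verdict": verdict}
    return report

if __name__ == "__main__":
    for pid, info in summarize(SAMPLE_LOG).items():
        print(pid, info["verdict"], info["mechs"], info["keytab_misses"])
```

A "kerberos-keytab-miss" verdict gives the principal, kvno and enctype to compare against the member's keytab and the klist output requested above.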