[Samba] NT_STATUS_ACCESS_DENIED when issuing smbclient -k

Marlon Franco lonmarlon at yahoo.com
Mon Feb 24 14:56:39 UTC 2020


I migrated our OLD system to a NEW Debian 10
I can verify that ldap and kerberos are working but i am having issue with samba which is also configured for kerberos
NEW - Debian Buster with samba 4.9.5
OLD - Debian Wheezy with Samba 3.6.6 

root at sample:~# kinit abcd
Password for abcd at TEST.DE: 
root at sample:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: abcd at TEST.DE

Valid starting Expires Service principal
02/24/2020 11:00:47 02/24/2020 21:00:47 krbtgt/test.de at TEST.DE
 renew until 03/02/2020 11:00:47

root at sample:~# smbclient -k -L //sample.test.de/ -d 2
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
added interface enp0s3 ip= bcast= netmask=
session setup failed: NT_STATUS_ACCESS_DENIED

root at sample:~# smbclient -L localhost -Uabcd
Enter TEST.DE\abcd's password: 
session setup failed: NT_STATUS_LOGON_FAILURE

root at sample:~# klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------

 2 07/17/2013 07:22:50 cifs/sample at TEST.DE (arcfour-hmac) 
 2 07/17/2013 07:22:21 cifs/sample.test.de at TEST.DE (arcfour-hmac) 

root at sample:~# kvno cifs/sample at TEST.DE
cifs/sample at TEST.DE: kvno = 2

here is my smb.conf


    workgroup = test.de
    security = user
    realm = TEST.DE
    kerberos method = system keytab
    domain logons = yes
    logon path = \\%N\%U\windowsprofile
    logon drive = H:
    logon home = \\%N\%U
    wins support = no
    logon script = logon.cmd
    add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u 

      log file = /var/log/samba/log.%m

    max log size = 1000

More information about the samba mailing list