[Samba] krb5_kt_start_seq_get failed (Permission denied)

L.P.H. van Belle belle at bazuin.nl
Thu Jul 23 09:35:27 UTC 2020 

Try this : 

    #source: https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/1484262

Add in /etc/krb5.conf in [libdefaults]
   ignore_k5login = true 

Did it help? 

If (as in my case) root is not allowed in the user homdirs it can validateon  $HOME/.k5login 
Above fixed it for me.

I only cant tell based on the config if this applies to you. 
Its a simple thing to try. 


Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Yakov Revyakin via samba
> Verzonden: donderdag 23 juli 2020 11:20
> Aan: Rowland penny
> CC: sambalist
> Onderwerp: Re: [Samba] krb5_kt_start_seq_get failed 
> (Permission denied)
> 
> Ubuntu 18.04 LTS
> 
> root is owner
> 
> In case of 644
> d at uc-sm18:~$ sudo ls -la /etc/krb5.keytab
> -rw-r--r-- 1 root root 1122 Jul 17 13:16 /etc/krb5.keytab
> 
> [global]
>    workgroup = SVITLA3
>    security = ADS
>    realm = SVITLA3.ROOM
> 
>    winbind refresh tickets = Yes
>    vfs objects = acl_xattr
>    map acl inherit = Yes
>    store dos attributes = Yes
> 
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
> 
>    winbind enum users = yes
>    winbind enum groups = yes
> 
>    winbind offline logon = yes
> 
>    load printers = no
>    printing = bsd
>    printcap name = /dev/null
>    disable spoolss = yes
> 
>    log file = /var/log/samba/%m.log
>    log level = 1 auth:9 kerberos:9 winbind:9
>    debug timestamp = no
> 
>    idmap config * : backend = tdb
>    idmap config * : range = 3000-7999
> 
>    idmap config SVITLA3:backend = ad
>    idmap config SVITLA3:schema_mode = rfc2307
>    idmap config SVITLA3:range = 20000-29999
>    idmap config SVITLA3:unix_nss_info = yes
> 
>    template shell = /bin/bash
>    template homedir = /home/%U
> 
> 
> On Thu, 23 Jul 2020 at 11:10, Rowland penny via samba 
> <samba at lists.samba.org>
> wrote:
> 
> > On 23/07/2020 06:28, Yakov Revyakin via samba wrote:
> > > On a DOMAIN Linux member in log.wb_DOMAIN I can see the 
> error message
> > > "krb5_kt_start_seq_get failed (Permission denied)" during 
> any attempt of
> > > user authentication.
> > > In result a user is authenticated successfully. But what does this
> > message
> > > mean?
> > >
> > > My krb5.keytab has permissions 600 by default.
> > > If I change its permissions to 644 the error message goes.
> >
> > For some reason, the keytab cannot be read, yet the '600' 
> is correct,
> > who owns it ? it should be 'root' (user 0)
> >
> > Can we see your smb.conf and can you also tell us what OS 
> you are using ?
> >
> > Rowland
> >
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

More information about the samba mailing list