[Samba] GSSAPI authentication issue with samba as AD DC.

Hiroo Ono (小野寛生) hiroo.ono+freebsd at gmail.com
Sun May 17 00:09:13 UTC 2020


I am running samba 4.11.8 as Active Directory DC and a member server.

I wanted to authenticate cyrus-imapd by GSSAPI, and found this

I tried to run the cyrus-imap server on a member server, which has
successfully 'net ads join'ed and authenticates users with winbindd
without problems.
I followed the method written in the above mail, but the samba DC (KDC?)
does not respond to TGS request.

I created a user and an SPN as in the mail above,

# samba-tool user create --random-password imap-nowhere
# samba-tool spn add imap/nowhere.oikumene.ukehi.net@OIKUMENE.UKEHI.NET imap-nowhere

Using samba-tool, I could verify the SPN exists.

# samba-tool spn list imap-nowhere

I generated a keytab on the domain member machine (which I want to make an
imap server) as below:
# KRB5_KTNAME=/var/imap/krb5.keytab net ads keytab add imap -U administrator

This is from the Samba Wiki: https://wiki.samba.org/index.php/Generating_Keytabs

Checking with ktutil, I verified that the key
imap/nowhere.oikumene.ukehi.net@OIKUMENE.UKEHI.NET
was in the keytab.

# ktutil -k /var/imap/krb5.keytab list

I verified that cyrus-imap reads the keytab and accepts GSSAPI authentication.
But, when I try to authenticate with GSSAPI, it fails.

I captured the Kerberos5 communication between member and DC with wireshark.
Part of the dump of TGS-REQ packets from member to DC was:

* req-body
  * sname
      name-type: KRB5-NT-PRINCIPAL
        * sname-string
           SNameString: imap
           SNameString: nowhere.oikumene.ukehi.net

The authentication step from member to DC seems OK.
But, DC returns:


where valid TGS-REP is expected.
Here, I am stuck. What can I do to make the DC return a TGS-REP and make
GSSAPI authentication succeed?
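A common step when debugging a failed TGS exchange like the one above is to confirm, independently of ktutil, that the service's keytab really holds a key whose principal matches the sname the client put in its TGS-REQ, component by component and with the exact case and realm (Kerberos principal names are case-sensitive). The following script is an added example, not part of the original post or of Samba or Cyrus; it parses the MIT/Heimdal keytab file format (version 0x0502) offline and compares the entries against the sname components seen in the capture. The keytab bytes, the kvno/enctype values and the all-zero key material are constructed for the example; the principal names are the ones from the post.

```python
"""Offline keytab inspector (added example, not from the original post).

Parses the MIT/Heimdal keytab file format (version 0x0502) and checks
whether the service principal named in a TGS-REQ sname has a key in it.
A constructed keytab is embedded so the script runs without a domain.
"""
import struct
from dataclasses import dataclass
from typing import List

KEYTAB_MAGIC = b"\x05\x02"   # keytab format version 0x0502, big-endian fields
NT_PRINCIPAL = 1             # KRB5-NT-PRINCIPAL, the name-type seen in the TGS-REQ
ENCTYPE_AES256_CTS = 18      # aes256-cts-hmac-sha1-96 (RFC 3962)


@dataclass
class KeytabEntry:
    components: List[str]    # e.g. ["imap", "nowhere.oikumene.ukehi.net"]
    realm: str               # e.g. "OIKUMENE.UKEHI.NET"
    name_type: int
    kvno: int
    enctype: int

    @property
    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def _cs(b: bytes) -> bytes:
    """Counted octet string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_cs(buf: bytes, off: int):
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def build_keytab(specs) -> bytes:
    """Serialise (principal, name_type, kvno, enctype, key) tuples as a keytab."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, name_type, kvno, enctype, key in specs:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cs(realm.encode())
        body += b"".join(_cs(c.encode()) for c in comps)
        # name_type, timestamp (0 here), 8-bit kvno, enctype
        body += struct.pack(">IIBH", name_type, 0, kvno & 0xFF, enctype)
        body += _cs(key) + struct.pack(">I", kvno)   # key, then optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                 # negative size marks a deleted/free slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_cs(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _read_cs(data, off)
            comps.append(c.decode())
        name_type, _ts, vno8, enctype = struct.unpack_from(">IIBH", data, off)
        off += 11
        _key, off = _read_cs(data, off)   # key material is read but never printed
        kvno = vno8
        if end - off >= 4:                # 32-bit kvno present: it overrides vno8
            (kvno32,) = struct.unpack_from(">I", data, off)
            kvno = kvno32 or kvno
        entries.append(KeytabEntry(comps, realm.decode(), name_type, kvno, enctype))
        off = end
    return entries


def check_sname(entries: List[KeytabEntry], sname: List[str], realm: str) -> dict:
    """Match the TGS-REQ sname components and realm against the keytab."""
    exact = [e for e in entries if e.components == sname and e.realm == realm]
    if exact:
        return {"status": "ok",
                "kvnos": sorted({e.kvno for e in exact}),
                "enctypes": sorted({e.enctype for e in exact})}
    # Case-only differences are a frequent cause of "key not found" failures.
    loose = [e for e in entries
             if [c.lower() for c in e.components] == [c.lower() for c in sname]
             and e.realm.upper() == realm.upper()]
    if loose:
        return {"status": "case-mismatch", "found": [e.principal for e in loose]}
    return {"status": "missing", "found": []}


# Constructed keytab: principals from the post, placeholder keys and kvno.
SAMPLE_KEYTAB = build_keytab([
    ("imap/nowhere.oikumene.ukehi.net@OIKUMENE.UKEHI.NET", NT_PRINCIPAL, 2, ENCTYPE_AES256_CTS, bytes(32)),
    ("host/nowhere.oikumene.ukehi.net@OIKUMENE.UKEHI.NET", NT_PRINCIPAL, 2, ENCTYPE_AES256_CTS, bytes(32)),
])

if __name__ == "__main__":
    found = parse_keytab(SAMPLE_KEYTAB)
    for e in found:
        print(e.principal, "kvno", e.kvno, "enctype", e.enctype)
    # sname-string components exactly as they appeared in the captured TGS-REQ
    print(check_sname(found, ["imap", "nowhere.oikumene.ukehi.net"], "OIKUMENE.UKEHI.NET"))
```

To use it against a real file, replace `SAMPLE_KEYTAB` with `open("/var/imap/krb5.keytab", "rb").read()` (the path the post uses); the script never prints key material, only principal, kvno and enctype, so its output is safe to paste into a bug report. A "case-mismatch" result means the SPN registered on the DC and the name the client requested differ only in case, which the KDC treats as different principals; a kvno in the keytab lower than the account's current kvno on the DC is the other thing worth comparing when the TGS-REQ is otherwise well-formed.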
