[Samba] GSSAPI authentication issue with samba as AD DC.

Andrew Bartlett abartlet at samba.org
Sun May 17 04:38:17 UTC 2020


On Sun, 2020-05-17 at 09:09 +0900, Hiroo Ono (小野寛生) via samba wrote:
> Hello,
> 
> I am running samba 4.11.8 as Active Directory DC and a member server.
> 
> I wanted to authenticate cyrus-imapd by GSSAPI, and found this mail:
> https://lists.samba.org/archive/samba-technical/2013-April/091429.html
> 
> I tried to run the cyrus-imap server on a member server, which has
> successfully 'net ads join'ed and authenticates users with winbindd
> without problems.
> I followed the method written in the above mail, but the samba DC
> (KDC?) does not respond to the TGS request.
> 
> I created a user and an SPN as in the mail above,
> 
> # samba-tool user create --random-password imap-nowhere
> # samba-tool spn add imap/nowhere.oikumene.ukehi.net@OIKUMENE.UKEHI.NET imap-nowhere

Don't use the @REALM part.  An SPN in Samba doesn't have the realm.

> The authentication step from member to DC seems OK.
> But, DC returns:
> 
>    KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
> 
> where valid TGS-REP is expected.

Yeah, that will be because it is looking for it without the realm.

A patch to the client tool to reject this would be a very good idea.

Andrew Bartlett
-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba
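The client-side check Andrew suggests, written out as an added example (this is not samba-tool's own code and not part of either message): validate the SPN before it reaches `samba-tool spn add`, rejecting a trailing @REALM, which would otherwise be stored literally in servicePrincipalName and leave the KDC unable to match the TGS request for imap/nowhere.oikumene.ukehi.net. The regex, the `SpnError` class and the function names are assumptions of the example.

```python
import re

# Shape of a servicePrincipalName as stored in AD: service/host[:port][/name].
# The realm is never part of the stored value; the KDC looks up the service
# principal named in the TGS request ("imap/host"), so a value registered as
# "imap/host@REALM" never matches. The pattern below is an assumption of
# this example, not samba-tool's own validation.
SPN_RE = re.compile(
    r"^(?P<service>[A-Za-z0-9_.-]+)/(?P<host>[A-Za-z0-9.-]+)"
    r"(?::(?P<port>\d{1,5}))?(?:/(?P<name>[^/@]+))?$"
)


class SpnError(ValueError):
    """Raised when an SPN would be stored in a form the KDC cannot find."""


def validate_spn(spn: str) -> dict:
    """Return the parsed components of a well-formed SPN, else raise SpnError."""
    if "@" in spn:
        bare, realm = spn.rsplit("@", 1)
        raise SpnError(
            f"{spn!r} carries a realm suffix @{realm}; an SPN has no realm, "
            f"use {bare!r} (the KDC would otherwise answer "
            f"KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN to TGS requests for it)"
        )
    m = SPN_RE.match(spn)
    if m is None:
        raise SpnError(f"{spn!r} is not of the form service/host[:port][/name]")
    parts = m.groupdict()
    if parts["port"] is not None and not 1 <= int(parts["port"]) <= 65535:
        raise SpnError(f"{spn!r} has an out-of-range port")
    return parts


def spn_add_command(spn: str, user: str) -> list:
    """Build the samba-tool invocation only once the SPN has passed validation."""
    validate_spn(spn)
    return ["samba-tool", "spn", "add", spn, user]


if __name__ == "__main__":
    # The SPN from the thread, without and then with the realm suffix.
    print(spn_add_command("imap/nowhere.oikumene.ukehi.net", "imap-nowhere"))
    try:
        spn_add_command("imap/nowhere.oikumene.ukehi.net@OIKUMENE.UKEHI.NET",
                        "imap-nowhere")
    except SpnError as e:
        print("rejected:", e)
```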