[Samba] GSSAPI authentication issue with samba as AD DC.

Andrew Bartlett abartlet at samba.org
Sun May 17 04:38:17 UTC 2020

On Sun, 2020-05-17 at 09:09 +0900, Hiroo Ono (小野寛生) via samba wrote:
> Hello,
> I am running samba 4.11.8 as Active Directory DC and a member server.
> I wanted to authenticate cyrus-imapd by GSSAPI, and found this
> mail
> https://lists.samba.org/archive/samba-technical/2013-April/091429.html
> I tried to run the cyrus-imap server on a member server, which has
> successfuly 'net ads join'ed and authenticate user with winbindd
> without problems.
> I followed the method written in the above mail, but the samba DC
> (KDC?)
> does not respond to TGS request.
> I created a user and an SPN as in the mail above,
> # samba-tool user create --random-password imap-nowhere
> # samba-tool spn add
> imap/nowhere.oikumene.ukehi.net at OIKUMENE.UKEHI.NET imap-nowhere

Don't use the @REALM part.  An SPN in Samba doesn't have the realm.

> The authentication step from member to DC seems OK.
> But, DC returns:
> where valid TGS-REP is expected.

Yeah, that will be because it is looking for it without the realm.

A patch to the client tool to reject this would be a very good idea.

Andrew Bartlett
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          

More information about the samba mailing list