[Samba] making smbclient work with a DFS setup where mount.cifs does work / disabling krb5 for testing?

Dr. Thomas Orgis thomas.orgis at uni-hamburg.de
Thu Jan 13 13:44:41 UTC 2022

Am Thu, 13 Jan 2022 13:04:09 +0100
schrieb "Dr. Thomas Orgis via samba" <samba at lists.samba.org>:

> OK, I'll try a current samba codebase first, possibly disabling
> Kerberos to mirror what mount.cifs does. Or … can someone confirm what
> mount.cifs actually does? Is it possibly also doing Kerberos behind the
> scenes?

Ah, thanks a lot for the pointer to --use-kerberos with newer samba!

Things work nicely with a fresh smbclient and

	smbclient  --use-kerberos=off -U user at domain.suffix //ad.domain.suffix/data

so that it can be concluded that the handling of Kerberos in the DFS is
at fault. It happily uses NTLMSSP to authenticate, which is fine by me.
So I just need to roll out custom builds of smbclient to my users that
offer the switch (or even default the switch to off).

But considering the line

cli_session_creds_prepare_krb5: Successfully authenticated as user at domain.suffix (USER at DOMAIN.SUFFIX) to access ad.domain.suffix using Kerberos

with following failures to actually connect, do you think that this
points to a bug in samba, or rather to a bug in the DFS setup? Since
things work for the Windows clients in the domains, one could assume
that it means that the non-standard client is at fault, by default:-/

Alrighty then,


Dr. Thomas Orgis
HPC @ Universität Hamburg

More information about the samba mailing list