[Samba] making smbclient work with a DFS setup where mount.cifs does work / disabling krb5 for testing?
Dr. Thomas Orgis
thomas.orgis at uni-hamburg.de
Thu Jan 13 13:44:41 UTC 2022
Am Thu, 13 Jan 2022 13:04:09 +0100
schrieb "Dr. Thomas Orgis via samba" <samba at lists.samba.org>:
> OK, I'll try a current samba codebase first, possibly disabling
> Kerberos to mirror what mount.cifs does. Or … can someone confirm what
> mount.cifs actually does? Is it possibly also doing Kerberos behind the
> scenes?
Ah, thanks a lot for the pointer to --use-kerberos with newer samba!
Things work nicely with a fresh smbclient and
smbclient --use-kerberos=off -U user at domain.suffix //ad.domain.suffix/data
so that it can be concluded that the handling of Kerberos in the DFS is
at fault. It happily uses NTLMSSP to authenticate, which is fine by me.
So I just need to roll out custom builds of smbclient to my users that
offer the switch (or even default the switch to off).
But considering the line
cli_session_creds_prepare_krb5: Successfully authenticated as user at domain.suffix (USER at DOMAIN.SUFFIX) to access ad.domain.suffix using Kerberos
with following failures to actually connect, do you think that this
points to a bug in samba, or rather to a bug in the DFS setup? Since
things work for the Windows clients in the domains, one could assume
that it means that the non-standard client is at fault, by default:-/
Alrighty then,
Thomas
--
Dr. Thomas Orgis
HPC @ Universität Hamburg
More information about the samba
mailing list