[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable

Rowland Penny rpenny at samba.org
Fri Jan 28 08:48:13 UTC 2022

On Fri, 2022-01-28 at 09:51 +0300, Alex wrote:
> > If it is of any help, I now have nslcd working on Debian 11 with
> > Samba
> > 4.15.4 , just have to wait until tomorrow to see if kstart renews
> > the
> > ticket.
> Thanks Rowland.
> My issue is that k5start isn't able to get even the 1st ticket. Do
> you use system's keytab or create a user keytab for this test case?
> Can you show what "net ads keytab list ..." outputs?

I didn't even try using k5start to get the initial ticket, but it is
working for myself on Debian 11 with Samba 4.15.4

adminuser at deb11:~$ sudo klist -c /tmp/nslcd.tkt 
Ticket cache: FILE:/tmp/nslcd.tkt
Default principal: nslcd-ad at SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
28/01/22 00:19:54  28/01/22 10:19:54  
28/01/22 01:17:01  28/01/22 10:19:54  
ldap/rpidc1.samdom.example.com at SAMDOM.EXAMPLE.COM

As you can see the ticket was renewed at 00:19:54 this morning and if I
check, k5start is running.

adminuser at deb11:~$ ps ax | grep k5start
 149296 ?        Ss     0:00 /usr/bin/k5start -b -p
/var/run/nslcd/k5start_nslcd.pid -o nslcd -g nslcd -m 600 -f
/etc/krb5.nslcd.keytab -K 60 -u nslcd-ad -k /tmp/nslcd.tkt
 754183 pts/1    S+     0:00 grep k5start


More information about the samba mailing list