[Samba] Samba and Kerberos
Mark Cogan
arcturus1966 at gmail.com
Mon May 2 12:53:31 UTC 2022
So let me go through what I did.
First, this is the same attempt to connect to a different server which
works just fine with Samba and Kerberos.
Second, it looks like the Kerberos ticket is provided, just not allowing
the connection.
Third, I created a local account and gave it Samba permission on thig.
This works as username / password so the syntax from Mac to Samba is okay.
At this point, I'm troubleshooting on the Samba side of things, trying to
see where / why despite getting a valid Kerberos ticket it still drops
through asking for username / password.
- M
On Wed, Apr 27, 2022 at 1:08 PM Mark Cogan <arcturus1966 at gmail.com> wrote:
> I've set this up in Linux 7 without issue, but we're running Rocky Linux 8
> and cannot seem to get our macOS system to authenticate with Kerberos. It
> just drops into asking for a password.
> This is output from the log file when I attempt to connect:
>
> [2022/04/27 13:01:07.656506, 2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
>   Registered MSG_REQ_POOL_USAGE
> [2022/04/27 13:01:07.656634, 3] ../../lib/util/access.c:372(allow_access)
>   Allowed connection from 132.250.114.93 (132.250.114.93)
> [2022/04/27 13:01:07.807100, 2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
>   Registered MSG_REQ_POOL_USAGE
> [2022/04/27 13:01:07.807308, 3] ../../lib/util/access.c:372(allow_access)
>   Allowed connection from 132.250.114.93 (132.250.114.93)
>
> It looks like it's getting the connection. Running klist shows the
> connection at least attempted.
>
> % klist
> Ticket cache: KCM:12566
> Default principal: cogan@<redacted>
>
> Valid starting       Expires              Service principal
> 04/27/2022 12:02:49  04/28/2022 12:02:49  krbtgt/<redacted>
> 04/27/2022 12:03:28  04/28/2022 12:02:49  cifs/sherlock-hemlock.<redacted>
> 04/27/2022 12:04:03  04/28/2022 12:02:49  host/thig.<redacted>
> 04/27/2022 12:04:58  04/28/2022 12:02:49  host/maple.<redacted>
> 04/27/2022 12:24:59  04/28/2022 12:02:49  host/kermit.<redacted>
> 04/27/2022 12:42:48  04/28/2022 12:02:49  cifs/thig.<redacted>
>
> THIG is the name of the system that is dropping down into password
> request. Connection to sherlock-hemlock is working fine with the same
> configuration, but Linux 7 variant.
>
>
> It's like it sees the user, verifies the Kerberos connection, but fails to
> read the ticket.
>
>
> - M
>