[Samba] Samba and Kerberos

Mark Cogan arcturus1966 at gmail.com
Mon May 2 12:53:31 UTC 2022


So let me go through what I did.
First, this is the same attempt to connect to a different server which
works just fine with Samba and Kerberos.
Second, it looks like the Kerberos ticket is provided, just not allowing
the connection.
Third, I created a local account and gave it Samba permission on thig.
This works as username / password so the syntax from Mac to Samba is okay.

At this point, I'm troubleshooting on the Samba side of things, trying to
see where / why despite getting a valid Kerberos ticket it still drops
through asking for username / password.

- M

On Wed, Apr 27, 2022 at 1:08 PM Mark Cogan <arcturus1966 at gmail.com> wrote:

> I've set this up in Linux 7 without issue, but we're running Rocky Linux 8
> and cannot seem to get our macOS system to authenticate with Kerberos. It
> just drops into asking for a password.
> This is output from the log file when I attempt to connect:
>
> [2022/04/27 13:01:07.656506,  2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
>   Registered MSG_REQ_POOL_USAGE
> [2022/04/27 13:01:07.656634,  3] ../../lib/util/access.c:372(allow_access)
>   Allowed connection from 132.250.114.93 (132.250.114.93)
> [2022/04/27 13:01:07.807100,  2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
>   Registered MSG_REQ_POOL_USAGE
> [2022/04/27 13:01:07.807308,  3] ../../lib/util/access.c:372(allow_access)
>   Allowed connection from 132.250.114.93 (132.250.114.93)
>
> It looks like it's getting the connection.  Running klist shows the
> connection at least attempted.
>
> % klist
> Ticket cache: KCM:12566
> Default principal: cogan@<redacted>
>
> Valid starting       Expires              Service principal
> 04/27/2022 12:02:49  04/28/2022 12:02:49  krbtgt/<redacted>
> 04/27/2022 12:03:28  04/28/2022 12:02:49  cifs/sherlock-hemlock.<redacted>
> 04/27/2022 12:04:03  04/28/2022 12:02:49  host/thig.<redacted>
> 04/27/2022 12:04:58  04/28/2022 12:02:49  host/maple.<redacted>
> 04/27/2022 12:24:59  04/28/2022 12:02:49  host/kermit.<redacted>
> 04/27/2022 12:42:48  04/28/2022 12:02:49  cifs/thig.<redacted>
>
> THIG is the name of the system that is dropping down into password
> request.  Connection to sherlock-hemlock is working fine with the same
> configuration, but Linux 7 variant.
>
>
> It's like it sees the user, verifies the Kerberos connection, but fails to
> read the ticket.
>
>
> - M
>

