[Samba] Kerberos Authentication Problem with MacOS

Stefan Schäfer ml at fsproductions.de
Tue May 31 15:18:04 UTC 2022


Hi List,

my problem is still unsolved. Here is some more information:

If I try to get a Kerberos ticket on macOS with kinit, it works.
klist -l shows the ticket.

If I then try to connect to my SMB shares, macOS doesn't ask for username
and password anymore - the ticket is used, but the result is the same:

[2022/05/31 16:49:43.157223,  3] 
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
   Kerberos: Probing for AS-REQ
[2022/05/31 16:49:43.157253,  3] 
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
   Kerberos: Probing for TGS-REQ
[2022/05/31 16:49:43.157787,  3] 
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
   Kerberos: Not a FAST request
[2022/05/31 16:49:43.157820,  3] 
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
   Kerberos: TGS-REQ administrator at GALERIE-NET.LOC from 
ipv4:172.18.4.4:49760 for krbtgt/GALERIE-NET.LOC at GALERIE-NET.LOC [forwarded]
[2022/05/31 16:49:43.161507,  3] 
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
   Kerberos: heim_audit_vaddreason(): adding reason Request to forward 
non-forwardable ticket
[2022/05/31 16:49:43.161535,  3] 
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
   Kerberos: Failed building TGS-REP to ipv4:172.18.4.4:49760
[2022/05/31 16:49:43.161550,  3] 
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
   Kerberos: tgs-req: sending error: -1765328371 to client
[2022/05/31 16:49:43.161558,  3] 
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
   Kerberos: Making non-FAST KRB-ERROR
[2022/05/31 16:49:43.161607,  3] 
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
   Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.004393
[2022/05/31 16:49:43.161618,  3] 
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
   Kerberos: TGS-REQ ERR_BADOPTION ipv4:172.18.4.4:49760 
administrator at GALERIE-NET.LOC krbtgt/GALERIE-NET.LOC at GALERIE-NET.LOC 
elapsed=0.004393 reason=Request to forward non-forwardable ticket
[2022/05/31 16:49:43.161977,  3] 
../../source4/samba/service_stream.c:67(stream_terminate_connection)
   stream_terminate_connection: Terminating connection - 
'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - 
NT_STATUS_CONNECTION_DISCONNECTED'

It might be possible that this problem is caused by a macOS update from
April 2021:

https://discussions-cn-prz.apple.com/en/thread/252803969

I've no idea how to deal with this....

Stefan



On 17.05.22 at 08:54, Stefan Schäfer via samba wrote:
> Hi List,
> 
> we've just built Samba (version 4.16.1+git.235.f435da606f7) with 
> internal Heimdal Kerberos (version 8pre) for use as AD-DC.
> 
> With Windows clients (joined to domain) everything works fine. Trying to 
> access the samba server (which acts as DC and fileserver) with MacOS, 
> authentication fails with some Kerberos problems. Log file attached. 
> MacOS only tells that something went wrong. No further information (I'm 
> not a MacOS crack)
> 
> Disabling Fast-Support, as mentioned in samba changelog (kdc enable fast 
> = no) didn't change anything.
> 
> I've not tried to join the domain with this MacOS client yet.
> 
> With older Samba versions we had no problems with MacOS.
> 
> Any ideas, what went wrong?
> 
> Stefan
> 
> 

-- 
www.invis-server.org

Stefan Schäfer
Vogelsbergstr. 118
63679 Schotten
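
An added example, not part of the original post and not Samba code: a small parser for level-3 KDC log output like the excerpt above. It maps the com_err value in the `sending error:` line back to its RFC 4120 error number (value minus the krb5 error-table base) and pairs it with the following TGS-REQ audit line. The sample log is constructed (realm EXAMPLE.TEST, client alice, address 192.0.2.10) and the function names are illustrative.

```python
import re

KRB5_BASE = -1765328384  # krb5 com_err table base; value - base = RFC 4120 number
RFC4120 = {7: "KDC_ERR_S_PRINCIPAL_UNKNOWN", 12: "KDC_ERR_POLICY",
           13: "KDC_ERR_BADOPTION", 14: "KDC_ERR_ETYPE_NOSUPP"}  # subset only
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s+\d+\]")
CODE = re.compile(r"Kerberos: tgs-req: sending error: (-?\d+) to client")
AUDIT = re.compile(r"Kerberos: TGS-REQ (?P<name>ERR_\w+) (?P<peer>\S+) "
                   r"(?P<client>\S+) (?P<service>\S+) .*?reason=(?P<reason>.*)$")

# Constructed sample in Samba's log layout (header line, then indented message).
SAMPLE = """\
[2022/01/01 10:00:00.100000,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ alice@EXAMPLE.TEST from ipv4:192.0.2.10:49760 for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST [forwarded]
[2022/01/01 10:00:00.104000,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: tgs-req: sending error: -1765328371 to client
[2022/01/01 10:00:00.104100,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ ERR_BADOPTION ipv4:192.0.2.10:49760 alice@EXAMPLE.TEST krbtgt/EXAMPLE.TEST@EXAMPLE.TEST elapsed=0.004393 reason=Request to forward non-forwardable ticket
"""

def records(text):
    """Yield (timestamp, message); lines without a header continue the record above."""
    ts, parts = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if ts and parts:
                yield ts, " ".join(parts)
            ts, parts = m.group(1), []
        elif line.strip():
            parts.append(line.strip())
    if ts and parts:
        yield ts, " ".join(parts)

def tgs_failures(text):
    """Return one dict per failed TGS-REQ, with the decoded RFC 4120 error name."""
    findings, decoded = [], None
    for ts, msg in records(text):
        m = CODE.search(msg)
        if m:
            n = int(m.group(1)) - KRB5_BASE
            decoded = RFC4120.get(n, f"error {n}")
            continue
        m = AUDIT.search(msg)
        if m:
            findings.append({"time": ts, "error": decoded or m["name"], **m.groupdict()})
            decoded = None
    return findings

if __name__ == "__main__":
    print(tgs_failures(SAMPLE))
```
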


