[Samba] Kerberos Authentication Problem with MacOS
Stefan Schäfer
ml at fsproductions.de
Tue May 31 15:18:04 UTC 2022
Hi List,
my problem is still unsolved. Here is some more information:
If I try to get a Kerberos ticket on macOS with kinit, it works. klist
-l shows the ticket.
If I then try to connect to my SMB shares, macOS doesn't ask for username
and password anymore - the ticket is used, but the result is the same:
[2022/05/31 16:49:43.157223, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Probing for AS-REQ
[2022/05/31 16:49:43.157253, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Probing for TGS-REQ
[2022/05/31 16:49:43.157787, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Not a FAST request
[2022/05/31 16:49:43.157820, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ administrator at GALERIE-NET.LOC from
ipv4:172.18.4.4:49760 for krbtgt/GALERIE-NET.LOC at GALERIE-NET.LOC [forwarded]
[2022/05/31 16:49:43.161507, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_vaddreason(): adding reason Request to forward
non-forwardable ticket
[2022/05/31 16:49:43.161535, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Failed building TGS-REP to ipv4:172.18.4.4:49760
[2022/05/31 16:49:43.161550, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: tgs-req: sending error: -1765328371 to client
[2022/05/31 16:49:43.161558, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Making non-FAST KRB-ERROR
[2022/05/31 16:49:43.161607, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.004393
[2022/05/31 16:49:43.161618, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ ERR_BADOPTION ipv4:172.18.4.4:49760
administrator at GALERIE-NET.LOC krbtgt/GALERIE-NET.LOC at GALERIE-NET.LOC
elapsed=0.004393 reason=Request to forward non-forwardable ticket
[2022/05/31 16:49:43.161977, 3]
../../source4/samba/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection -
'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
NT_STATUS_CONNECTION_DISCONNECTED'
It might be possible that this problem is caused by a macOS update from
April 2021:
https://discussions-cn-prz.apple.com/en/thread/252803969
I've no idea how to deal with this....
Stefan
Am 17.05.22 um 08:54 schrieb Stefan Schäfer via samba:
> Hi List,
>
> we've just built Samba (version 4.16.1+git.235.f435da606f7) with
> internal Heimdal Kerberos (version 8pre) for use as AD-DC.
>
> With Windows clients (joined to domain) everything works fine. Trying to
> access the samba server (which acts as DC and fileserver) with MacOS,
> authentication fails with some Kerberos problems. Log file attached.
> MacOS only tells that something went wrong. No further information (I'm
> not a MacOS crack)
>
> Disabling Fast-Support, as mentioned in samba changelog (kdc enable fast
> = no) didn't change anything.
>
> I've not tried to join the domain with this MacOS client yet.
>
> With older Samba versions we had no problems with MacOS.
>
> Any ideas, what went wrong?
>
> Stefan
>
>
--
www.invis-server.org
Stefan Schäfer
Vogelsbergstr. 118
63679 Schotten
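
Added example, not part of the original message and not Samba's own code: a Python parser that pulls failed TGS requests out of a Samba AD DC log like the one quoted above, rejoining the mail-wrapped lines and converting the com_err value (-1765328371) into the RFC 4120 error number. The function names and regular expressions are assumptions derived only from the log lines in this post.

```python
import re

# Base of the krb5 com_err table; subtracting it yields the RFC 4120 error number.
KRB5_ERROR_TABLE_BASE = -1765328384
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]\s*")
SOURCE = re.compile(r"^\S+\.c:\d+\(\w+\)\s*")
ERRCODE = re.compile(r"Kerberos: tgs-req: sending error: (-?\d+) to client")
# Principals read "user at REALM" in the list archive and "user@REALM" in raw logs.
SUMMARY = re.compile(
    r"Kerberos: TGS-REQ (?P<error>ERR_\w+) ipv4:(?P<ip>[\d.]+):\d+ "
    r"(?P<client>\S+(?: at |@)\S+) (?P<service>\S+(?: at |@)\S+) "
    r"elapsed=\S+ reason=(?P<reason>.+)")
# Excerpt of the log in the post, wrapped the way the mail shows it.
SAMPLE_LOG = """\
[2022/05/31 16:49:43.161550, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: tgs-req: sending error: -1765328371 to client
[2022/05/31 16:49:43.161618, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ ERR_BADOPTION ipv4:172.18.4.4:49760
administrator at GALERIE-NET.LOC krbtgt/GALERIE-NET.LOC at GALERIE-NET.LOC
elapsed=0.004393 reason=Request to forward non-forwardable ticket
"""

def records(text):
    """Yield (timestamp, message) per log record, rejoining wrapped lines."""
    stamp, parts = None, []
    # The trailing sentinel header flushes the last real record.
    for line in text.splitlines() + ["[0000/00/00 00:00:00.0, 0]"]:
        m = HEADER.match(line)
        if m:
            if stamp is not None:
                yield stamp, SOURCE.sub("", " ".join(p for p in parts if p))
            stamp, parts = m.group(1), [line[m.end():].strip()]
        elif stamp is not None:
            parts.append(line.strip())

def tgs_failures(text):
    """Return one dict per failed TGS-REQ, with the protocol error number."""
    failures, code = [], None
    for stamp, msg in records(text):
        if (m := ERRCODE.search(msg)):
            code = int(m.group(1)) - KRB5_ERROR_TABLE_BASE
        elif (m := SUMMARY.search(msg)):
            failures.append({"time": stamp, "krb_error": code, **m.groupdict()})
            code = None
    return failures

if __name__ == "__main__":
    print(tgs_failures(SAMPLE_LOG))
```

For the excerpt this yields a single failure with protocol error 13 (KDC_ERR_BADOPTION), which matches the ERR_BADOPTION name in the KDC's own summary line.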