[Samba] Is LDAP + Kerberos without Active Directory no longer supported?

Robert Schetterer rs at sys4.de
Fri Apr 14 06:17:48 UTC 2023


On 14.04.23 at 00:55, Daniel Lakeland via samba wrote:
> Ok after installing libpam-winbind etc I had someone try to connect from 
> a MacOS and they got:
> 
> 
> [2023/04/13 15:50:50.002773,  1] 
> ../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac)
>    auth3_generate_session_info_pac: Unexpected PAC for 
> [testuser at OURREALM.REALM] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
> [2023/04/13 15:50:50.002891,  3] 
> ../../source3/smbd/smb2_server.c:3961(smbd_smb2_request_error_ex)
>    smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] 
> status[NT_STATUS_BAD_TOKEN_TYPE] || at 
> ../../source3/smbd/smb2_sesssetup.c:147
> [2023/04/13 15:50:59.914944,  3] 
> ../../source3/smbd/server_exit.c:229(exit_server_common)
>    Server exit (NT_STATUS_END_OF_FILE)
> 
> So it looks like her mac tried to use her Kerberos identity but the 
> Samba daemon didn't like that because "in standalone mode"
> 
> the samba settings during this test were:
> 
> 
> security = user
> realm = OURREALM.REALM
> kerberos method = system keytab
> 
> server role = standalone server
> 
> 
> 


Speculation: check your Kerberos setup

/etc/krb5.keytab

default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac

While Windows Server had an update a few months ago,

Red Hat had a warning:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/integrating_rhel_systems_directly_with_windows_active_directory/index 



When it comes to shares with CIFS, mostly it's broken in the kernel.


-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
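
Added example, not part of the original messages and not Samba code: a Python log filter that groups smbd debug records and extracts the session setups rejected with the "Unexpected PAC ... in standalone mode" message quoted above. The function names are hypothetical, and the sample log is the quoted excerpt re-joined onto full lines with "@" restored (a constructed sample).

```python
import re

# smbd debug header: "[YYYY/MM/DD HH:MM:SS.usec,  level] file:line(function)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s*(?P<loc>.*)$"
)
# Message text from the quoted log; list archives may render "@" as " at ".
PAC_REJECT = re.compile(
    r"Unexpected PAC for \[(?P<user>[^\]\s@]+)(?:@| at )(?P<realm>[^\]\s]+)\] "
    r"in standalone mode - (?P<status>NT_STATUS_\w+)"
)

# Constructed sample: the excerpt quoted in this thread, re-joined.
SAMPLE_LOG = """\
[2023/04/13 15:50:50.002773,  1] ../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Unexpected PAC for [testuser@OURREALM.REALM] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
[2023/04/13 15:50:50.002891,  3] ../../source3/smbd/smb2_server.c:3961(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_BAD_TOKEN_TYPE] || at ../../source3/smbd/smb2_sesssetup.c:147
[2023/04/13 15:50:59.914944,  3] ../../source3/smbd/server_exit.c:229(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)
"""

def parse_records(text):
    """Group each header line with its continuation lines into one record."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"ts": m["ts"], "level": int(m["level"]), "msg": m["loc"].strip()}
            records.append(current)
        elif current is not None and line.strip():
            # Continuation line (also covers mail-wrapped text): rejoin with a space.
            current["msg"] += " " + line.strip()
    return records

def pac_rejections(text):
    """Return one dict per session setup refused because a PAC arrived in standalone mode."""
    hits = []
    for rec in parse_records(text):
        m = PAC_REJECT.search(rec["msg"])
        if m:
            hits.append({"ts": rec["ts"], "user": m["user"],
                         "realm": m["realm"], "status": m["status"]})
    return hits

if __name__ == "__main__":
    for hit in pac_rejections(SAMPLE_LOG):
        print(hit["ts"], hit["user"], hit["realm"], hit["status"])
```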