[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
Daniel Lakeland
dlakelan at street-artists.org
Sun Apr 16 23:51:32 UTC 2023
On 4/13/23 12:28, Daniel Lakeland via samba wrote:
Hi all, for those who are interested in this issue, it appears that this
may have changed very recently.
On my home server which is running samba 4.16.0+dfsg-7 I am able to
connect with smbclient as follows:
smbclient --use-kerberos=required "//localserver.lan/dlakelan"
However, at the remote site where we are running 4.17.7+dfsg-1 after
dealing with some issues regarding firewalls, I tried to connect using:
smbclient --use-kerberos=required --user="dlakelan@REMOTE.REALM" //remote.host.name/dlakelan
I get the result:
session setup failed: NT_STATUS_BAD_TOKEN_TYPE
and the remote log says:
[2023/04/16 16:38:22.349790, 1]
../../source3/librpc/crypto/gse_krb5.c:185(fill_mem_keytab_from_secrets)
fill_mem_keytab_from_secrets:
secrets_fetch_or_upgrade_domain_info(REMOTE.REALM) -
NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2023/04/16 16:38:22.349811, 3]
../../source3/librpc/crypto/gse_krb5.c:582(gse_krb5_get_server_keytab)
../../source3/librpc/crypto/gse_krb5.c:582: Warning! Unable to set
mem keytab from secrets!
[2023/04/16 16:38:22.441568, 1]
../../source3/librpc/crypto/gse_krb5.c:185(fill_mem_keytab_from_secrets)
fill_mem_keytab_from_secrets:
secrets_fetch_or_upgrade_domain_info(REMOTE.REALM) -
NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2023/04/16 16:38:22.441631, 3]
../../source3/librpc/crypto/gse_krb5.c:582(gse_krb5_get_server_keytab)
../../source3/librpc/crypto/gse_krb5.c:582: Warning! Unable to set
mem keytab from secrets!
[2023/04/16 16:38:22.443158, 1]
../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac)
auth3_generate_session_info_pac: Unexpected PAC for
[dlakelan@REMOTE.REALM] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
[2023/04/16 16:38:22.443233, 3]
../../source3/smbd/smb2_server.c:3961(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_BAD_TOKEN_TYPE] || at
../../source3/smbd/smb2_sesssetup.c:147
[2023/04/16 16:38:22.467480, 3]
../../source3/smbd/server_exit.c:229(exit_server_common)
Server exit (NT_STATUS_END_OF_FILE)
Both sites are running:
server role = standalone server
and have a relevant kerberos realm (it's different realms but both are
working fine in general).
Did something happen between 4.16.0 and 4.17.7 in which samba would
refuse to do anything with a kerberos ticket when in standalone mode?
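
A small triage helper for smbd logs like the one quoted above, added here as an example and not part of the original post or of Samba: it reassembles the mail-wrapped log records and picks out the standalone-mode PAC rejection. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: two records from the log quoted above, keeping the
# line wrapping introduced by the mail archive.
SAMPLE = """\
[2023/04/16 16:38:22.349790, 1]
../../source3/librpc/crypto/gse_krb5.c:185(fill_mem_keytab_from_secrets)
fill_mem_keytab_from_secrets:
secrets_fetch_or_upgrade_domain_info(REMOTE.REALM) -
NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2023/04/16 16:38:22.443158, 1]
../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac)
auth3_generate_session_info_pac: Unexpected PAC for
[dlakelan@REMOTE.REALM] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
"""

# A record starts with "[timestamp, level]"; matching the timestamp keeps a
# wrapped message line such as "[user@REALM] in ..." from starting a new one.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^(\S+):(\d+)\((\w+)\)$")
PAC = re.compile(r"Unexpected PAC for \[([^\]]+)\] in standalone mode")

def parse_records(text):
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            records.append({"time": m[1], "level": int(m[2]), "func": None, "msg": ""})
            line = m[3]  # source location may follow on the same line
        if not records or not line:
            continue
        rec, loc = records[-1], LOCATION.match(line)
        if loc and rec["func"] is None and not rec["msg"]:
            rec.update(file=loc[1], line=int(loc[2]), func=loc[3])
        else:
            rec["msg"] = (rec["msg"] + " " + line).strip()
    for rec in records:
        rec["status"] = re.findall(r"NT_STATUS_\w+", rec["msg"])
    return records

def pac_rejections(records):
    """Records where smbd refused a Kerberos ticket because it carried a PAC."""
    hits = []
    for rec in records:
        m = PAC.search(rec["msg"])
        if rec["func"] == "auth3_generate_session_info_pac" and m:
            hits.append({**rec, "principal": m[1]})
    return hits
```

Calling `pac_rejections(parse_records(text))` on a log file's contents returns one entry per rejected session setup, with the timestamp, principal and status codes.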