[Samba] Samba 4.2.15 and MIT Kerberos External Authentication

igor noredinoski igor.noredinoski at gmail.com
Tue Apr 8 22:24:57 UTC 2025


Hello, I have been trying to get Samba 4.21.5 set up to use an external MIT
Kerberos authentication system on Debian 12. I realize this feature is
still experimental, but I just wanted to confirm if I am missing a critical
detail, as it seems to be correctly installed except that it's not passing
the credentials from the Windows client correctly. I

I have Samba compiled as per the doc with SAMBA_USES_MITKDC, and it's
installed in /usr/local/samba/*

I have configured my default realm as DEPT.LOCAL and the external realm is
COMPANY.COM

I have set up a Samba user map and created a local Samba user named
foo@DEPT.LOCAL which has an account with password foo@COMPANY.COM

My user.map is as per below.

foo = foo@COMPANY.COM

What settings are needed for the Windows/Mac client to log in with user foo,
and have their credential checked against @COMPANY.COM and then be allowed to
authenticate into @DEPT.LOCAL? We don't have any special security
requirements other than that the user account needs to already exist in Samba
and we don't want to store their password but have it reside at
@COMPANY.COM.

I tested krb5 and am able to get Kerberos tickets from the command line via
kinit.

Is there extra customization needed in /usr/local/samba/private/kdc.conf or
in /etc/pam.d/?

Apr 08 16:50:50 dc1 krb5kdc[4450](info): authsam_account_ok: Checking SMB password for user foo@@DEPT.LOCAL
Apr 08 16:50:50 dc1 krb5kdc[4450](info): logon_hours_ok: No hours restrictions for user foo@@DEPT.LOCAL
Apr 08 16:50:50 dc1 krb5kdc[4450](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) x.x.x.x: NEEDED_PREAUTH: foo\@DEPT.LOCAL@DEPT.LOCAL for krbtgt/DEPT.LOCAL@DEPT.LOCAL, Additional pre-authentication required
Apr 08 16:50:50 dc1 krb5kdc[4450](info): closing down fd 19
Apr 08 16:50:50 dc1 krb5kdc[4450](info): authsam_account_ok: Checking SMB password for user foo@@DEPT.LOCAL
Apr 08 16:50:50 dc1 krb5kdc[4450](info): logon_hours_ok: No hours restrictions for user foo@@DEPT.LOCAL
Apr 08 16:50:50 dc1 krb5kdc[4450](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Apr 08 16:50:50 dc1 krb5kdc[4450](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) x.x.x.x: PREAUTH_FAILED: foo\@DEPT.LOCAL@DEPT.LOCAL for krbtgt/DEPT.LOCAL@DEPT.LOCAL, Preauthentication failed
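Added example, not from the post or from Samba: a small parser for the krb5kdc AS_REQ lines quoted above, which splits the client principal at the last unescaped "@" (the poster's client principal carries "\@" inside its name component, which a naive split on "@" would misread) and tallies outcomes per client, realm and source address. The sample log is constructed in the same format; the IPs and the ISSUE line are invented.

```python
import re
from collections import Counter, defaultdict

# AS_REQ lines in the krb5kdc format quoted in the post. The client principal may carry
# backslash escapes, e.g. "foo\@DEPT.LOCAL@DEPT.LOCAL" (name component "foo@DEPT.LOCAL").
AS_REQ_RE = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d \S+ krb5kdc\[\d+\]\(info\): AS_REQ "
                       r"\(\d+ etypes \{[^}]*\}\) (?P<ip>\S+): (?P<result>[A-Z_]+): (?P<rest>.*)$")
PRINC_RE = re.compile(r"(?P<client>(?:\\.|[^\\\s@])+@[^\s,]+) for (?P<server>[^\s,]+)")

def split_principal(princ):
    """Split at the last unescaped '@' and unescape the name component ('\\@' -> '@')."""
    i = princ.rfind("@")
    while i > 0 and princ[i - 1] == "\\":
        i = princ.rfind("@", 0, i)
    name, realm = (princ, "") if i < 0 else (princ[:i], princ[i + 1:])
    return re.sub(r"\\(.)", r"\1", name), realm

def parse_as_req(line):
    """Return the fields of one AS_REQ log line, or None for any other line."""
    m = AS_REQ_RE.match(line)
    pm = m and PRINC_RE.search(m["rest"])
    if not pm:
        return None
    name, realm = split_principal(pm["client"])
    return {"ip": m["ip"], "result": m["result"], "client": name, "realm": realm, "server": pm["server"]}

def summarize(log_text):
    """Per (client name, realm, ip): Counter of AS_REQ results, plus review notes."""
    results, notes = defaultdict(Counter), []
    for ev in filter(None, map(parse_as_req, log_text.splitlines())):
        key = (ev["client"], ev["realm"], ev["ip"])
        results[key][ev["result"]] += 1
        if "@" in ev["client"]:  # the name component itself contains an '@'
            notes.append(f"{key}: '@' inside the name component (escaped as \\@ in the log)")
        if ev["result"] == "PREAUTH_FAILED":
            notes.append(f"{key}: pre-authentication failed for {ev['server']}")
    return dict(results), notes

# Constructed sample in the post's log format (host, pid and etype list copied; IPs invented).
PFX = "Apr 08 16:50:50 dc1 krb5kdc[4450](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), " \
      "aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), " \
      "UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) "
SAMPLE_LOG = "\n".join([
    PFX + "192.0.2.10: NEEDED_PREAUTH: foo\\@DEPT.LOCAL@DEPT.LOCAL for krbtgt/DEPT.LOCAL@DEPT.LOCAL, Additional pre-authentication required",
    "Apr 08 16:50:50 dc1 krb5kdc[4450](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed",
    PFX + "192.0.2.10: PREAUTH_FAILED: foo\\@DEPT.LOCAL@DEPT.LOCAL for krbtgt/DEPT.LOCAL@DEPT.LOCAL, Preauthentication failed",
    PFX + "192.0.2.11: ISSUE: authtime 1744131062, etypes {rep=18 tkt=18 ses=18}, bar@DEPT.LOCAL for krbtgt/DEPT.LOCAL@DEPT.LOCAL",
])
```

Running summarize(SAMPLE_LOG) groups the two requests from the first host under the client name "foo@DEPT.LOCAL" in realm DEPT.LOCAL, with one NEEDED_PREAUTH and one PREAUTH_FAILED, and flags the "@" inside that name component.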


More information about the samba mailing list