Samba + Heimdal Issue.
Mohan Narayanaswamy
mohann at silver-peak.com
Mon Jun 28 11:13:35 MDT 2010
Hello Samba Team,
I am trying to use smbclient -k (Kerberos tickets obtained through MS
constrained delegation) to connect to a Win2003 server.
I can connect successfully when I get tickets for the user directly.
###########
# WORKING #
###########
/usr/heimdal/bin/kinit domain_user1@XXXX.COM
/usr/heimdal/bin/kgetcred CIFS/dev03-w2k3a02.xxxx.com@XXXX.COM
/usr/local/samba/bin/smbclient -k \\\\dev03-w2k3a02.xxxx.com\\share  # (WORKS)
Doing kerberos session setup
ads_krb5_mk_req: Advancing clock by 1974 seconds to cope with clock skew
ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration Wed, 16 Jun 2010 19:26:38 PDT
ads_krb5_mk_req: Ticket (dev03-w2k3a02$@XXXX.COM) in ccache (FILE:/tmp/krb5cc_0) is valid until: (Wed, 16 Jun 2010 19:26:38 PDT - 1276741598)
Got KRB5 session key of length 16
But when I use constrained delegation, smbclient does not seem to locate
the credentials.
###############
# NOT WORKING #
###############
/usr/heimdal/bin/kinit -c /etc/icache.krb5 --forwardable --no-afslog \
    --password-file=foopassword proxy_user@XXXX.COM
/usr/heimdal/bin/kgetcred -c /etc/icache.krb5 \
    --out-cache=/etc/ocache.krb5 --forward \
    --impersonate=domain_user1@XXXX.COM proxy_user@XXXX.COM
/usr/heimdal/bin/kgetcred -c /etc/icache.krb5 --out-cache=/tmp/krb5cc_0 \
    --delegation-credential-cache=/etc/ocache.krb5 \
    CIFS/dev03-w2k3a02.xxxx.com@XXXX.COM
/usr/local/samba/bin/smbclient -k \\\\dev03-w2k3a02.xxxx.com\\share  # (DOES NOT WORK)
Doing kerberos session setup
ads_krb5_mk_req: krb5_get_credentials failed for dev03-w2k3a02$@XXXX.COM (Matching credential not found)
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Matching credential not found
SPNEGO login failed: Matching credential not found
session setup failed: SUCCESS - 0
Any help would be much appreciated.
Regards,
Mohan