hi users, a novice here hoping to grasp fundamentals soon :)

I have a samba+sssd as a client to an AD - I have all the keytabs for a host (I think) but I noticed weird (to me at least) smbclient behavior. When I do:

$ smbclient -L swir -U m...@ceb.private.dom -k

all works, the client sees the local samba's shares. When I do:

$ smbclient -L swir.private.ceb.private.dom -U pe...@ceb.private.dom -k
gss_init_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Server cifs/swir.private.ceb.private....@private.ceb.private.dom not found in Kerberos database]
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR
and to verify:

$ klist -k /etc/krb5.swir.keytab -e
Keytab name: FILE:/etc/krb5.swir.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/swir.private.ceb.private....@ceb.private.dom (des-cbc-crc)
   4 host/swir.private.ceb.private....@ceb.private.dom (des-cbc-md5)
   4 host/swir.private.ceb.private....@ceb.private.dom (arcfour-hmac)
   4 host/swir.private.ceb.private....@ceb.private.dom (aes256-cts-hmac-sha1-96)
   4 host/swir.private.ceb.private....@ceb.private.dom (aes128-cts-hmac-sha1-96)
   4 CIFS/swir.private.ceb.private....@ceb.private.dom (des-cbc-crc)
   4 CIFS/swir.private.ceb.private....@ceb.private.dom (des-cbc-md5)
   4 CIFS/swir.private.ceb.private....@ceb.private.dom (arcfour-hmac)
   4 CIFS/swir.private.ceb.private....@ceb.private.dom (aes256-cts-hmac-sha1-96)
   4 CIFS/swir.private.ceb.private....@ceb.private.dom (aes128-cts-hmac-sha1-96)

and the above keytab file is the one samba uses in its config, and that keytab was generated on AD DS.

What you can notice when I smbclient with the FQDN (it's all one local host, smbclient is trying itself) is this:

gss_init_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Server cifs/swir.private.ceb.private....@private.ceb.private.dom not found in Kerberos
@PRIVATE.CEB.PRIVATE.DOM  # this part, I thought it should be the AD domain, like: @CEB.PRIVATE.DOM

Why does smbclient use its own realm?
I should also say that this linux is a client of two realms: first, it's a freeIPA server that runs locally on this box, and second, its local samba is a client of AD (win2k14).

And my krb5.conf looks like this:

--------------------------
[libdefaults]
  default_realm = PRIVATE.CEB.PRIVATE.DOM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  PRIVATE.CEB.PRIVATE.DOM = {
    kdc = swir.private.ceb.private.dom:88
    master_kdc = swir.private.ceb.private.dom:88
    admin_server = swir.private.ceb.private.dom:749
    default_domain = private.ceb.private.dom
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
  CEB.PRIVATE.DOM = {
    kdc = win-srv.ceb.private.dom:88
    domain_server = ccnr-winsrv1.ceb.private.dom:749
    admin_server = ccnr-winsrv1.private.ceb.private.dom
  }

[domain_realm]
  .private.ceb.private.dom = PRIVATE.CEB.PRIVATE.DOM
  private.ceb.private.dom = PRIVATE.CEB.PRIVATE.DOM
  ceb.private.dom = CEB.PRIVATE.DOM
  .ceb.private.dom = CEB.PRIVATE.DOM
--------------------

so PRIVATE.CEB.PRIVATE.DOM is the own local freeIPA domain and CEB.PRIVATE.DOM is the AD domain.

Also you can see dns-wise it is like this: the IPA server (samba) is swir.private.ceb.private.dom and AD with its server is win-srv.ceb.private.dom.

There is something misconfigured or/and I am confusing fundamentals. What am I doing wrong?

many thanks
L.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
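As an added illustration (not part of the post above), here is a small Python model of how libkrb5 walks a [domain_realm] section when a client builds a service principal: the exact hostname entry first, then each parent domain with a leading dot, longest first. Run against the post's own mapping and keytab principals (the full host name is assumed, since klist abbreviated it with "...."), it shows which realm a client derives for cifs/swir.private.ceb.private.dom and whether the keytab holds an entry in that realm.

```python
# Constructed: the [domain_realm] section from the post's krb5.conf.
DOMAIN_REALM = """
.private.ceb.private.dom = PRIVATE.CEB.PRIVATE.DOM
private.ceb.private.dom = PRIVATE.CEB.PRIVATE.DOM
ceb.private.dom = CEB.PRIVATE.DOM
.ceb.private.dom = CEB.PRIVATE.DOM
"""
# Constructed: the post's keytab principals, host name written out in full.
KEYTAB_PRINCIPALS = [
    "host/swir.private.ceb.private.dom@CEB.PRIVATE.DOM",
    "CIFS/swir.private.ceb.private.dom@CEB.PRIVATE.DOM",
]

def parse_domain_realm(text):
    """Parse 'domain = REALM' lines into a dict; keys lower-cased."""
    mapping = {}
    for line in text.splitlines():
        if "=" in line:
            key, realm = line.split("=", 1)
            mapping[key.strip().lower()] = realm.strip()
    return mapping

def host_realm(hostname, mapping):
    """Exact host first, then parent domains longest-first; None = no static mapping."""
    host = hostname.rstrip(".").lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None  # libkrb5 would then fall back to DNS or default_realm

def service_principal(service, hostname, mapping):
    realm = host_realm(hostname, mapping)
    return f"{service}/{hostname.lower()}@{realm}" if realm else None

def keytab_check(principal, keytab):
    """(found in that realm?, other realms holding the same service/host)."""
    name, _, realm = principal.partition("@")
    found, others = False, set()
    for entry in keytab:
        e_name, _, e_realm = entry.partition("@")
        if e_name.lower() == name.lower():  # AD matches SPNs case-insensitively
            if e_realm == realm:            # realm names are case-sensitive
                found = True
            else:
                others.add(e_realm)
    return found, sorted(others)
```

For the FQDN the mapping selects PRIVATE.CEB.PRIVATE.DOM, while the keytab only carries the CIFS principal under CEB.PRIVATE.DOM; the bare short name "swir" matches no static entry at all, so the library takes its DNS/default_realm fallback path instead.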