[37517] in Kerberos


Re: keytabs basics linux <=> AD ?

daemon@ATHENA.MIT.EDU (Brandon Allbery)
Fri Jun 10 17:07:04 2016

From: Brandon Allbery <ballbery@sinenomine.net>
To: lejeczek <peljasz@yahoo.co.uk>, "kerberos@mit.edu" <kerberos@mit.edu>
Date: Fri, 10 Jun 2016 21:06:43 +0000
Message-ID: <2CD29825-0BD8-478A-9373-FF4962309585@sinenomine.net>
In-Reply-To: <8ae57557-9289-78c0-8979-8c14d421a3a4@yahoo.co.uk>

Kerberos picks a realm based on the hostname. When you use the swir.private.ceb.private.dom hostname, it infers the realm PRIVATE.CEB.PRIVATE.DOM from your [domain_realm] mapping; but Samba is not using that realm for authentication and AD doesn’t know about that realm.

In general, trying to mix realms like this --- especially when the machine is both a KDC for one realm and, for SMB, a member of a different realm --- is a recipe for trouble. Your best bet would probably be a wrapper for the SMB client utilities that points them to a Samba-specific krb5.conf (via KRB5_CONFIG environment variable) that knows to use the AD realm information instead.

On 6/7/16, 09:01, "kerberos-bounces@mit.edu on behalf of lejeczek" <kerberos-bounces@mit.edu on behalf of peljasz@yahoo.co.uk> wrote:

$ smbclient -L swir -U me@CEB.PRIVATE.DOM -k
all works, the client sees the local samba's shares, when I do:
$ smbclient -L swir.private.ceb.private.dom -U pe243@CEB.PRIVATE.DOM -k
gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server cifs/swir.private.ceb.private.dom@PRIVATE.CEB.PRIVATE.DOM not found in Kerberos database]


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
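The following is an added example, not part of the list thread above and not code from the Kerberos or Samba projects. It models the two points in the reply: how libkrb5 turns a hostname into a realm through the [domain_realm] section (exact hostname first, then each parent domain with a leading dot), and how pointing SMB utilities at a Samba-specific krb5.conf through KRB5_CONFIG changes which service principal gets requested for the very same hostname. The two krb5.conf files, their [domain_realm] contents and the wrapper function are constructed for the demo; only the hostname and realm names come from the thread. The fallback libkrb5 applies when nothing matches (referral or default_realm) is not modelled.

```shell
#!/bin/sh
# Added example: realm inference from [domain_realm] and a KRB5_CONFIG wrapper.
# Files below are constructed for the demo; realm/host names come from the thread.

# Constructed "main" krb5.conf of the box that is a KDC for PRIVATE.CEB.PRIVATE.DOM.
# Its subtree mapping is what makes the FQDN SMB case pick the local realm.
MAIN_KRB5=$(mktemp)
cat >"$MAIN_KRB5" <<'EOF'
[libdefaults]
    default_realm = PRIVATE.CEB.PRIVATE.DOM
[domain_realm]
    # hosts under private.ceb.private.dom belong to the local KDC's realm
    .private.ceb.private.dom = PRIVATE.CEB.PRIVATE.DOM
    private.ceb.private.dom = PRIVATE.CEB.PRIVATE.DOM
    .ceb.private.dom = CEB.PRIVATE.DOM
    ceb.private.dom = CEB.PRIVATE.DOM
EOF

# Constructed Samba-specific krb5.conf: the same subtree is mapped to the AD
# realm the member server joined, so cifs/ tickets are requested from AD.
SMB_KRB5=$(mktemp)
cat >"$SMB_KRB5" <<'EOF'
[libdefaults]
    default_realm = CEB.PRIVATE.DOM
[domain_realm]
    .private.ceb.private.dom = CEB.PRIVATE.DOM
    private.ceb.private.dom = CEB.PRIVATE.DOM
    .ceb.private.dom = CEB.PRIVATE.DOM
    ceb.private.dom = CEB.PRIVATE.DOM
EOF
trap 'rm -f "$MAIN_KRB5" "$SMB_KRB5"' EXIT

# Look up one key in the [domain_realm] section of a krb5.conf file.
domain_realm_lookup() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*\[/ { insec = ($0 ~ /\[domain_realm\]/); next }
        insec && index($0, "=") {
            n = index($0, "=")
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/[[:space:]]/, "", key); gsub(/[[:space:]]/, "", val)
            if (key == k) { print val; exit }
        }' "$1"
}

# infer_realm <krb5.conf> <hostname>: the MIT lookup order, exact hostname
# first, then ".parent.domain" for each parent. Prints the realm; returns 1
# if no entry matches (the real library then falls back, which is not modelled).
infer_realm() {
    conf=$1
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    cand=$host
    rest=$host
    while [ -n "$rest" ]; do
        case $rest in
            *.*) rest=${rest#*.}; cand="$cand .$rest" ;;
            *)   rest= ;;
        esac
    done
    for c in $cand; do
        r=$(domain_realm_lookup "$conf" "$c")
        if [ -n "$r" ]; then printf '%s\n' "$r"; return 0; fi
    done
    return 1
}

# cifs_principal <krb5.conf> <hostname>: the service principal an SMB client
# would ask the KDC for when this krb5.conf is in effect.
cifs_principal() {
    realm=$(infer_realm "$1" "$2") || return 1
    printf 'cifs/%s@%s\n' "$2" "$realm"
}

# Wrapper in the spirit of the reply: run any SMB client utility with the
# Samba-specific krb5.conf, scoping KRB5_CONFIG to that one process.
smb_with_ad_krb5() {
    KRB5_CONFIG=$SMB_KRB5 "$@"
}

HOST=swir.private.ceb.private.dom
echo "main krb5.conf  -> $(cifs_principal "$MAIN_KRB5" "$HOST")"
echo "samba krb5.conf -> $(cifs_principal "$SMB_KRB5" "$HOST")"
# Real use would be: smb_with_ad_krb5 smbclient -L "$HOST" -U user@CEB.PRIVATE.DOM -k
smb_with_ad_krb5 sh -c 'echo "wrapper sees KRB5_CONFIG=$KRB5_CONFIG"'
```

With the main krb5.conf the demo produces exactly the principal named in the error message, cifs/swir.private.ceb.private.dom@PRIVATE.CEB.PRIVATE.DOM, which AD has no key for; with the Samba-specific file the same hostname yields cifs/swir.private.ceb.private.dom@CEB.PRIVATE.DOM. The wrapper sets KRB5_CONFIG only for the child process, so the KDC side of the box keeps using its own configuration.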

