Bug 11591 - smbclient can't connect to remote server using kerberos.
Summary: smbclient can't connect to remote server using kerberos.
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.1.12
Hardware: x86 Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2015-11-08 21:40 UTC by marcio
Modified: 2020-12-23 10:55 UTC
Description marcio 2015-11-08 21:40:45 UTC
- I have trouble when I try to connect to my Samba 4.1 server using an Ubuntu 14.04 client (using the same steps on a Fedora 22 client I can connect fine).

- klist and kinit work fine on both systems;
- Kerberos version 5 1.12;
- using "smbclient -K //server/share -d3" I got (snipped):

Doing kerberos session setup
krb5_init_context failed (invalid argument)
cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: invalid argument
SPNEGO login failed: Undetermined error
session setup failed: NT_STATUS_UNSUCCESSFUL

Here is my krb5.conf:
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

default_realm = OTHERNAME
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes

pkinit_anchors = FILE:/etc/ipa/ca.crt

.othername = OTHERNAME
othername = OTHERNAME

default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

I can't identify whether I have missing or incorrect parameters in any .conf file. I would appreciate any help with this issue.
Thank you
Comment 1 Amit Kumar 2018-10-26 06:07:05 UTC
(In reply to marcio from comment #0)
Hey Marcio,
Is the problem fixed with the newest smbclient?
samba-4.7.1 does not incorporate the function cli_session_setup_kerberos_send().

static struct tevent_req *cli_session_setup_kerberos_send(/* ... */)
{
        /* ... */

        /*
         * Ok, this is cheating: spnego_gen_krb5_negTokenInit can block if
         * we have to acquire a ticket. To be fixed later :-)
         */
        rc = spnego_gen_krb5_negTokenInit(state, principal, 0, &state->negTokenTarg,
                                     &state->session_key_krb5, 0, NULL);
        if (rc) {
                /* This is the message seen in the -d3 output of the report */
                DEBUG(1, ("cli_session_setup_kerberos: "
                          "spnego_gen_krb5_negTokenInit failed: %s\n",
                          error_message(rc)));
                state->ads_status = ADS_ERROR_KRB5(rc);
                tevent_req_nterror(req, NT_STATUS_UNSUCCESSFUL);
                return tevent_req_post(req, ev);
        }
        /* ... */
}

There have been changes in SPNEGO protocol handling with krb5-1.15.

My constraint is that I don't have an Ubuntu box; mea culpa, I cannot repro.
Comment 2 Rowland Penny 2020-12-23 10:55:51 UTC
This isn't a Samba bug; it is caused by having an 'includedir' line in krb5.conf. Heimdal doesn't know anything about this.
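
The following is an added example, not part of the bug report or of Samba: a check that finds `include`/`includedir` directives in a krb5.conf (the cause named in comment 2) and produces a flattened copy with the included files inlined. The function names are hypothetical, the file-selection rule is the one MIT krb5 documents for `includedir`, and the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

# MIT krb5 include directives; they must start at the beginning of a line.
DIRECTIVE = re.compile(r"^(include|includedir)\s+(\S.*?)\s*$")
# MIT includedir file-name rule: only alphanumerics, '-' and '_', or (since
# krb5 1.15) any name ending in ".conf" that does not begin with ".".
INCLUDABLE = re.compile(r"^(?:[A-Za-z0-9_-]+|[^.].*\.conf)$")


def find_includes(text):
    """Return (line_number, directive, path) for every include directive."""
    return [(n, m.group(1), m.group(2))
            for n, line in enumerate(text.splitlines(), 1)
            if (m := DIRECTIVE.match(line))]


def flatten(text, depth=0):
    """Inline included files so the result needs no include support."""
    if depth > 8:
        raise RecursionError("include nesting too deep (loop?)")
    out = []
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            out.append(line)
            continue
        path = Path(m.group(2))
        if m.group(1) == "include":
            files = [path] if path.is_file() else []
        else:  # sorted order is a choice made here for reproducible output
            files = sorted(p for p in (path.iterdir() if path.is_dir() else [])
                           if p.is_file() and INCLUDABLE.match(p.name))
        out.append("# inlined: " + line.strip())
        for f in files:
            out.extend(flatten(f.read_text(), depth + 1).splitlines())
    return "\n".join(out) + "\n"


def demo():
    """Constructed sample: an include directory plus a krb5.conf that uses it."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "localauth_plugin").write_text("[plugins]\n localauth = {\n }\n")
        Path(d, "old.rpmsave").write_text("[libdefaults]\n rdns = true\n")
        conf = f"includedir {d}\n\n[libdefaults]\n default_realm = OTHERNAME\n"
        return find_includes(conf), flatten(conf)
```

The flattened text can be saved to a separate file and selected for a single client with the KRB5_CONFIG environment variable, leaving the system krb5.conf untouched.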