Bug 11591 - smbclient can't connect to remote server using Kerberos.
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.1.12
Hardware: x86 Linux
Importance: P5 normal
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact

Reported: 2015-11-08 21:40 UTC by marcio
Modified: 2018-10-26 06:07 UTC

Description marcio 2015-11-08 21:40:45 UTC
-I have trouble when I try to connect to my Samba server 4.1 using an Ubuntu 14.04 client (using the same steps on a Fedora 22 client I can connect fine).

-klist and kinit work fine on both systems;
-Kerberos version 5 1.12;
-using "smbclient -K //server/share -d3" I get (snipped):

Doing kerberos session setup
krb5_init_context failed (invalid argument)
cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: invalid argument
SPNEGO login failed: Undetermined error
session setup failed: NT_STATUS_UNSUCCESSFUL

Here is my krb5.conf:
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
default_realm = OTHERNAME
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes

[realms]
OTHERNAME = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
.othername = OTHERNAME
othername = OTHERNAME

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

I can't identify whether I have missing or incorrect parameters in any .conf file. I would appreciate any help with this issue.
Thank you
Comment 1 amitkuma 2018-10-26 06:07:05 UTC
(In reply to marcio from comment #0)
Hey Marcio,
Is the problem fixed with the latest smbclient?
samba-4.7.1 does not incorporate the function cli_session_setup_kerberos_send().

samba-3.6.23
static struct tevent_req *cli_session_setup_kerberos_send(){
        /*
         * Ok, this is cheating: spnego_gen_krb5_negTokenInit can block if
         * we have to acquire a ticket. To be fixed later :-)
         */
        rc = spnego_gen_krb5_negTokenInit(state, principal, 0, &state->negTokenTarg,
                                     &state->session_key_krb5, 0, NULL);
        if (rc) {
                DEBUG(1, ("cli_session_setup_kerberos: "
                          "spnego_gen_krb5_negTokenInit failed: %s\n",
                          error_message(rc)));
                state->ads_status = ADS_ERROR_KRB5(rc);
                tevent_req_nterror(req, NT_STATUS_UNSUCCESSFUL);
                return tevent_req_post(req, ev);
        }
}

There have been changes in SPNEGO protocol handling with krb5-1.15.

My constraint is that I don't have an Ubuntu box; mea culpa, I cannot repro.