There is a KDC in the network, but neither the client nor the server has entered the domain.

Use the following smbclient command to connect to a NAS server:

    smbclient //vdi.crdc.com/netdisk -U tianjin.ssy.com/zhuxinang%<password>

Normally this will try the gse_krb5 authentication mechanism first, and upon failure it will use the ntlmssp authentication mechanism.

When trying the gse_krb5 authentication mechanism, since the client has access to the KDC, cli_session_creds_prepare_krb5() can succeed. Since there is no service principal registered for the NAS in the KDC, gss_init_sec_context() in gse_get_client_auth_token() will fail. The KDC returned a KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN error. But the gss_min returned by gss_init_sec_context() is not KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, but some other value. This causes gse_get_client_auth_token() to return NT_STATUS_LOGON_FAILURE instead of NT_STATUS_INVALID_PARAMETER. This in turn causes the entire authentication process to fail instead of trying the ntlmssp authentication mechanism.

In other tests, samba-2:4.9.5 can successfully identify the error KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN and connect successfully.

I'm confused why samba-2:4.17.12 doesn't detect the error KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN and causes the authentication flow to break.
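A simplified model of the fallback decision described in the report above, added here as an illustration; it is not Samba source and not part of the original report. The names `status_t`, `map_gss_minor()` and `negotiate()` are hypothetical, and only the two status outcomes the report names are modelled.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not Samba source. Status names follow the report. */
typedef enum { ST_OK, ST_INVALID_PARAMETER, ST_LOGON_FAILURE } status_t;

/* MIT krb5 value of KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (krb5 error table base + 7). */
#define MODEL_S_PRINCIPAL_UNKNOWN (-1765328377L)

/* Map the minor status of a failed gss_init_sec_context() call. */
static status_t map_gss_minor(long gss_min)
{
    if (gss_min == MODEL_S_PRINCIPAL_UNKNOWN)
        return ST_INVALID_PARAMETER;  /* mechanism unusable for this target */
    return ST_LOGON_FAILURE;          /* anything else: hard auth failure */
}

typedef struct { const char *name; status_t result; } mech_t;

/* Try gse_krb5, then ntlmssp. Fall back only on ST_INVALID_PARAMETER.
 * *last_mech is set to the mechanism that produced the final status. */
static status_t negotiate(long krb5_minor, int ntlm_ok, const char **last_mech)
{
    mech_t mechs[2] = {
        { "gse_krb5", map_gss_minor(krb5_minor) },
        { "ntlmssp",  ntlm_ok ? ST_OK : ST_LOGON_FAILURE },
    };
    status_t st = ST_LOGON_FAILURE;
    for (int i = 0; i < 2; i++) {
        *last_mech = mechs[i].name;
        st = mechs[i].result;
        if (st != ST_INVALID_PARAMETER)
            break;  /* success or hard failure: stop, no fallback */
    }
    return st;
}

int main(void)
{
    const char *m = NULL;
    /* Minor code matches: krb5 is skipped and ntlmssp gets its turn. */
    status_t st = negotiate(MODEL_S_PRINCIPAL_UNKNOWN, 1, &m);
    printf("expected minor: status=%d via %s\n", st, m);
    /* Constructed sample value standing in for "some other" gss_min. */
    st = negotiate(12345L, 1, &m);
    printf("other minor:    status=%d via %s\n", st, m);
    return 0;
}
```

In the second call the valid NTLM credentials are never used, because the unrecognised minor code ends negotiation at gse_krb5.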
Created attachment 18352: samba-4.17.12 log (gvfs mount smb fail)
Created attachment 18353: samba-4.17.12 tcpdump
Created attachment 18354: samba-4.9.5 log (gvfs mount smb ok)
Created attachment 18355: samba-4.9.5 tcpdump