Web lists-archives.com

Re: [Samba] Samba authentication using non-AD Kerberos?




On 2017-04-16, 19:06, S P Arif Sahari Wibowo via samba wrote:
I was looking into samba wiki pages and cannot find documentation for this. Generally most the documentation pages either discussing samba as AD member or standalone.

So still looking at this.

So this is the state currently: kerberos setup (krb5.conf and keytab) is working in the server, I can do kinit properly. But setting of Samba still not working. Here is what I have in /etc/smb.conf:

[global]
        workgroup = MYREALM
        server string = UATest Samba Server Version %v
        netbios name = myserver
        log file = /var/log/samba/log.%m
        max log size = 50
        security = ads
        realm = MYREALM.CA
        password server = mykerberos.myrealm.ca
        kerberos method = system keytab
        log level = 3 passdb:5 auth:10

        load printers = no
        cups options = raw
        printing = bsd
[tmp]
        comment = Temporary Stuff
        path = /tmp
        public = yes
        writable = yes
        printable = no


When I try to connect locally:

# kinit mykerbuser
Password for mykerbuser@xxxxxxxxxx:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mykerbuser@xxxxxxxxxx

Valid starting     Expires            Service principal
20/04/17 07:24:13  21/04/17 08:24:10  krbtgt/MYREALM.CA@xxxxxxxxxx
# smbclient -k -U mykerbuser -L localhost
session setup failed: NT_STATUS_IO_TIMEOUT


If I do tcpdump on the Kerberos server, I see this output repeated:

07:18:55.708609 mykerberos.myrealm.ca > 172.1.1.111: icmp: mykerberos.myrealm.ca udp port netbios-ns unreachable
07:18:56.709751 172.1.1.111.34265 > mykerberos.myrealm.ca.netbios-ns: udp 50 (DF)

--
   ____  ____  ____  ____ (stephan paul) Arif Sahari Wibowo
  /___  /___/ /___/ /___      http://www.arifsaha.com/
 ____/ /     /   / ____/

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba