[Samba] GSSAPIAuthentication needs krb5.keytab on one config, not on another one

Hi, I'm using Samba 4.8.0 on one server, configured as an AD DC, and with
passwordless PuTTY from joined Windows machines. Everything works fine, and
it took me a lot of searches and test/try to make it that way.

Now, I'm trying to repeat the configuration on another server (both are
identical VMs) and I nearly achieve the same goal, except for this: on the
second setup, I have to manually generate /etc/krb5.keytab for the
GSSApiAuthentication to work. This is annoying, because I have to do this
for every user I add.
Alas, I don't remember all the tweaks I made on my first setup, and can't
figure out where the difference is... The only thing I notice is samba
version 4.8.0 on the first machine, 4.8.1 on the second one, but I don't
think it comes from there...
I test with these kinds of commands:

- kinit someuser@SAMDOM.INTRA (klist OK after this)
- `which sshd` -o "GSSApiAuthentication yes" -d -D -p 2222 (on 1st terminal)
- ssh -o "GSSApiAuthentication yes" -vvv someuser@samdom.intra -p 2222 (on 2nd terminal)

Without /etc/krb5.keytab, I have a gss failure serverside, complaining about
"Key table entry not found". With the keytab, everything is ok.
The exact same test on the first setup succeeds.
I've compared all the files I could think of (/etc/krb5.conf,
/usr/local/samba/etc/smb.conf, /etc/nsswitch.conf).

Does anyone have an idea?

Thanks!