
[Samba] Samba Authentication With Kerberos


Fabian von Romberg

Jan 27, 2013, 12:20:03 PM
Hi All,

I'm trying to set up a server with Samba4 with Kerberos. When I want to list all shares with smbclient with samba authentication, everything works fine. But when I try to authenticate using Kerberos, I get an error.

The command I execute is:

smbclient -L localhost -k

The error message from Samba is:

using SPNEGO
Selected protocol [8][NT LANMAN 1.0]
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
SPNEGO login failed: NT_STATUS_LOGON_FAILURE


Any help will be appreciated.

Thanks and regards,

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

David Salib, Mr

Jan 28, 2013, 9:40:01 AM
Thank you, this is a Samba4 host as an AD DC.

-----Original Message-----
From: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] On Behalf Of Andrew Bartlett
Sent: January-28-13 9:32 AM
To: Fabian von Romberg
Cc: sa...@lists.samba.org
Subject: Re: [Samba] Samba Authentication With Kerberos

On Sun, 2013-01-27 at 11:48 -0500, Fabian von Romberg wrote:
> Hi All,
>
> I'm trying to set up a server with Samba4 with Kerberos. When I want to list all shares with smbclient with samba authentication, everything works fine. But when I try to authenticate using Kerberos, I get an error.

To be clear, is this Samba 4.0 as an AD DC, or as a member server in another AD domain?

> The command I execute is:
>
> smbclient -L localhost -k
>
> The error message from Samba is:
>
> using SPNEGO
> Selected protocol [8][NT LANMAN 1.0]
> GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see
> text): Decrypt integrity check failed for checksum type
> hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> SPNEGO login failed: NT_STATUS_LOGON_FAILURE

smbclient should never do kerberos to "localhost" because we can never know which "localhost" that is. If you have somehow registered a 'localhost' as a servicePrincipalName, then this is likely the cause of the issue. (This error indicates that the key you got from the KDC is not the key that the server has in its secrets database/keytab.)

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Andrew Bartlett

Jan 28, 2013, 9:40:01 AM
On Sun, 2013-01-27 at 11:48 -0500, Fabian von Romberg wrote:
> Hi All,
>
> I'm trying to set up a server with Samba4 with Kerberos. When I want to list all shares with smbclient with samba authentication, everything works fine. But when I try to authenticate using Kerberos, I get an error.

To be clear, is this Samba 4.0 as an AD DC, or as a member server in
another AD domain?

> The command I execute is:
>
> smbclient -L localhost -k
>
> The error message from Samba is:
>
> using SPNEGO
> Selected protocol [8][NT LANMAN 1.0]
> GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> SPNEGO login failed: NT_STATUS_LOGON_FAILURE

smbclient should never do kerberos to "localhost" because we can never
know which "localhost" that is. If you have somehow registered a
'localhost' as a servicePrincipalName, then this is likely the cause of
the issue. (This error indicates that the key you got from the KDC is
not the key that the server has in its secrets database/keytab.)

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
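
Added example, not part of the thread and not Samba code: a pre-flight check that refuses targets which cannot identify one specific server before `smbclient -L <target> -k` is run, and otherwise prints the `cifs/` service principal the ticket would be requested for. It goes beyond the `localhost` case in the reply by also refusing IP literals; the function name `smb_krb_spn`, the host `dc1.samdom.example.com` and the realm `SAMDOM.EXAMPLE.COM` are constructed for illustration.

```shell
#!/bin/sh
# Added example: is this target name usable for Kerberos at all?
# Function name, host names and realm are constructed, not from the thread.

# Print the cifs/ principal a client would request for host $1 in realm $2.
# Return 1 when the name cannot identify one specific server.
smb_krb_spn() {
    # Lower-case the host for matching; realms are upper case by convention.
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    host=${host%.}                      # drop a trailing root dot

    case "$host" in
        ''|localhost|localhost.*|*.localhost)
            # Every machine answers to this name, so the KDC cannot map it
            # to the one account whose key the server actually holds.
            echo "refuse: '$1' names whichever machine the client runs on" >&2
            return 1 ;;
        *:*)
            echo "refuse: '$1' is an IPv6 literal, not a host name" >&2
            return 1 ;;
        *[!0-9.]*)
            ;;                          # has a non-digit, non-dot: a name
        *)
            echo "refuse: '$1' is an IPv4 literal, not a host name" >&2
            return 1 ;;
    esac

    printf 'cifs/%s@%s\n' "$host" "$realm"
}

# Stand-alone demonstration over constructed targets.
for target in localhost 127.0.0.1 ::1 dc1.samdom.example.com; do
    if spn=$(smb_krb_spn "$target" SAMDOM.EXAMPLE.COM 2>/dev/null); then
        echo "$target: request ticket for $spn"
    else
        echo "$target: do not use -k with this name"
    fi
done
```
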


David Salib, Mr

Jan 28, 2013, 9:50:02 AM
Disregard that, sorry.

-----Original Message-----
From: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] On Behalf Of David Salib, Mr
Sent: January-28-13 9:38 AM
To: Andrew Bartlett; Fabian von Romberg
Cc: sa...@lists.samba.org
Subject: Re: [Samba] Samba Authentication With Kerberos

Thank you, this is a Samba4 host as an AD DC.

-----Original Message-----
From: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] On Behalf Of Andrew Bartlett
Sent: January-28-13 9:32 AM
To: Fabian von Romberg
Cc: sa...@lists.samba.org
Subject: Re: [Samba] Samba Authentication With Kerberos

Fabian von Romberg

Jan 28, 2013, 12:30:02 PM
Hi Andrew,

it is Samba 4 and the server role is active directory domain controller.

Thanks and regards,
Fabian

On 28/01/2013 9:32, Andrew Bartlett wrote:
> On Sun, 2013-01-27 at 11:48 -0500, Fabian von Romberg wrote:
>> Hi All,
>>
>> I'm trying to set up a server with Samba4 with Kerberos. When I want to list all shares with smbclient with samba authentication, everything works fine. But when I try to authenticate using Kerberos, I get an error.
>
> To be clear, is this Samba 4.0 as an AD DC, or as a member server in
> another AD domain?
>
>> The command I execute is:
>>
>> smbclient -L localhost -k
>>
>> The error message from Samba is:
>>
>> using SPNEGO
>> Selected protocol [8][NT LANMAN 1.0]
>> GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
>> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>> SPNEGO login failed: NT_STATUS_LOGON_FAILURE
>
> smbclient should never do kerberos to "localhost" because we can never
> know which "localhost" that is. If you have somehow registered a
> 'localhost' as a servicePrincipalName, then this is likely the cause of
> the issue. (This error indicates that the key you got from the KDC is
> not the key that the server has in its secrets database/keytab.)
>
> Andrew Bartlett
>


--

Fabian von Romberg

Jan 31, 2013, 12:50:02 AM
Hi Andrew,

it is Samba 4 and the server role is active directory domain controller.

Thanks and regards,
Fabian

On 28/01/2013 9:32, Andrew Bartlett wrote:
> On Sun, 2013-01-27 at 11:48 -0500, Fabian von Romberg wrote:
>> Hi All,
>>
>> I'm trying to set up a server with Samba4 with Kerberos. When I want to list all shares with smbclient with samba authentication, everything works fine. But when I try to authenticate using Kerberos, I get an error.
>
> To be clear, is this Samba 4.0 as an AD DC, or as a member server in
> another AD domain?
>
>> The command I execute is:
>>
>> smbclient -L localhost -k
>>
>> The error message from Samba is:
>>
>> using SPNEGO
>> Selected protocol [8][NT LANMAN 1.0]
>> GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
>> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>> SPNEGO login failed: NT_STATUS_LOGON_FAILURE
>
> smbclient should never do kerberos to "localhost" because we can never
> know which "localhost" that is. If you have somehow registered a
> 'localhost' as a servicePrincipalName, then this is likely the cause of
> the issue. (This error indicates that the key you got from the KDC is
> not the key that the server has in its secrets database/keytab.)
>
> Andrew Bartlett
>
