List: kerberos
Subject: Re: keytabs basics linux <=> AD ?
From: Brandon Allbery <ballbery () sinenomine ! net>
Date: 2016-06-10 21:06:43
Message-ID: 2CD29825-0BD8-478A-9373-FF4962309585 () sinenomine ! net
Kerberos picks a realm based on the hostname. When you use the
swir.private.ceb.private.dom hostname, it infers the realm PRIVATE.CEB.PRIVATE.DOM
from your [domain_realm] mapping; but Samba is not using that realm for
authentication and AD doesn't know about that realm.

In general, trying to mix realms like this --- especially when the machine is both a
KDC for one realm and, for SMB, a member of a different realm --- is a recipe for
trouble. Your best bet would probably be a wrapper for the SMB client utilities that
points them to a Samba-specific krb5.conf (via the KRB5_CONFIG environment variable) that
knows to use the AD realm information instead.

On 6/7/16, 09:01, "kerberos-bounces@mit.edu on behalf of lejeczek"
<kerberos-bounces@mit.edu on behalf of peljasz@yahoo.co.uk> wrote:

$ smbclient -L swir -U me@CEB.PRIVATE.DOM -k
all works, client sees local samba's shares, when I do:
$ smbclient -L swir.private.ceb.private.dom -U pe243@CEB.PRIVATE.DOM -k
gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server cifs/swir.private.ceb.private.dom@PRIVATE.CEB.PRIVATE.DOM not found in Kerberos database]
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
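
The wrapper suggested in the reply above, sketched as an added example (not code from the thread). It assumes a hypothetical Samba-only config at /etc/samba/krb5-ad.conf and refuses to run a command if that file's default_realm or any [domain_realm] entry names a realm other than the AD realm CEB.PRIVATE.DOM.

```shell
#!/bin/sh
# Added example: run SMB client tools with a Samba-specific krb5.conf.
# The config path is an assumed, hypothetical location; the realm is from the thread.
SMB_KRB5_CONFIG="${SMB_KRB5_CONFIG:-/etc/samba/krb5-ad.conf}"
AD_REALM="${AD_REALM:-CEB.PRIVATE.DOM}"

# Print the default_realm value found in krb5.conf-style file $1.
krb5_default_realm() {
    awk -F= '$1 ~ /^[ \t]*default_realm[ \t]*$/ {
                 gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}

# Print every realm that a [domain_realm] entry in file $1 maps to.
krb5_mapped_realms() {
    awk -F= '/^[ \t]*\[/ { in_dr = ($0 ~ /\[domain_realm\]/); next }
             in_dr && NF == 2 && $1 !~ /^[ \t]*[#;]/ {
                 gsub(/[ \t]/, "", $2); print $2 }' "$1"
}

# Run "$@" with KRB5_CONFIG pointing at the Samba-specific file.
# Returns 2 if the file is unreadable, 3 if it would still select
# a realm other than the AD realm for default or hostname-based lookups.
with_ad_krb5() {
    if [ ! -r "$SMB_KRB5_CONFIG" ]; then
        echo "with_ad_krb5: cannot read $SMB_KRB5_CONFIG" >&2
        return 2
    fi
    if [ "$(krb5_default_realm "$SMB_KRB5_CONFIG")" != "$AD_REALM" ]; then
        echo "with_ad_krb5: default_realm is not $AD_REALM" >&2
        return 3
    fi
    for realm in $(krb5_mapped_realms "$SMB_KRB5_CONFIG"); do
        if [ "$realm" != "$AD_REALM" ]; then
            echo "with_ad_krb5: [domain_realm] maps a host to $realm" >&2
            return 3
        fi
    done
    # env scopes the variable to the child process only, so other
    # Kerberos clients on the machine keep using the system krb5.conf.
    env KRB5_CONFIG="$SMB_KRB5_CONFIG" "$@"
}

# Usage: with_ad_krb5 smbclient -L swir.private.ceb.private.dom -k
```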