Samba4 and Kerberos

lucas1

Active Member

Reaction score: 2
Messages: 110

Good day.

Tell me why, when trying to connect to a Windows share on the network through GUI applications, for example Krusader or Files,
a password is still required?

Testing Kerberos through kinit and klist: all good.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 12,331
Messages: 38,847

No, I think it's fine here. It sounds like an issue with those applications (Krusader). I'm actually not sure if KDE itself (Krusader is built as a KDE application) understands Kerberos authentication. If kinit(1) and all work then it's not a Kerberos issue or an issue with the network service.

There aren't a lot of users that have that combination, so it may not get a quick answer.
 

lucas1


I decided to check it like this.

I logged in under my domain account in the console to check the list of Windows shares on the network.

smbclient -L //servername/
Enter DOMAIN\USER's password:
session setup failed: NT_STATUS_ACCESS_DENIED

The listing of active shares is displayed only after entering the password.

But there shouldn't be a request to enter a password.
 

SirDice


You'll need to add -k to enable Kerberos authentication.

Code:
       -k|--kerberos
           Try to authenticate with kerberos. Only useful in an Active
           Directory environment.
 

lucas1


smbclient -k -L //servername/
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
 

SirDice


Use the FQDN of the host.
 

SirDice


Does klist show you have a valid TGT?
 

lucas1


klist
klist: No ticket file: /tmp/krb5cc_29194

And if you check first through kinit with password input, klist shows the issued TGT.
 

SirDice


And if you check first through kinit with password input, klist shows the issued TGT.
You need that TGT in order for smbclient -k to work.
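
The two preconditions the thread arrives at (a valid TGT from kinit, and the server's FQDN when calling smbclient -k), as an added shell example that is not part of the original posts. The function names and the host fs01.example.test are assumptions; `klist -s` tests the credential cache silently through its exit status.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the sample host
# fs01.example.test are assumptions made for illustration.

# Return 0 if $1 looks like a fully qualified host name: it contains a dot
# and is not an IPv4 literal or a short NetBIOS-style name.
is_fqdn() {
    case "$1" in
        ""|.*|*..*) return 1 ;;               # empty, leading dot, empty label
        *[!A-Za-z0-9.-]*) return 1 ;;         # character not valid in a host name
        *[!0-9.]*.*|*.*[!0-9.]*) return 0 ;;  # a dot plus at least one non-digit
        *) return 1 ;;                        # short name or IPv4 literal
    esac
}

# Check the two preconditions named in the thread before using Kerberos.
# Returns 0 when ready, 2 when there is no valid TGT, 3 when the server
# name is not an FQDN.
krb_smb_preflight() {
    if ! klist -s; then     # -s: no output, exit status reports a valid TGT
        echo "no valid TGT in the credential cache: run kinit first" >&2
        return 2
    fi
    if ! is_fqdn "$1"; then
        echo "'$1' is not an FQDN: use the full host name of the server" >&2
        return 3
    fi
    return 0
}

# List shares with Kerberos, but only after both checks pass.
list_shares() {
    krb_smb_preflight "$1" || return $?
    smbclient -k -L "//$1/"
}

# Usage: sh krb-shares.sh fs01.example.test
if [ $# -gt 0 ]; then
    list_shares "$@"
fi
```

Newer Samba releases deprecate `-k` in favour of `--use-kerberos=required`; the flag here matches the one used in the thread.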
 

lucas1


Good day.

Yes, if you first execute the kinit command and get a Kerberos ticket, then, for example,
Krusader stops asking for a username and password when connecting to a Windows share,
and you can get the list of contacts in the Evolution address book from Active Directory.

But how do I get a Kerberos ticket during the login process in the LightDM window?

Or complete the registration not in the local tdbsam database on the FreeBSD computer but in the Active Directory database?
 

SirDice


But how do I get a Kerberos ticket during the login process in the LightDM window?
PAM. You will need to enable logging in with the AD account. Once that's done you're granted a TGT automatically when you log in on the machine.
 

lucas1


It's just not entirely clear how to set up PAM with AD.
Could you at least outline the sequence of actions for PAM with AD?
Or give a link that shows how it can be configured.
 

SirDice


I don't like spoon feeding, you won't learn anything from that. Case in point:

 

lucas1


In general, everything has cleared up a bit.
I get Kerberos tickets through pam_winbind for LightDM and GUI applications.
 