Samba4 and Kerberos

Good day.

Tell me why, when trying to connect to a Windows share on the network through GUI applications (for example, Krusader, Files),
a password is still required?

Tested Kerberos through kinit and klist: all good.
 
No, I think it's fine here. It sounds like an issue with those applications (Krusader). I'm actually not sure if KDE itself (Krusader is built as a KDE application) understands Kerberos authentication. If kinit(1) and all work, then it's not a Kerberos issue or an issue with the network service.

There aren't a lot of users that have that combination, so it may not get a quick answer.
 
I decided to check it like this.

I logged in to the console under my domain account to check the list of Windows shares on the network.

smbclient -L //servername/
Enter DOMAIN\USER's password:
session setup failed: NT_STATUS_ACCESS_DENIED

The listing of active shares is displayed only after entering the password.

But there shouldn't be a request to enter a password.
 
You'll need to add -k to enable Kerberos authentication.

Code:
       -k|--kerberos
           Try to authenticate with kerberos. Only useful in an Active
           Directory environment.
 
smbclient -k -L //servername/
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
 
klist
klist: No ticket file: /tmp/krb5cc_29194

And if you first check through kinit with password input, klist shows the issued TGT.
 
Good day.

Yes, if you first execute the kinit command and get a Kerberos ticket, then, for example,
Krusader stops asking for a username and password when connecting to a Windows share,
and you can get the list of contacts in the Evolution address book from Active Directory.

But how do I get a Kerberos ticket during the login process in the LightDM window?

Or complete registration not against the local tdbsam database on the computer with FreeBSD, but against the Active Directory database?
 
But how do I get a Kerberos ticket during the login process in the LightDM window?
PAM. You will need to enable logging in with the AD account. Once that's done you're granted a TGT automatically when you login on the machine.
 
It is just not entirely clear how to set up PAM AD.
Could you at least outline the sequence of actions for PAM AD?
Or give a link that shows how it can be configured.
 
I don't like spoon feeding, you won't learn anything from that. Case in point:

 
In general, everything has cleared up a bit.
I get Kerberos tickets through pam_winbind for LightDM and GUI applications.
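
A check for the setup the last post describes, as an added example that is not code from the thread: it scans PAM service lines for an auth entry that loads pam_winbind.so with krb5_auth, the pam_winbind option that requests a TGT at login. The function names, the sample lines and the module path in them are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check PAM service lines for an auth
# entry that loads pam_winbind.so with krb5_auth. Reads the files given as
# arguments, or stdin. krb5_auth set in pam_winbind.conf is not detected.
check_pam_winbind_krb5() {
    awk '
        $1 ~ /^#/ || NF < 3 { next }              # skip comments and short lines
        $1 == "auth" && $0 ~ /pam_winbind\.so/ {
            seen = 1
            for (i = 3; i <= NF; i++) {           # options follow the module path
                if ($i == "krb5_auth") krb = 1
                if ($i ~ /^krb5_ccache_type=/) cc = substr($i, 18)
            }
        }
        END {
            if (!seen) { print "no auth line loads pam_winbind.so"; exit 1 }
            if (!krb)  { print "pam_winbind.so loaded without krb5_auth on the PAM line"; exit 1 }
            print "krb5_auth enabled, ccache type: " (cc == "" ? "(not set)" : cc)
        }
    ' "$@"
}

# Constructed sample: service file with Kerberos login enabled.
# The module path and the "system" include are assumptions.
sample_with_krb5() {
    cat <<'EOF'
# constructed sample for a display-manager PAM service
auth     sufficient  /usr/local/lib/pam_winbind.so  krb5_auth krb5_ccache_type=FILE
auth     include     system
account  sufficient  /usr/local/lib/pam_winbind.so
account  include     system
session  required    /usr/local/lib/pam_winbind.so
session  include     system
EOF
}

# Constructed sample: pam_winbind present, but password-only authentication.
sample_without_krb5() {
    cat <<'EOF'
auth     sufficient  /usr/local/lib/pam_winbind.so
auth     include     system
EOF
}

sample_with_krb5    | check_pam_winbind_krb5 || true
sample_without_krb5 | check_pam_winbind_krb5 || true
```

With krb5_ccache_type=FILE the ticket is stored in a file cache of the same kind as the /tmp/krb5cc_29194 path that klist reports earlier in the thread.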
 