
Samba+Kerberos inside LXC container...



Hi,

I'm running an LXC container on a Debian 12 host. The container, named "samba", aims to share a directory in an Active Directory environment (functional level 2016).

The container is joined to the domain using the realm command. Inside the container I can log in with any domain user without any problem.

I can also access the share with a command like:

$ smbclient //dl560/dati -U someuser -W BNCRM

and issuing the right credentials when prompted.

What I absolutely cannot get working is accessing the same share with Kerberos:

$ smbclient -k //dl560/dati

The above command is run as an authenticated user, who can perfectly well access another share on a virtual Debian 10 server. If I issue the above command with the -d10 option I get the long output below.

I've mapped port 445 this way:

$ lxc config device add samba port445 proxy listen=tcp:0.0.0.0:445 connect=tcp:10.65.65.147:445

Any suggestion would be very appreciated. I can try to provide any missing information.

giuli

Best regards.

---------------------
$ smbclient -k //dl560/dati
WARNING: The option -k|--kerberos is deprecated!
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
auth_audit: 10
auth_json_audit: 10
kerberos: 10
drs_repl: 10
smb2: 10
smb2_credits: 10
dsdb_audit: 10
dsdb_json_audit: 10
dsdb_password_audit: 10
dsdb_password_json_audit: 10
dsdb_transaction_audit: 10
dsdb_transaction_json_audit: 10
dsdb_group_audit: 10
dsdb_group_json_audit: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
auth_audit: 10
auth_json_audit: 10
kerberos: 10
drs_repl: 10
smb2: 10
smb2_credits: 10
dsdb_audit: 10
dsdb_json_audit: 10
dsdb_password_audit: 10
dsdb_password_json_audit: 10
dsdb_transaction_audit: 10
dsdb_transaction_json_audit: 10
dsdb_group_audit: 10
dsdb_group_json_audit: 10
Processing section "[global]"
doing parameter workgroup = WORKGROUP
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter logging = file
doing parameter panic action = "" %d
doing parameter server role = standalone server
doing parameter obey pam restrictions = yes
doing parameter unix password sync = yes
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
doing parameter pam password change = yes
doing parameter map to guest = bad user
doing parameter usershare allow guests = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface lxcbr0 ip=10.0.3.1 bcast=10.0.3.255 netmask=255.255.255.0
added interface lxdbr0 ip=10.190.52.1 bcast=10.190.52.255 netmask=255.255.255.0
added interface eno1 ip=192.168.0.77 bcast=192.168.1.255 netmask=255.255.254.0
Client started (version 4.17.10-Debian).
Opening cache file at /run/samba/gencache.tdb
tdb(/run/samba/gencache.tdb): tdb_open_ex: could not open file /run/samba/gencache.tdb: Permission denied
gencache_init: Opening user cache file /home/someuser/.cache/samba/gencache.tdb.
sitename_fetch: No stored sitename for realm ''
internal_resolve_name: looking up dl560#20 (sitename (null))
namecache_fetch: name dl560#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to 192.168.0.5 at port 445
socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=87040, SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0
session request ok
negotiated dialect[SMB3_11] against server[dl560]
cli_session_setup_spnego_send: Connect to dl560 as someuser@BNCRM.ROMA using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gensec_update_send: gse_krb5[0x56310b62e5d0]: subreq: 0x56310b629720
gensec_update_send: spnego[0x56310b628330]: subreq: 0x56310b62d830
gensec_update_done: gse_krb5[0x56310b62e5d0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x56310b629720/../../source3/librpc/crypto/gse.c:895]: state[2] error[0 (0x0)] state[struct gensec_gse_update_state (0x56310b6298e0)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:906]
gensec_update_done: spnego[0x56310b628330]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x56310b62d830/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x56310b62d9f0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
SPNEGO login failed: The attempted logon is invalid. This is either due to a bad username or authentication information.
session setup failed: NT_STATUS_LOGON_FAILURE
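When password authentication to a share works but `smbclient -k` ends in NT_STATUS_LOGON_FAILURE, one check worth doing on both sides is whether the service principal the client requests for the UNC path (cifs/<name used in the path>) is something the server's keytab can actually decrypt. The script below is an added example and not code from the original post: it parses the text output of `klist` and `klist -k`; the realm BNCRM.ROMA comes from the debug log, while the container hostname "samba" and both klist listings are constructed assumptions.

```python
"""Kerberos prerequisite check for `smbclient -k //host/share` (added example, not
from the original post). It parses text from `klist` (client cache) and `klist -k`
(server keytab) and reports whether the SPN the client requests for the UNC path
is held on both sides. Samples are constructed; only realm BNCRM.ROMA is from the log."""
import re

PRINC_RE = re.compile(r"(\S+@[A-Z0-9.\-]+)\s*$")   # 'service/host@REALM' at end of line

def expected_spns(unc, realm, dns_domain=""):
    host = unc.strip("/").split("/")[0].lower()    # '//dl560/dati' -> 'dl560'
    names = {host}
    if dns_domain and "." not in host:             # short name: also the FQDN form
        names.add(f"{host}.{dns_domain.lower()}")
    return {f"cifs/{n}@{realm}" for n in names}

def parse_klist(text):
    """Principals printed by `klist` or `klist -k`; header lines carry no '@'."""
    princs = []
    for line in text.splitlines():
        if line.startswith("Default principal"):   # the user, not a service
            continue
        m = PRINC_RE.search(line.strip())
        if m:
            princs.append(m.group(1))
    return princs

def check(unc, realm, cache_text, keytab_text, dns_domain=""):
    cache = parse_klist(cache_text)                # what the client holds
    keytab = set(parse_klist(keytab_text))         # what the server can decrypt
    wanted = expected_spns(unc, realm, dns_domain)
    return {
        "has_tgt": f"krbtgt/{realm}@{realm}" in cache,
        "client_cifs_tickets": sorted(p for p in cache if p.startswith("cifs/")),
        "spn_in_keytab": sorted(wanted & keytab),
        "spn_missing_from_keytab": sorted(wanted - keytab),
    }

# Constructed samples; container hostname 'samba' is an assumption.
CLIENT_KLIST = """Default principal: someuser@BNCRM.ROMA
Valid starting       Expires              Service principal
01/15/2024 09:00:00  01/15/2024 19:00:00  krbtgt/BNCRM.ROMA@BNCRM.ROMA
01/15/2024 09:01:00  01/15/2024 19:00:00  cifs/dl560@BNCRM.ROMA
"""
SERVER_KEYTAB = """KVNO Principal
   3 SAMBA$@BNCRM.ROMA
   3 host/samba.bncrm.roma@BNCRM.ROMA
   3 cifs/samba.bncrm.roma@BNCRM.ROMA
"""
if __name__ == "__main__":
    for k, v in check("//dl560/dati", "BNCRM.ROMA", CLIENT_KLIST, SERVER_KEYTAB, "bncrm.roma").items():
        print(f"{k}: {v}")
```

Feed it the real `klist` output from the client and `klist -k` output from inside the container; an empty `spn_in_keytab` means the ticket the client presents is for a name the server has no key for.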