https://bugs.kde.org/show_bug.cgi?id=494981
--- Comment #13 from Rowland Penny <rpe...@samba.org> ---

I know what is going on here and it isn't a bug.

From Samba 4.21.0 security was increased, requiring that the kerberos ticket is owned by the Principal, this probably means that the computer must be domain joined and a domain user logged in.

What is happening now:

In the following scenario, the Samba server (what dolphin is connecting to) is called 'workstation' and is joined to an AD domain which has the workgroup name 'SAMDOM'. There is a domain user called 'fred' who has a shared home directory on 'workstation'.

The client is a non domain joined computer with the default workgroup of 'WORKGROUP'. The local user is called 'george' (it could also be called 'fred', but it will never be the same user as the domain user 'fred').

If you install krb5-user on the client and configure /etc/krb5.conf correctly, you can run 'kinit fred' and get a kerberos ticket in /tmp. The problem is that while the Principal in the ticket will be the domain 'SAMDOM' user 'fred', the ticket will belong to the local user 'george', who is in the workgroup 'WORKGROUP'.

If you set up debugging correctly, amid the output you will find these two lines:

    cli_session_setup_spnego_send: Connect to workstation as george@WORKGROUP using SPNEGO
    gensec_gse_client_start: Not using kerberos to cifs/workstation as WORKGROUP\george: NT_STATUS_INVALID_PARAMETER

It is trying to use what appears to be a valid kerberos ticket, but is announcing itself as 'george' from 'WORKGROUP'. Samba will now not allow this; for one thing, there will never be a 'cifs/workstation' SPN. Because kerberos fails, it drops to NTLM and you get prompted for a username & password.

If you correctly domain join the computer and log in as 'SAMDOM\fred', it will work again. If you examine the kerberos ticket:

    Ticket cache: FILE:/tmp/krb5cc_11104
    Default principal: f...@samdom.example.com

    Valid starting       Expires              Service principal
    11/03/25 14:48:37    12/03/25 00:48:37    krbtgt/samdom.example....@samdom.example.com
            renew until 12/03/25 14:48:37
    11/03/25 14:48:37    12/03/25 00:48:37    WORKSTATION$@SAMDOM.EXAMPLE.COM
            renew until 12/03/25 14:48:37

You can see that the Principal is 'fred', the ticket name ends with the Unix ID for 'fred' and if you run 'ls -l /tmp/krb5cc_11104', you will find that the owner is 'fred' and only 'fred' can read and write to the ticket.

Hope this helps
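The mismatch described in this comment (principal 'fred' in a cache owned by local user 'george') can be checked on the client before blaming the Samba server. The script below is an added example, not part of the bug report or of Samba; it assumes klist(1)-style listing text and a find(1) that supports -maxdepth, and the sample listing it contains is constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the bug report or Samba): does a Kerberos
# credential cache belong to the local user that the SMB client will
# announce itself as? Assumes klist(1)-style text and find(1) -maxdepth.

# Cache path from the "Ticket cache: FILE:/path" line.
ccache_path() {
    printf '%s\n' "$1" | sed -n 's/^Ticket cache:[[:space:]]*FILE:\(.*\)$/\1/p'
}

# User part of "Default principal: user@REALM".
principal_user() {
    printf '%s\n' "$1" | sed -n 's/^Default principal:[[:space:]]*\([^@]*\)@.*/\1/p'
}

# Realm part of "Default principal: user@REALM".
principal_realm() {
    printf '%s\n' "$1" | sed -n 's/^Default principal:[[:space:]]*[^@]*@\(.*\)$/\1/p'
}

# 0 when the principal's user part equals the local login name ($2).
principal_matches_user() {
    [ "$(principal_user "$1")" = "$2" ]
}

# 0 when the cache file ($1) is owned by user $2 and is mode 0600,
# i.e. only that user can read and write it.
ccache_owned_by() {
    [ -n "$(find "$1" -maxdepth 0 -user "$2" -perm 0600 2>/dev/null)" ]
}

# Run both checks for klist output $1 and local user $2; 0 only if all pass.
diagnose() {
    rc=0
    principal_matches_user "$1" "$2" || {
        echo "principal '$(principal_user "$1")' is not local user '$2'"; rc=1; }
    ccache_owned_by "$(ccache_path "$1")" "$2" || {
        echo "cache '$(ccache_path "$1")' is not owned 0600 by '$2'"; rc=1; }
    return $rc
}

# Constructed sample in the shape of the listing quoted in the comment.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_11104
Default principal: fred@SAMDOM.EXAMPLE.COM
Valid starting       Expires              Service principal
11/03/25 14:48:37  12/03/25 00:48:37  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM'

# Real use: diagnose "$(klist)" "$(id -un)"; here the constructed sample is checked.
diagnose "$SAMPLE_KLIST" "$(id -un)" || echo "Kerberos will not be used; expect NTLM fallback"
```

A passing name check is necessary but not sufficient: as the comment notes, a local user who merely happens to be called 'fred' on a non-joined machine is still not the domain user 'fred', so also compare principal_realm against the realm the client is actually joined to.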