Kerberos picks a realm based on the hostname. When you use the swir.private.ceb.private.dom hostname, it infers the realm PRIVATE.CEB.PRIVATE.DOM from your [domain_realm] mapping; but Samba is not using that realm for authentication and AD doesn’t know about that realm.
In general, trying to mix realms like this --- especially when the machine is both a KDC for one realm and, for SMB, a member of a different realm --- is a recipe for trouble. Your best bet would probably be a wrapper for the SMB client utilities that points them to a Samba-specific krb5.conf (via the KRB5_CONFIG environment variable) that knows to use the AD realm information instead.

On 6/7/16, 09:01, "[email protected] on behalf of lejeczek" <[email protected] on behalf of [email protected]> wrote:

$ smbclient -L swir -U [email protected] -k

all works, client sees local samba's shares, when I do:

$ smbclient -L swir.private.ceb.private.dom -U [email protected] -k
gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server cifs/[email protected] not found in Kerberos database]
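The wrapper suggested in the reply, as an added example that is not from the original thread: it writes a Samba-specific krb5.conf and runs the SMB tool with KRB5_CONFIG pointing at it, leaving the system krb5.conf untouched for the local KDC. AD.EXAMPLE.COM and dc1.ad.example.com are placeholders for the AD realm and KDC, which the thread does not show; the function names and the ~/.smb-krb5.conf path are assumptions, and realm_for_host is a simplified check of the [domain_realm] lookup.

```shell
#!/bin/sh
# Added example. AD_REALM and AD_KDC are placeholders, not values from the thread.
AD_REALM="${AD_REALM:-AD.EXAMPLE.COM}"
AD_KDC="${AD_KDC:-dc1.ad.example.com}"
SMB_HOST_DOMAIN="${SMB_HOST_DOMAIN:-private.ceb.private.dom}"

# Write a minimal krb5.conf whose [domain_realm] sends the SMB server's DNS
# domain to the AD realm instead of the local KDC's realm.
write_smb_krb5_conf() {
    conf_path="$1"
    cat > "$conf_path" <<EOF
[libdefaults]
    default_realm = $AD_REALM

[realms]
    $AD_REALM = {
        kdc = $AD_KDC
    }

[domain_realm]
    .$SMB_HOST_DOMAIN = $AD_REALM
    $SMB_HOST_DOMAIN = $AD_REALM
EOF
}

# Print the realm a config file assigns to a host: exact name first, then
# each parent domain with and without a leading dot. Prints nothing if unmapped.
realm_for_host() {
    awk -v host="$2" '
        /^\[/ { in_sec = ($1 == "[domain_realm]"); next }
        in_sec && NF >= 3 && $2 == "=" { map[tolower($1)] = $3 }
        END {
            name = tolower(host)
            while (name != "") {
                if (name in map) { print map[name]; exit }
                if (substr(name, 1, 1) == ".") name = substr(name, 2)
                else if ((i = index(name, ".")) > 0) name = substr(name, i)
                else name = ""
            }
        }' "$1"
}

# Run a command (e.g. smbclient) with KRB5_CONFIG set only for that command.
run_with_smb_krb5() {
    conf="${SMB_KRB5_CONF:-$HOME/.smb-krb5.conf}"
    [ -f "$conf" ] || write_smb_krb5_conf "$conf"
    KRB5_CONFIG="$conf" "$@"
}

# Invoked with arguments, act as the wrapper; with none, only define functions.
[ "$#" -eq 0 ] || run_with_smb_krb5 "$@"
```

Running realm_for_host against both the system krb5.conf and the generated file for the same hostname shows whether the two configurations disagree about the realm before any ticket request is made.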
