So debugging this with Wireshark showed that during the SPNEGO negotiation, server and client could not settle on a mutually supported authentication mechanism. The server was only offering NTLMSSP while the client offered MS KRB5/KRB5 (due to --use-kerberos=required).
The server needs to have "kerberos method" set to use the right keytab; for some reason "system keytab" does not work and I had to explicitly set

    kerberos method = dedicated keytab
    dedicated keytab file = /etc/krb5.keytab

This allows SPNEGO negotiation to succeed but leads to the next error:

[2023/09/26 15:21:29.755056, 5] ../../source3/auth/auth.c:565(make_auth3_context_for_ntlm) make_auth3_context_for_ntlm: Making default auth method list for server role = 'standalone server', encrypt passwords = yes
[2023/09/26 15:21:29.755119, 5] ../../source3/auth/auth.c:52(smb_register_auth) Attempting to register auth backend anonymous
[2023/09/26 15:21:29.755141, 5] ../../source3/auth/auth.c:64(smb_register_auth) Successfully added auth method 'anonymous'
[2023/09/26 15:21:29.755154, 5] ../../source3/auth/auth.c:52(smb_register_auth) Attempting to register auth backend sam
[2023/09/26 15:21:29.755164, 5] ../../source3/auth/auth.c:64(smb_register_auth) Successfully added auth method 'sam'
[2023/09/26 15:21:29.755173, 5] ../../source3/auth/auth.c:52(smb_register_auth) Attempting to register auth backend sam_ignoredomain
[2023/09/26 15:21:29.755183, 5] ../../source3/auth/auth.c:64(smb_register_auth) Successfully added auth method 'sam_ignoredomain'
[2023/09/26 15:21:29.755191, 5] ../../source3/auth/auth.c:52(smb_register_auth) Attempting to register auth backend sam_netlogon3
[2023/09/26 15:21:29.755201, 5] ../../source3/auth/auth.c:64(smb_register_auth) Successfully added auth method 'sam_netlogon3'
[2023/09/26 15:21:29.755210, 5] ../../source3/auth/auth.c:52(smb_register_auth) Attempting to register auth backend winbind
[2023/09/26 15:21:29.755219, 5] ../../source3/auth/auth.c:64(smb_register_auth) Successfully added auth method 'winbind'
[2023/09/26 15:21:29.755228, 5] ../../source3/auth/auth.c:52(smb_register_auth) Attempting to register auth backend unix
[2023/09/26 15:21:29.755237, 5] ../../source3/auth/auth.c:64(smb_register_auth) Successfully added auth method 'unix'
[2023/09/26 15:21:29.755246, 5] ../../source3/auth/auth.c:426(load_auth_module) load_auth_module: Attempting to find an auth method to match anonymous
[2023/09/26 15:21:29.755276, 5] ../../source3/auth/auth.c:451(load_auth_module) load_auth_module: auth method anonymous has a valid init
[2023/09/26 15:21:29.755286, 5] ../../source3/auth/auth.c:426(load_auth_module) load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2023/09/26 15:21:29.755296, 5] ../../source3/auth/auth.c:451(load_auth_module) load_auth_module: auth method sam_ignoredomain has a valid init
[2023/09/26 15:21:29.757684, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register) GENSEC backend 'gssapi_spnego' registered
[2023/09/26 15:21:29.757719, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register) GENSEC backend 'gssapi_krb5' registered
[2023/09/26 15:21:29.757732, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register) GENSEC backend 'gssapi_krb5_sasl' registered
[2023/09/26 15:21:29.757744, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register) GENSEC backend 'spnego' registered
[2023/09/26 15:21:29.757754, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register) GENSEC backend 'schannel' registered
[2023/09/26 15:21:29.757764, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register) GENSEC backend 'ncalrpc_as_system' registered
[2023/09/26 15:21:29.757774, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register) GENSEC backend 'sasl-EXTERNAL' registered
[2023/09/26 15:21:29.757784, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register) GENSEC backend 'ntlmssp' registered
[2023/09/26 15:21:29.757793, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register) GENSEC backend 'ntlmssp_resume_ccache' registered
[2023/09/26 15:21:29.757803, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register) GENSEC backend 'http_basic' registered
[2023/09/26 15:21:29.757813, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register) GENSEC backend 'http_ntlm' registered
[2023/09/26 15:21:29.757822, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register) GENSEC backend 'http_negotiate' registered
[2023/09/26 15:21:29.757835, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register) GENSEC backend 'krb5' registered
[2023/09/26 15:21:29.757853, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register) GENSEC backend 'fake_gssapi_krb5' registered
[2023/09/26 15:21:29.757980, 5] ../../auth/gensec/gensec_start.c:844(gensec_start_mech) Starting GENSEC mechanism spnego
[2023/09/26 15:21:29.758031, 5] ../../auth/gensec/gensec_start.c:844(gensec_start_mech) Starting GENSEC submechanism gse_krb5
[2023/09/26 15:21:29.767904, 5] ../../source3/auth/auth.c:565(make_auth3_context_for_ntlm) make_auth3_context_for_ntlm: Making default auth method list for server role = 'standalone server', encrypt passwords = yes
[2023/09/26 15:21:29.767924, 5] ../../source3/auth/auth.c:426(load_auth_module) load_auth_module: Attempting to find an auth method to match anonymous
[2023/09/26 15:21:29.767931, 5] ../../source3/auth/auth.c:451(load_auth_module) load_auth_module: auth method anonymous has a valid init
[2023/09/26 15:21:29.767936, 5] ../../source3/auth/auth.c:426(load_auth_module) load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2023/09/26 15:21:29.767941, 5] ../../source3/auth/auth.c:451(load_auth_module) load_auth_module: auth method sam_ignoredomain has a valid init
[2023/09/26 15:21:29.767971, 5] ../../auth/gensec/gensec_start.c:844(gensec_start_mech) Starting GENSEC mechanism spnego
[2023/09/26 15:21:29.768004, 5] ../../auth/gensec/gensec_start.c:844(gensec_start_mech) Starting GENSEC submechanism gse_krb5
[2023/09/26 15:21:29.768378, 1] ../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac) auth3_generate_session_info_pac: Unexpected PAC for [atest@INTERN] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE

This leads to a bug in Samba, based on false assumptions, which was introduced in 2021 and makes it impossible to use MIT Kerberos authentication with the standalone server role. There is a long thread on the Samba list starting at https://lists.samba.org/archive/samba/2023-April/244842.html about it; the actual cause is described by Andrew Bartlett from the Samba team:

> So I knew this would happen, sorry about that.
>
> When we did the big 2021 security fixes, we strictly set a line between
> 'AD has a PAC' and 'MIT Krb5 (traditional) does not'.
>
> This was meant to ensure that folks would not connect Samba as a
> 'standalone' server in an AD domain, bypassing the security mitigation
> we put in place against the 'dollar ticket attack' where users could
> create an account called 'root$' but print it as 'root'.
>
> The problem is that subsequent to that, I saw that the MIT folks
> decided to always issue a PAC, just without the LOGON_INFO
> component. Samba doesn't do well with that, and a fix is needed both
> in this code and in winbindd to change the test from 'has a PAC' to
> 'has a PAC with LOGON_INFO'.

(see https://lists.samba.org/archive/samba/2023-April/244999.html)

So if we don't want to set up an AD DC we will probably not be able to use Kerberos authentication with our current setup.

-- 
Guido Berhoerster
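To tell the two failures in this thread apart from the server side, it helps to parse the smbd debug output and check, in one pass, whether SPNEGO actually started the gse_krb5 submechanism and whether the standalone-role PAC rejection followed. The script below is an added example, not code from the post or from the Samba project; its header regex and the sample log (modelled on the excerpt above, run together the way it was pasted) are my own constructions.

```python
import re
from collections import Counter

# Samba debug header: "[YYYY/MM/DD HH:MM:SS.usec, level] path:line(function) message"
HEADER_RE = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), (?P<level>\d+)\] "
    r"(?P<src>[^\s:]+):(?P<line>\d+)\((?P<func>\w+)\) ?"
)
# The rejection the post hits with MIT Kerberos against a standalone server.
PAC_RE = re.compile(
    r"Unexpected PAC for \[(?P<princ>[^\]]+)\] in standalone mode - (?P<status>NT_STATUS_\w+)"
)

# Constructed sample, modelled on the log excerpt in the post (entries run together).
SAMPLE_LOG = (
    "[2023/09/26 15:21:29.757980, 5] ../../auth/gensec/gensec_start.c:844(gensec_start_mech) "
    "Starting GENSEC mechanism spnego "
    "[2023/09/26 15:21:29.758031, 5] ../../auth/gensec/gensec_start.c:844(gensec_start_mech) "
    "Starting GENSEC submechanism gse_krb5 "
    "[2023/09/26 15:21:29.768378, 1] ../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac) "
    "auth3_generate_session_info_pac: Unexpected PAC for [atest@INTERN] in standalone mode "
    "- NT_STATUS_BAD_TOKEN_TYPE"
)

def parse_samba_log(text):
    """Split a Samba debug log into entries, even when a copy-paste has run
    them together: each header starts an entry and the message runs up to
    the next header."""
    heads = list(HEADER_RE.finditer(text))
    entries = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append({"level": int(h["level"]), "func": h["func"],
                        "msg": text[h.end():end].strip()})
    return entries

def diagnose(entries):
    """Count the GENSEC (sub)mechanisms that were started and collect any
    standalone-role PAC rejections; the verdict keys on both."""
    mechs = Counter(e["msg"].split()[-1] for e in entries if e["func"] == "gensec_start_mech")
    rejections = [m.groupdict() for e in entries if (m := PAC_RE.search(e["msg"]))]
    if rejections and "gse_krb5" in mechs:
        verdict = "kerberos negotiated, PAC rejected by standalone role"
    elif "gse_krb5" not in mechs:
        verdict = "kerberos never started; check kerberos method / keytab"
    else:
        verdict = "no known failure signature"
    return {"mechanisms": dict(mechs), "rejections": rejections, "verdict": verdict}

if __name__ == "__main__":
    print(diagnose(parse_samba_log(SAMPLE_LOG)))
```

The first verdict corresponds to the NT_STATUS_BAD_TOKEN_TYPE case the thread explains (a PAC without LOGON_INFO from an MIT KDC); the second is the earlier keytab problem, where SPNEGO never gets past NTLMSSP.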