... it shouldn't be so difficult, but maybe I didn't make my point
clear, English is not my language.

On Tue, 2023-09-19 at 14:50 +0200, nimrod wrote:
> Hi,
> 
> I'm running an LXC container on a Debian 12 host. The container,
> named "samba", aims to share a directory in an Active Directory
> environment (functional level 2016).
> 
> The container is joined to the domain using the realm command. Inside
> the container I can login with any domain user without any problem. 
> 
> I can also access the share with a command like:
> 
> $ smbclient //dl560/dati -U someuser -W BNCRM
> 
> and issuing the right credentials when prompted.
> 
> What I absolutely cannot get working is access to the same share with
> Kerberos:
> 
> $ smbclient -k //dl560/dati
> 
> The above command is run as an authenticated user, who can perfectly
> well access another share on a virtual Debian 10 server. If I issue
> the above command with the -d10 option I get the long output below.
> 
> I've mapped port 445 this way:
> 
> $ lxc config device add samba port445 proxy listen=tcp:0.0.0.0:445 connect=tcp:10.65.65.147:445
> 
> Any suggestion would be very appreciated. I can try to provide any
> missing information.
> 
> Best regards.
> 
> ---------------------
> $ smbclient -k //dl560/dati
> WARNING: The option -k|--kerberos is deprecated!
> INFO: Current debug levels:
> all: 10
> tdb: 10
> printdrivers: 10
> lanman: 10
> smb: 10
> rpc_parse: 10
> rpc_srv: 10
> rpc_cli: 10
> passdb: 10
> sam: 10
> auth: 10
> winbind: 10
> vfs: 10
> idmap: 10
> quota: 10
> acls: 10
> locking: 10
> msdfs: 10
> dmapi: 10
> registry: 10
> scavenger: 10
> dns: 10
> ldb: 10
> tevent: 10
> auth_audit: 10
> auth_json_audit: 10
> kerberos: 10
> drs_repl: 10
> smb2: 10
> smb2_credits: 10
> dsdb_audit: 10
> dsdb_json_audit: 10
> dsdb_password_audit: 10
> dsdb_password_json_audit: 10
> dsdb_transaction_audit: 10
> dsdb_transaction_json_audit: 10
> dsdb_group_audit: 10
> dsdb_group_json_audit: 10
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384)
> INFO: Current debug levels:
> all: 10
> tdb: 10
> printdrivers: 10
> lanman: 10
> smb: 10
> rpc_parse: 10
> rpc_srv: 10
> rpc_cli: 10
> passdb: 10
> sam: 10
> auth: 10
> winbind: 10
> vfs: 10
> idmap: 10
> quota: 10
> acls: 10
> locking: 10
> msdfs: 10
> dmapi: 10
> registry: 10
> scavenger: 10
> dns: 10
> ldb: 10
> tevent: 10
> auth_audit: 10
> auth_json_audit: 10
> kerberos: 10
> drs_repl: 10
> smb2: 10
> smb2_credits: 10
> dsdb_audit: 10
> dsdb_json_audit: 10
> dsdb_password_audit: 10
> dsdb_password_json_audit: 10
> dsdb_transaction_audit: 10
> dsdb_transaction_json_audit: 10
> dsdb_group_audit: 10
> dsdb_group_json_audit: 10
> Processing section "[global]"
> doing parameter workgroup = WORKGROUP
> doing parameter log file = /var/log/samba/log.%m
> doing parameter max log size = 1000
> doing parameter logging = file
> doing parameter panic action = /usr/share/samba/panic-action %d
> doing parameter server role = standalone server
> doing parameter obey pam restrictions = yes
> doing parameter unix password sync = yes
> doing parameter passwd program = /usr/bin/passwd %u
> doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> doing parameter pam password change = yes
> doing parameter map to guest = bad user
> doing parameter usershare allow guests = yes
> pm_process() returned Yes
> lp_servicenumber: couldn't find homes
> added interface lxcbr0 ip=10.0.3.1 bcast=10.0.3.255
> netmask=255.255.255.0
> added interface lxdbr0 ip=10.190.52.1 bcast=10.190.52.255
> netmask=255.255.255.0
> added interface eno1 ip=192.168.0.77 bcast=192.168.1.255
> netmask=255.255.254.0
> Client started (version 4.17.10-Debian).
> Opening cache file at /run/samba/gencache.tdb
> tdb(/run/samba/gencache.tdb): tdb_open_ex: could not open file
> /run/samba/gencache.tdb: Permission denied
> gencache_init: Opening user cache file
> /home/someuser/.cache/samba/gencache.tdb.
> sitename_fetch: No stored sitename for realm ''
> internal_resolve_name: looking up dl560#20 (sitename (null))
> namecache_fetch: name dl560#20 found.
> remove_duplicate_addrs2: looking for duplicate address/port pairs
> Connecting to 192.168.0.5 at port 445
> socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0,
> TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75,
> IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0,
> SO_SNDBUF=87040, SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1,
> SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0,
> TCP_USER_TIMEOUT=0
> session request ok
> negotiated dialect[SMB3_11] against server[dl560]
> cli_session_setup_spnego_send: Connect to dl560 as
> someu...@bncrm.roma using SPNEGO
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'ncalrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gse_krb5
> gensec_update_send: gse_krb5[0x56310b62e5d0]: subreq: 0x56310b629720
> gensec_update_send: spnego[0x56310b628330]: subreq: 0x56310b62d830
> gensec_update_done: gse_krb5[0x56310b62e5d0]:
> NT_STATUS_MORE_PROCESSING_REQUIRED
> tevent_req[0x56310b629720/../../source3/librpc/crypto/gse.c:895]:
> state[2] error[0 (0x0)] state[struct gensec_gse_update_state
> (0x56310b6298e0)] timer[(nil)]
> finish[../../source3/librpc/crypto/gse.c:906]
> gensec_update_done: spnego[0x56310b628330]:
> NT_STATUS_MORE_PROCESSING_REQUIRED
> tevent_req[0x56310b62d830/../../auth/gensec/spnego.c:1631]: state[2]
> error[0 (0x0)] state[struct gensec_spnego_update_state
> (0x56310b62d9f0)] timer[(nil)]
> finish[../../auth/gensec/spnego.c:2116]
> SPNEGO login failed: The attempted logon is invalid. This is either
> due to a bad username or authentication information.
> session setup failed: NT_STATUS_LOGON_FAILURE
> 
> 

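A small triage script for debug output like the one quoted above, as an added example that is not part of the original post: it pulls the peer address, negotiated dialect, GENSEC mechanisms, realm, loaded smb.conf parameters and final NT status out of `smbclient -d10` output, with or without mail quoting. The name `triage` and the field names are assumptions; the sample lines are abridged from the quoted log with wrapped lines rejoined.

```python
import re

# Abridged from the smbclient -d10 output quoted above (wrapped lines rejoined).
SAMPLE = """\
doing parameter workgroup = WORKGROUP
doing parameter server role = standalone server
sitename_fetch: No stored sitename for realm ''
Connecting to 192.168.0.5 at port 445
negotiated dialect[SMB3_11] against server[dl560]
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
SPNEGO login failed: The attempted logon is invalid.
session setup failed: NT_STATUS_LOGON_FAILURE
"""

QUOTE = re.compile(r"^(?:>\s?)+")  # leading "> " markers from mail quoting
PATTERNS = {
    "param": re.compile(r"^doing parameter (.+?) = (.*)$"),
    "realm": re.compile(r"^sitename_fetch: .* for realm '([^']*)'"),
    "connect": re.compile(r"^Connecting to (\S+) at port (\d+)"),
    "dialect": re.compile(r"^negotiated dialect\[(\w+)\] against server\[([^\]]+)\]"),
    "mech": re.compile(r"^Starting GENSEC (?:sub)?mechanism (\S+)"),
    "status": re.compile(r"^session setup failed: (NT_STATUS_\w+)"),
}

def triage(log_text):
    """Return the connection and authentication facts found in the debug output."""
    facts = {"params": {}, "mechanisms": [], "realm": None,
             "peer": None, "dialect": None, "server": None, "status": None}
    for raw in log_text.splitlines():
        line = QUOTE.sub("", raw).strip()
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if m is None:
                continue
            if kind == "param":      # smb.conf values the client loaded
                facts["params"][m.group(1)] = m.group(2)
            elif kind == "mech":     # order in which GENSEC mechanisms started
                facts["mechanisms"].append(m.group(1))
            elif kind == "connect":  # address actually dialled, after name lookup
                facts["peer"] = (m.group(1), int(m.group(2)))
            elif kind == "dialect":
                facts["dialect"], facts["server"] = m.groups()
            else:                    # "realm" and "status" carry one value each
                facts[kind] = m.group(1)
            break
    facts["kerberos_attempted"] = any("krb5" in x for x in facts["mechanisms"])
    return facts
```

Calling `triage(SAMPLE)` returns a dictionary that puts the address the client dialled, the realm it reported and the final status side by side.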