Hi, I'm running an LXC container on a Debian 12 host. The container, named "samba", aims to share a directory in an Active Directory environment (functional level 2016).
The container is joined to the domain using the realm command. Inside the container I can log in with any domain user without any problem. I can also access the share with a command like:

    $ smbclient //dl560/dati -U someuser -W BNCRM

and issuing the right credentials when prompted.

What I absolutely cannot get working is accessing the same share with Kerberos:

    $ smbclient -k //dl560/dati

The above command is run as an authenticated user, who can perfectly well access another share on a virtual Debian 10 server. If I issue the above command with the -d10 option I get the long output below.

I've mapped port 445 this way:

    $ lxc config device add samba port445 proxy listen=tcp:0.0.0.0:445 connect=tcp:10.65.65.147:445

Any suggestion would be very appreciated. I can try to provide any missing information.

giuli

Best regards.

---------------------

$ smbclient -k //dl560/dati
WARNING: The option -k|--kerberos is deprecated!
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
  smb2: 10
  smb2_credits: 10
  dsdb_audit: 10
  dsdb_json_audit: 10
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
  smb2: 10
  smb2_credits: 10
  dsdb_audit: 10
  dsdb_json_audit: 10
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10
Processing section "[global]"
doing parameter workgroup = WORKGROUP
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter logging = file
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter server role = standalone server
doing parameter obey pam restrictions = yes
doing parameter unix password sync = yes
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
doing parameter pam password change = yes
doing parameter map to guest = bad user
doing parameter usershare allow guests = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface lxcbr0 ip=10.0.3.1 bcast=10.0.3.255 netmask=255.255.255.0
added interface lxdbr0 ip=10.190.52.1 bcast=10.190.52.255 netmask=255.255.255.0
added interface eno1 ip=192.168.0.77 bcast=192.168.1.255 netmask=255.255.254.0
Client started (version 4.17.10-Debian).
Opening cache file at /run/samba/gencache.tdb
tdb(/run/samba/gencache.tdb): tdb_open_ex: could not open file /run/samba/gencache.tdb: Permission denied
gencache_init: Opening user cache file /home/someuser/.cache/samba/gencache.tdb.
sitename_fetch: No stored sitename for realm ''
internal_resolve_name: looking up dl560#20 (sitename (null))
namecache_fetch: name dl560#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to 192.168.0.5 at port 445
socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=87040, SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0
session request ok
negotiated dialect[SMB3_11] against server[dl560]
cli_session_setup_spnego_send: Connect to dl560 as someu...@bncrm.roma using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gensec_update_send: gse_krb5[0x56310b62e5d0]: subreq: 0x56310b629720
gensec_update_send: spnego[0x56310b628330]: subreq: 0x56310b62d830
gensec_update_done: gse_krb5[0x56310b62e5d0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x56310b629720/../../source3/librpc/crypto/gse.c:895]: state[2] error[0 (0x0)] state[struct gensec_gse_update_state (0x56310b6298e0)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:906]
gensec_update_done: spnego[0x56310b628330]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x56310b62d830/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x56310b62d9f0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
SPNEGO login failed: The attempted logon is invalid. This is either due to a bad username or authentication information.
session setup failed: NT_STATUS_LOGON_FAILURE