I've found a decent workaround for this issue.

I set a public IP for the container and put it in the DNS with hostname
"samba".

Et voilà:

$ smbclient //samba/dati -k
WARNING: The option -k|--kerberos is deprecated!
Try "help" to get a list of possible commands.
smb: \>

The share is also perfectly accessible from Windows and Linux machines
in the same Active Directory domain without prompting for credentials,
provided that the user has logged in to the machine with domain
credentials.

That's exactly what I need.

Assigning a public IP to an LXD container is a bit tricky, because you
need to set up a specific profile, removing the default profile from
the container and assigning this new profile to it. But it works, that's
enough for me.

Hope this could help someone else.

On Tue, 2023-09-19 at 14:50 +0200, nimrod wrote:
> Hi,
> 
> I'm running an LXC container on a Debian 12 host. The container,
> named "samba", aims to share a directory in an Active Directory
> environment (functional level 2016).
> 
> The container is joined to the domain using the realm command. Inside
> the container I can log in with any domain user without any problem.
> 
> I can also access the share with a command like:
> 
> $ smbclient //dl560/dati -U someuser -W BNCRM
> 
> and issuing the right credentials when prompted.
> 
> What I cannot absolutely get working is accessing the same share with
> Kerberos:
> 
> $ smbclient -k //dl560/dati
> 
> The above command is run as an authenticated user, who can perfectly
> well access another share on a virtual Debian 10 server. If I issue
> the above command with the -d10 option I get the long output below.
> 
> I've mapped 445 port this way:
> 
> $ lxc config device add samba port445 proxy listen=tcp:0.0.0.0:445
> connect=tcp:10.65.65.147:445
> 
> Any suggestion would be very appreciated. I can try to provide any
> missing information.
> 
> giuli
> 
> Best regards.
> 
> ---------------------
> $ smbclient -k //dl560/dati
> WARNING: The option -k|--kerberos is deprecated!
> INFO: Current debug levels:
> all: 10
> tdb: 10
> printdrivers: 10
> lanman: 10
> smb: 10
> rpc_parse: 10
> rpc_srv: 10
> rpc_cli: 10
> passdb: 10
> sam: 10
> auth: 10
> winbind: 10
> vfs: 10
> idmap: 10
> quota: 10
> acls: 10
> locking: 10
> msdfs: 10
> dmapi: 10
> registry: 10
> scavenger: 10
> dns: 10
> ldb: 10
> tevent: 10
> auth_audit: 10
> auth_json_audit: 10
> kerberos: 10
> drs_repl: 10
> smb2: 10
> smb2_credits: 10
> dsdb_audit: 10
> dsdb_json_audit: 10
> dsdb_password_audit: 10
> dsdb_password_json_audit: 10
> dsdb_transaction_audit: 10
> dsdb_transaction_json_audit: 10
> dsdb_group_audit: 10
> dsdb_group_json_audit: 10
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384)
> INFO: Current debug levels:
> all: 10
> tdb: 10
> printdrivers: 10
> lanman: 10
> smb: 10
> rpc_parse: 10
> rpc_srv: 10
> rpc_cli: 10
> passdb: 10
> sam: 10
> auth: 10
> winbind: 10
> vfs: 10
> idmap: 10
> quota: 10
> acls: 10
> locking: 10
> msdfs: 10
> dmapi: 10
> registry: 10
> scavenger: 10
> dns: 10
> ldb: 10
> tevent: 10
> auth_audit: 10
> auth_json_audit: 10
> kerberos: 10
> drs_repl: 10
> smb2: 10
> smb2_credits: 10
> dsdb_audit: 10
> dsdb_json_audit: 10
> dsdb_password_audit: 10
> dsdb_password_json_audit: 10
> dsdb_transaction_audit: 10
> dsdb_transaction_json_audit: 10
> dsdb_group_audit: 10
> dsdb_group_json_audit: 10
> Processing section "[global]"
> doing parameter workgroup = WORKGROUP
> doing parameter log file = /var/log/samba/log.%m
> doing parameter max log size = 1000
> doing parameter logging = file
> doing parameter panic action = /usr/share/samba/panic-action %d
> doing parameter server role = standalone server
> doing parameter obey pam restrictions = yes
> doing parameter unix password sync = yes
> doing parameter passwd program = /usr/bin/passwd %u
> doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> doing parameter pam password change = yes
> doing parameter map to guest = bad user
> doing parameter usershare allow guests = yes
> pm_process() returned Yes
> lp_servicenumber: couldn't find homes
> added interface lxcbr0 ip=10.0.3.1 bcast=10.0.3.255
> netmask=255.255.255.0
> added interface lxdbr0 ip=10.190.52.1 bcast=10.190.52.255
> netmask=255.255.255.0
> added interface eno1 ip=192.168.0.77 bcast=192.168.1.255
> netmask=255.255.254.0
> Client started (version 4.17.10-Debian).
> Opening cache file at /run/samba/gencache.tdb
> tdb(/run/samba/gencache.tdb): tdb_open_ex: could not open file
> /run/samba/gencache.tdb: Permission denied
> gencache_init: Opening user cache file
> /home/someuser/.cache/samba/gencache.tdb.
> sitename_fetch: No stored sitename for realm ''
> internal_resolve_name: looking up dl560#20 (sitename (null))
> namecache_fetch: name dl560#20 found.
> remove_duplicate_addrs2: looking for duplicate address/port pairs
> Connecting to 192.168.0.5 at port 445
> socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0,
> TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75,
> IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0,
> SO_SNDBUF=87040, SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1,
> SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0,
> TCP_USER_TIMEOUT=0
> session request ok
> negotiated dialect[SMB3_11] against server[dl560]
> cli_session_setup_spnego_send: Connect to dl560 as
> someu...@bncrm.roma using SPNEGO
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'ncalrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gse_krb5
> gensec_update_send: gse_krb5[0x56310b62e5d0]: subreq: 0x56310b629720
> gensec_update_send: spnego[0x56310b628330]: subreq: 0x56310b62d830
> gensec_update_done: gse_krb5[0x56310b62e5d0]:
> NT_STATUS_MORE_PROCESSING_REQUIRED
> tevent_req[0x56310b629720/../../source3/librpc/crypto/gse.c:895]:
> state[2] error[0 (0x0)] state[struct gensec_gse_update_state
> (0x56310b6298e0)] timer[(nil)]
> finish[../../source3/librpc/crypto/gse.c:906]
> gensec_update_done: spnego[0x56310b628330]:
> NT_STATUS_MORE_PROCESSING_REQUIRED
> tevent_req[0x56310b62d830/../../auth/gensec/spnego.c:1631]: state[2]
> error[0 (0x0)] state[struct gensec_spnego_update_state
> (0x56310b62d9f0)] timer[(nil)]
> finish[../../auth/gensec/spnego.c:2116]
> SPNEGO login failed: The attempted logon is invalid. This is either
> due to a bad username or authentication information.
> session setup failed: NT_STATUS_LOGON_FAILURE
> 
> 

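Why the hostname in the UNC path matters here: a Kerberos SMB client asks the KDC for a service ticket for cifs/<the hostname it was given, after DNS canonicalization>, and that ticket is encrypted with the key of that service principal. When the share is reached through the host's name (dl560) via a proxy device, the ticket is for the host's SPN, not for one the container holds in its keytab, so the container cannot decrypt it and the session setup fails; reaching the container under its own name (samba) yields a ticket the container can decrypt. The check below is added example code, not from the thread or from Samba: it parses a constructed `klist -k` listing of the container's keytab, resolves the client-side hostname through a constructed DNS table, and reports whether the expected cifs/ SPN is present. The realm EXAMPLE.REALM and the FQDNs are placeholders; only the short names samba and dl560 come from the thread.

```python
"""Check whether the hostname a client uses in an SMB UNC path maps to a
cifs/ service principal held in the server's keytab.

Added example; not code from the thread or from Samba. Keytab contents, DNS
mapping and realm are constructed placeholders.
"""
import re

# Constructed sample of `klist -k` output as it might appear inside the
# container. Only the short hostname "samba" is from the thread; the realm
# and FQDN are placeholders.
SAMPLE_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 SAMBA$@EXAMPLE.REALM
   2 host/samba.example.realm@EXAMPLE.REALM
   2 host/SAMBA@EXAMPLE.REALM
   2 cifs/samba.example.realm@EXAMPLE.REALM
   2 cifs/SAMBA@EXAMPLE.REALM
"""

# Constructed DNS view (short name -> FQDN). Kerberos clients canonicalize the
# hostname they were given before requesting cifs/<fqdn>.
SAMPLE_DNS = {
    "samba": "samba.example.realm",   # the container's own DNS record
    "dl560": "dl560.example.realm",   # the LXD host, which proxies port 445
}


def parse_keytab_principals(listing):
    """Return the set of principals listed in `klist -k` style output.

    Entry lines look like "   2 cifs/samba.example.realm@EXAMPLE.REALM";
    the header and separator lines carry no leading KVNO and are skipped.
    """
    principals = set()
    for line in listing.splitlines():
        match = re.match(r"\s*\d+\s+(\S+@\S+)$", line)
        if match:
            principals.add(match.group(1))
    return principals


def expected_spn(unc_host, dns, realm):
    """SPN a client will request for `unc_host`: cifs/<canonical fqdn>@REALM.

    Simplification: canonicalization is modelled as a lookup in `dns`, falling
    back to the name as typed; a real client uses the resolver's answer.
    """
    fqdn = dns.get(unc_host.lower(), unc_host).lower()
    return "cifs/%s@%s" % (fqdn, realm)


def check_spn(unc_path, listing, dns, realm):
    """Return (expected_spn, present_in_keytab) for a UNC path like //host/share.

    `present_in_keytab` is False when the server reached under that hostname
    holds no key for the SPN the client will present, which is the situation
    that ends in a session setup failure on the server side.
    """
    host = unc_path.lstrip("/").split("/")[0]
    spn = expected_spn(host, dns, realm)
    return spn, spn in parse_keytab_principals(listing)


if __name__ == "__main__":
    for path in ("//samba/dati", "//dl560/dati"):
        spn, ok = check_spn(path, SAMPLE_KEYTAB_LISTING, SAMPLE_DNS, "EXAMPLE.REALM")
        print("%-14s needs %-45s %s" % (path, spn, "OK" if ok else "MISSING in keytab"))
```

On a real container the listing would come from `klist -k` (or `net ads keytab list`) run inside the container, and the DNS table from the resolver; the point of the check is that every name clients use to reach the share, including any alias in front of a proxy, must have a matching cifs/ SPN registered on the container's computer object and present in its keytab.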