Kerberos picks a realm based on the hostname. When you use the 
swir.private.ceb.private.dom hostname, it infers the realm 
PRIVATE.CEB.PRIVATE.DOM from your [domain_realm] mapping; but Samba is not 
using that realm for authentication and AD doesn’t know about that realm.

In general, trying to mix realms like this --- especially when the machine is 
both a KDC for one realm and, for SMB, a member of a different realm --- is a 
recipe for trouble. Your best bet would probably be a wrapper for the SMB 
client utilities that points them to a Samba-specific krb5.conf (via the 
KRB5_CONFIG environment variable) that knows to use the AD realm information 
instead.

On 6/7/16, 09:01, "kerberos-boun...@mit.edu on behalf of lejeczek" 
<kerberos-boun...@mit.edu on behalf of pelj...@yahoo.co.uk> wrote:

$ smbclient -L swir -U m...@ceb.private.dom -k
all works, client sees local samba's shares, when I do:
$ smbclient -L swir.private.ceb.private.dom -U pe...@ceb.private.dom -k
gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server cifs/swir.private.ceb.private....@private.ceb.private.dom not found in Kerberos database]


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
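
The wrapper suggested in the reply above, sketched as an added example that is not part of the original thread. It assumes the AD realm is CEB.PRIVATE.DOM (taken from the user principal in the question); the KDC name dc1.ceb.private.dom, the config path and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: give Samba client tools their own krb5.conf via KRB5_CONFIG.
# Assumed values (not from the thread): AD realm name and the KDC placeholder.
AD_REALM="${AD_REALM:-CEB.PRIVATE.DOM}"                # assumed AD realm
AD_KDC="${AD_KDC:-dc1.ceb.private.dom}"                # placeholder KDC name
SMB_HOST="${SMB_HOST:-swir.private.ceb.private.dom}"   # hostname from the thread

# Write a krb5.conf whose [domain_realm] maps the SMB host to the AD realm,
# so the cifs/ service ticket is requested from AD.
write_samba_krb5_conf() {
    cat > "$1" <<EOF
[libdefaults]
    default_realm = $AD_REALM
    dns_lookup_realm = false

[realms]
    $AD_REALM = {
        kdc = $AD_KDC
    }

[domain_realm]
    $SMB_HOST = $AD_REALM
EOF
}

# Print the realm that an exact-host [domain_realm] entry assigns to a host.
mapped_realm() {
    awk -v host="$2" '
        /^\[/ { in_dr = ($1 == "[domain_realm]"); next }
        in_dr && $1 == host && $2 == "=" { print $3; exit }
    ' "$1"
}

# Run one command with KRB5_CONFIG pointing at the Samba-specific file;
# the caller's environment and the system krb5.conf stay untouched.
with_samba_krb5() {
    conf="$1"; shift
    [ -r "$conf" ] || { echo "missing krb5 config: $conf" >&2; return 1; }
    [ "$(mapped_realm "$conf" "$SMB_HOST")" = "$AD_REALM" ] || {
        echo "$SMB_HOST is not mapped to $AD_REALM in $conf" >&2; return 1; }
    env KRB5_CONFIG="$conf" "$@"
}

# Usage (config path is hypothetical):
#   write_samba_krb5_conf /etc/samba/krb5-ad.conf
#   with_samba_krb5 /etc/samba/krb5-ad.conf smbclient -L swir.private.ceb.private.dom -k
```

Because the variable is set only for the wrapped command, the machine's own KDC and other Kerberos clients keep using the system krb5.conf.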
