ADS, Kerberos and LDAP are explicitly disabled for samba-libsmbclient port in /usr/ports/net/samba3/Makefile: .if defined(SAMBA_SUBPORT) .. CONFIGURE_ARGS+= --without-ldap CONFIGURE_ARGS+= --without-krb5 CONFIGURE_ARGS+= --without-ads That makes samba-libsmbclient port completely useless in ADS based Microsoft network: authentication fails when Konqueror (KDE) connects to any MSWindows host participating in ADS. When those lines changed to (ldap client is installed already) CONFIGURE_ARGS+= --with-ldap CONFIGURE_ARGS+= --with-krb5 CONFIGURE_ARGS+= --with-ads Konqueror works fine.
State Changed From-To: open->feedback Awaiting maintainers feedback
Hi, Dmitry! Indeed, Samba developers confirmed that now it's necessary to link with Kerberos to get ability to log into ADS domain. Last time I asked this in ML i was said no libraries are necessary. Can you, pleasae, try this set of options and tell me, did it help to you? CONFIGURE_ARGS+= --with-krb5 CONFIGURE_ARGS+= --withoout-ldap CONFIGURE_ARGS+= --without-ads Just to reduce number of dependencies :) With best regads, Timur Bakeyev
Hi, Timur I've tested this lib with Konqueror browser of KDE. It seems that KDE does not use Kerberos authentication when connecting to smb server: I've recompiled libsmbclient with those (--with-krb5 --without-ldap --without-ads) parameters using portupgrade -f samba-libsmbclient ( BTW, ldd shows that no kerberos was compiled in: ldd /usr/local/lib/libsmbclient.so /usr/local/lib/libsmbclient.so: libcrypt.so.3 => /lib/libcrypt.so.3 (0x282f1000) libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x2830a000) while with --with-krb5 --with-ldap --with-ads much more libraries are included: libcrypt.so.3 => /lib/libcrypt.so.3 (0x28310000) libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x28329000) libgssapi.so.8 => /usr/lib/libgssapi.so.8 (0x28416000) libkrb5.so.8 => /usr/lib/libkrb5.so.8 (0x28425000) libasn1.so.8 => /usr/lib/libasn1.so.8 (0x2845e000) libcrypto.so.4 => /lib/libcrypto.so.4 (0x28485000) libroken.so.8 => /usr/lib/libroken.so.8 (0x2858b000) libcom_err.so.3 => /usr/lib/libcom_err.so.3 (0x28598000) libldap-2.2.so.7 => /usr/local/lib/libldap-2.2.so.7 (0x2859a000) liblber-2.2.so.7 => /usr/local/lib/liblber-2.2.so.7 (0x285c8000) libssl.so.4 => /usr/lib/libssl.so.4 (0x285d5000) ) I've uncommented kerberos auth in /etc/pam.d/system auth sufficient pam_krb5.so no_warn try_first_pass and logged in using MS Windows Network password. klist showed correct credential values. smbclient successfully conected to windows server using -k option (Kerberos auth): ~[500]$ smbclient -k '\\server\c$' OS=[Windows Server 2003 3790 Service Pack 1] Server=[Windows Server 2003 5.2] smb: \> But Konqueror, on connecting to windows server requested user and password and finished with no access error while I entered correct user/password. When compiled with --with-krb5 --with-ldap --with-ads options Konqueror also asks to user/password and successfully connects to server. Sincerely Yours Dmitry > Hi, Dmitry! > > Indeed, Samba developers confirmed that now it's necessary to link with > Kerberos to get ability to log into ADS domain. Last time I asked this > in ML i was said no libraries are necessary. > > Can you, pleasae, try this set of options and tell me, did it help to you? > > CONFIGURE_ARGS+= --with-krb5 > CONFIGURE_ARGS+= --withoout-ldap > CONFIGURE_ARGS+= --without-ads > > Just to reduce number of dependencies :) > > With best regads, > Timur Bakeyev
State Changed From-To: feedback->closed Maintainer submitted PR 93553 with a patch for this issue. I checked with him on IRC and he said this PR should be closed.