[Pkg-samba-maint] Bug#1116930: smbclient+kerberos regression after update from Debian 12

Sven Geggus sveb-debian at geggus.net
Tue Sep 30 16:50:10 BST 2025


Package: smbclient
Version: 2:4.23.1+dfsg-1
Severity: normal

Hello,

After updating my systems from Debian 12 to Debian 13, smbclient with
Kerberos authentication no longer works.

This is still true for version 4.23.1 from testing, which I also just tested on my VM.

Details:

In Debian 12 I can do the following:
~/ > smbclient --use-kerberos=required -N -L my-active-directory-controller

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remoteverwaltung
        C$              Disk      Standardfreigabe
        MYDFSname       Disk
        IPC$            IPC       Remote-IPC
        NETLOGON        Disk      Ressource für Anmeldeserver
        SYSVOL          Disk      Ressource für Anmeldeserver
SMB1 disabled -- no workgroup available

The machine had smbclient 4.17.12 and sssd 2.8.2 then.

After updating to Debian 13 I now have smbclient 4.22.4 and sssd 2.10.1.

Kerberos still works fine for NFS and auth via SSH, but smbclient no longer
works.

The above command now gives the following:
 ~/ > smbclient --use-kerberos=required -N -L my-active-directory-controller
gensec_gse_client_prepare_ccache: No password for user principal[XXXXXXX at XXXXXXXXXXXX]
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER

As klist shows, there *is* a valid ticket cache:
 ~/ > klist
Ticket cache: FILE:/tmp/krb5cc_1163_UZJOxjjoWe
Default principal: XXXXXXX at XXXXXXXXXXXX

Valid starting     Expires            Service principal
09/30/25 17:35:20  10/01/25 03:00:29  krbtgt/XXXXXXXXXXXX at XXXXXXXXXXXX
        renew until 10/01/25 03:00:29



Running smbclient with -d 99 gives the following:

...
gensec_gse_client_prepare_ccache: Kerberos required username[XXXXXXX at XXXXXXXXXXXX]
gensec_gse_client_prepare_ccache: No password for user principal[XXXXXXX at XXXXXXXXXXXX]
Failed to start GENSEC client mech gse_krb5: NT_STATUS_WRONG_CREDENTIAL_HANDLE
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
...


/etc/samba/smb.conf and /etc/sssd/sssd.conf are unchanged.

Any idea on how to debug this further?

Regards

Sven


