I spent my entire day troubleshooting an issue with my Python script. The script uses smbclient from the smbprotocol library (https://pypi.org/project/smbprotocol/) to open a file on a Windows share.
Everything seemed to work well: I tested it against a couple of servers and they worked perfectly. So I moved the script to production, one of my clients used it, and she reported an error. I tried on my dev machine and got the same error; the only difference was the server. So my script only worked with some servers.
I spent hours debugging the code and running tcpdump to look at the traffic. The error was a timeout during authentication. With debug logging enabled, this is what I saw:
Negotiated dialect: (785) SMB_3_1_1
Connection require signing: True
Initialising session with username: mydomain.org\myaccount
Decoding SPNEGO token containing supported auth mechanisms
Sending SMB2_SESSION_SETUP request message
Receiving SMB2_SESSION_SETUP response message
More processing is required for SMB2_SESSION_SETUP
Sending SMB2_SESSION_SETUP request message
Receiving SMB2_SESSION_SETUP response message
Disconnecting transport connection
I finally found that this server uses Kerberos to authenticate, so I had to install the Kerberos libraries and the Kerberos extra of smbprotocol:
sudo apt-get install -y krb5-user
sudo apt-get install -y libkrb5-dev
pip3 install 'smbprotocol[kerberos]'
After installing these packages, you need to edit /etc/krb5.conf to match your environment. The realm named in default_realm must have a matching stanza under [realms]; realm names are case-sensitive, and Active Directory realms are conventionally the domain name in upper case.
[libdefaults]
    default_realm = mydomain.mydomain.org
    # The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    # this line is very important
    dns_canonicalize_hostname = false
    # The following encryption type specification will be used by MIT Kerberos
    # if uncommented. In general, the defaults in the MIT Kerberos code are
    # correct and overriding these specifications only serves to disable new
    # encryption types as they are added, creating interoperability problems.
    #
    # The only time when you might need to uncomment these lines and change
    # the enctypes is if you have local software that will break on ticket
    # caches containing ticket encryption types it doesn't know about (such as
    # old versions of Sun Java).
    # default_tgs_enctypes = des3-hmac-sha1
    # default_tkt_enctypes = des3-hmac-sha1
    # permitted_enctypes = des3-hmac-sha1
    # The following libdefaults parameters are only for Heimdal Kerberos.
    fcc-mit-ticketflags = true
[realms]
    mydomain.ad.mydomain.org = {
        kdc = dc001.mydomain.ad.mydomain.org
        kdc = dc001.mydomain.ad.mydomain.org
        kdc = dc001.mydomain.ad.mydomain.org:88
        admin_server = dc001.mydomain.ad.mydomain.org
        default_domain = mydomain.org
    }
[domain_realm]
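A small sanity check for the krb5.conf step, added here as an example and not part of the original post or of smbprotocol: it parses the [libdefaults] and [realms] sections and flags the mistakes that most often leave the SMB session setup hanging before any share is reached (default_realm with no matching stanza, a lower-case realm, a stanza without a kdc, a kdc listed twice). The embedded sample config is constructed to mirror the one above; the host and realm names are placeholders.

```python
# Constructed sample based on the post's config; names are placeholders, not real hosts.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = mydomain.mydomain.org
    dns_canonicalize_hostname = false   # keeps the client from rewriting the SPN host
[realms]
    mydomain.ad.mydomain.org = {
        kdc = dc001.mydomain.ad.mydomain.org
        kdc = dc001.mydomain.ad.mydomain.org
        kdc = dc001.mydomain.ad.mydomain.org:88
        admin_server = dc001.mydomain.ad.mydomain.org
    }
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: {section: {key: [values]}} for flat keys and
    {section: {realm: {key: [values]}}} for brace blocks such as [realms] entries."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
            block = None
        elif line.endswith("{"):                   # start of a "REALM = {" block
            name = line[:-1].split("=", 1)[0].strip()
            block = conf[section].setdefault(name, {})
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            target = block if block is not None else conf[section]
            target.setdefault(key, []).append(value)  # keys like kdc may repeat
    return conf


def check_krb5_conf(text):
    """Return human-readable problems; an empty list means the basics are consistent."""
    conf = parse_krb5_conf(text)
    problems = []
    default_realm = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    realms = conf.get("realms", {})
    if default_realm is None:
        problems.append("libdefaults has no default_realm")
    else:
        if default_realm != default_realm.upper():
            problems.append(f"realm names are case-sensitive; AD realms are upper-case: {default_realm}")
        if default_realm not in realms:
            problems.append(f"default_realm {default_realm} has no [realms] stanza")
    for realm, entries in realms.items():
        kdcs = entries.get("kdc", [])
        if not kdcs:
            problems.append(f"realm {realm} lists no kdc")
        if len(set(kdcs)) != len(kdcs):
            problems.append(f"realm {realm} lists the same kdc more than once")
    return problems
```

Running check_krb5_conf on the sample reports the realm mismatch and the duplicate kdc lines; fix those before retrying the smbclient session.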