Smbclient – Accessing Windows Fileshare from Linux

I have spent my entire day to troubleshoot the issue with my Python script. I have a python script using smbclient to open a share file in windows using this library –

Everything seems working well, i have tested a couple of servers and they worked perfectly. So i move the script to production , one of my client use it and she reported that that there was an error. I tried on my dev machine, i have the same issue – the only difference is that the server is different. So my script only works with some servers.

I spent hours and hours to debug the code, run tcpdump to see the traffic , the error i got was timeout when it does the authentication . When i enable debug this is what i can see:

Negotiated dialect: (785) SMB_3_1_1
Connection require signing: True
Initialising session with username:\myaccount
Decoding SPNEGO token containing supported auth mechanisms
Sending SMB2_SESSION_SETUP request message
Receiving SMB2_SESSION_SETUP response message
More processing is required for SMB2_SESSION_SETUP
Sending SMB2_SESSION_SETUP request message
Receiving SMB2_SESSION_SETUP response message
Disconnecting transport connection

I finally found that this server use Kerberos to authenticate and i have to install kerberos library

sudo yes | apt-get install krb5-user -y
apt-get install -y libkrb5-dev
pip3 install smbprotocol[kerberos]

After installing these packages, you need to modify file /etc/krb5.conf to match with your environment setting

	default_realm =
# The following krb5.conf variables are only for MIT Kerberos.
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
 	proxiable = true
  # this line is very important
# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#	default_tgs_enctypes = des3-hmac-sha1
#	default_tkt_enctypes = des3-hmac-sha1
#	permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
	fcc-mit-ticketflags = true

[realms] = {
                kdc =
                kdc =
                kdc =
                admin_server =
                default_domain =


Leave a Reply

Your email address will not be published. Required fields are marked *