External Storage for smb/cifs with kerberos

Hello,

I want to connect my Nextcloud 19.0.5 with a Samba share using Kerberos SSO.
Apache (web.example.com) and Samba (srv.example.com) are running in two Debian 10 Proxmox containers.
There is no AD involved. Just OpenLDAP, Kerberos and SSSD.

I also have an Ubuntu VM on Proxmox for testing.

On the VM I can log in to Nextcloud with a Kerberos ticket.
And I can access the share:
smbclient //srv.example.com/media/ -U test05 -k

But when I try to configure the storage in the Nextcloud GUI it doesn’t work.
I get the red icon.

Can anybody help me to find a solution?

Here is the nextcloud log:

[no app in context] Error: Icewind\SMB\Exception\ForbiddenException: Invalid request for / (ForbiddenException) at <>

  1. /var/www/html/nextcloud/apps/files_external/3rdparty/icewind/smb/src/Native/NativeState.php line 66
    Icewind\SMB\Exception\Exception::fromMap({1: "Icewind\SM … "}, 1, "/")
  2. /var/www/html/nextcloud/apps/files_external/3rdparty/icewind/smb/src/Native/NativeState.php line 78
    Icewind\SMB\Native\NativeState->handleError("/")
  3. /var/www/html/nextcloud/apps/files_external/3rdparty/icewind/smb/src/Native/NativeState.php line 294
    Icewind\SMB\Native\NativeState->testResult("*** sensitive parameter replaced ***", "smb://srv.example.com/nextcloud/")
  4. /var/www/html/nextcloud/apps/files_external/3rdparty/icewind/smb/src/Native/NativeShare.php line 306
    Icewind\SMB\Native\NativeState->getxattr("smb://srv.example.com/nextcloud/", "system.dos_attr.*")
  5. /var/www/html/nextcloud/apps/files_external/3rdparty/icewind/smb/src/Native/NativeFileInfo.php line 64
    Icewind\SMB\Native\NativeShare->getAttribute("/", "system.dos_attr.*")
  6. /var/www/html/nextcloud/apps/files_external/3rdparty/icewind/smb/src/Native/NativeFileInfo.php line 83
    Icewind\SMB\Native\NativeFileInfo->stat()
  7. /var/www/html/nextcloud/apps/files_external/3rdparty/icewind/smb/src/Native/NativeShare.php line 113
    Icewind\SMB\Native\NativeFileInfo->getSize()
  8. /var/www/html/nextcloud/apps/files_external/lib/Lib/Storage/SMB.php line 188
    Icewind\SMB\Native\NativeShare->stat("/")
  9. /var/www/html/nextcloud/apps/files_external/lib/Lib/Storage/SMB.php line 336
    OCA\Files_External\Lib\Storage\SMB->getFileInfo("/")
  10. /var/www/html/nextcloud/lib/private/Files/Storage/Common.php line 459
    OCA\Files_External\Lib\Storage\SMB->stat("")
  11. /var/www/html/nextcloud/apps/files_external/lib/Lib/Storage/SMB.php line 703
    OC\Files\Storage\Common->test()
  12. /var/www/html/nextcloud/apps/files_external/lib/config.php line 262
    OCA\Files_External\Lib\Storage\SMB->test("*** sensitive parameter replaced ***", "*** sensitive parameter replaced ***")
  13. /var/www/html/nextcloud/apps/files_external/lib/Controller/StoragesController.php line 254
    OC_Mount_Config::getBackendStatus("*** sensitive parameters replaced ***")
  14. /var/www/html/nextcloud/apps/files_external/lib/Controller/StoragesController.php line 329
    OCA\Files_External\Controller\StoragesController->updateStorageStatus("*** sensitive parameters replaced ***")
  15. /var/www/html/nextcloud/apps/files_external/lib/Controller/UserStoragesController.php line 108
    OCA\Files_External\Controller\StoragesController->show("2", "*** sensitive parameter replaced ***")
  16. /var/www/html/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 170
    OCA\Files_External\Controller\UserStoragesController->show("2", "*** sensitive parameter replaced ***")
  17. /var/www/html/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 100
    OC\AppFramework\Http\Dispatcher->executeController(OCA\Files_Extern … {}, "show")
  18. /var/www/html/nextcloud/lib/private/AppFramework/App.php line 137
    OC\AppFramework\Http\Dispatcher->dispatch(OCA\Files_Extern … {}, "show")
  19. /var/www/html/nextcloud/lib/private/AppFramework/Routing/RouteActionHandler.php line 47
    OC\AppFramework\App::main("OCA\Files_Exte … r", "show", OC\AppFramework\ … {}, {id: "2",_route: … "})
  20. <>
    OC\AppFramework\Routing\RouteActionHandler->__invoke({id: "2",_route: … "})
  21. /var/www/html/nextcloud/lib/private/Route/Router.php line 297
    call_user_func(OC\AppFramework\ … {}, {id: "2",_route: … "})
  22. /var/www/html/nextcloud/lib/base.php line 1010
    OC\Route\Router->match("/apps/files_external/userstorages/2")
  23. /var/www/html/nextcloud/index.php line 37
    OC::handleRequest()

GET /apps/files_external/userstorages/2?testOnly=true
from 192.168.1.130 by test05 at 2020-12-12T18:11:14+00:00

And the Samba log:

Starting GENSEC mechanism spnego
[2020/12/12 18:21:53.228715, 5, pid=13755, effective(0, 0), real(0, 0), class=auth] …/auth/gensec/gensec_start.c:739(gensec_start_mech)
Starting GENSEC submechanism gse_krb5
[2020/12/12 18:21:53.229040, 10, pid=13755, effective(0, 0), real(0, 0), class=auth] …/auth/gensec/gensec.c:440(gensec_update_send)
gensec_update_send: spnego[0x5558a141ef80]: subreq: 0x5558a142f210
[2020/12/12 18:21:53.229087, 10, pid=13755, effective(0, 0), real(0, 0), class=auth] …/auth/gensec/gensec.c:498(gensec_update_done)
gensec_update_done: spnego[0x5558a141ef80]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x5558a142f210/…/auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x5558a142f3c0)] timer[(nil)] finish[…/auth/gensec/spnego.c:2070]
[2020/12/12 18:21:53.327878, 5, pid=13755, effective(0, 0), real(0, 0), class=auth] …/source3/auth/auth.c:536(make_auth3_context_for_ntlm)
Making default auth method list for server role = 'standalone server', encrypt passwords = yes
[2020/12/12 18:21:53.327979, 5, pid=13755, effective(0, 0), real(0, 0), class=auth] …/source3/auth/auth.c:412(load_auth_module)
load_auth_module: Attempting to find an auth method to match anonymous
[2020/12/12 18:21:53.328045, 5, pid=13755, effective(0, 0), real(0, 0), class=auth] …/source3/auth/auth.c:437(load_auth_module)
load_auth_module: auth method anonymous has a valid init
[2020/12/12 18:21:53.328136, 5, pid=13755, effective(0, 0), real(0, 0), class=auth] …/source3/auth/auth.c:412(load_auth_module)
load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2020/12/12 18:21:53.328234, 5, pid=13755, effective(0, 0), real(0, 0), class=auth] …/source3/auth/auth.c:437(load_auth_module)
load_auth_module: auth method sam_ignoredomain has a valid init
[2020/12/12 18:21:53.328346, 5, pid=13755, effective(0, 0), real(0, 0), class=auth] …/auth/gensec/gensec_start.c:739(gensec_start_mech)
Starting GENSEC mechanism spnego
[2020/12/12 18:21:53.328449, 5, pid=13755, effective(0, 0), real(0, 0), class=auth] …/auth/gensec/gensec_start.c:739(gensec_start_mech)
Starting GENSEC submechanism gse_krb5
[2020/12/12 18:21:53.328829, 10, pid=13755, effective(0, 0), real(0, 0), class=auth] …/auth/gensec/gensec.c:440(gensec_update_send)
gensec_update_send: spnego[0x5558a1439ca0]: subreq: 0x5558a142f210
[2020/12/12 18:21:53.328915, 10, pid=13755, effective(0, 0), real(0, 0), class=auth] …/auth/gensec/gensec.c:498(gensec_update_done)
gensec_update_done: spnego[0x5558a1439ca0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x5558a142f210/…/auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x5558a142f3c0)] timer[(nil)] finish[…/auth/gensec/spnego.c:2070]

If I purge the package php-smbclient to have only the package smbclient I get this error in the Nextcloud log:
OCP\Files\StorageAuthException: Storage unauthorized. Unknown error (Unable to initialize messaging context gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT)