Hi,@all,
For German, see belowInitial situation:- Client: Siduction Linux 2025.1, Plasma 6.5.x
- Client authenticates to the domain via SSSD
- Login is performed using a domain user
/etc/krb5.conf:[libdefaults]
default_realm = LAN.EXAMPLE.COM
dns_lookup_kdc = true
rdns = false
#udp_preference_limit = 1
forwardable = true
proxiable = true
ticket_lifetime = 24h
renew_lifetime = 7d
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
LAN.EXAMPLE.COM = {
admin_server = srv01.lan.example.com
default_domain = lan.example.com
}
[domain_realm]
.lan.example.com = LAN.EXAMPLE.COM
lan.example.com = LAN.EXAMPLE.COM/etc/sssd/sssd.conf:[sssd]
domains = lan.example.com
[domain/lan.example.com]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = LAN.EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
#ad_server = srv01.lan.example.com
ad_domain = lan.example.com
use_fully_qualified_names = False
ldap_id_mapping = False
access_provider = ad
ad_gpo_access_control = permissive
auth_provider = ad
chpass_provider = ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
ldap_schema = rfc2307bis
ldap_group_member = uniqueMember
ldap_group_nesting_level = 2
enumerate = TrueExpectation:SMB access in Dolphin without an additional password prompt (Kerberos SSO)
Kerberos ticket is present:klist
Ticket cache: FILE:/tmp/krb5cc_2016_rBjlO1
Default principal: s.me@LAN.EXAMPLE.COM
Valid starting Expires Service principal
26/01/2026 11:38:35 26/01/2026 21:38:35 krbtgt/LAN.EXAMPLE.COM@LAN.EXAMPLE.COM
SMB with Kerberos works outside of Plasma (libsmbclient):smbclient -k -L srv01.lan.example.com
Sharename Type Comment
netlogon Disk Domain logon service
sysvol Disk
Bilder Disk
...→ No password prompt → Kerberos + Samba client OK
KIO-SMB plugin is present (Plasma 6 / KF6):find /usr/lib -name smb.so
/usr/lib/x86_64-linux-gnu/qt6/plugins/kf6/kio/smb.soKIO-SMB is correctly linked against Kerberos/GSSAPI:ldd /usr/lib/x86_64-linux-gnu/qt6/plugins/kf6/kio/smb.so | grep -E 'gssapi|krb5'
libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3
libauthkrb5-private-samba.so.0 => ...KIO-SMB Kerberos explicitly enabled (modern, Plasma 6):# ~/.config/kio_smbrc
[SMB]
UseKerberos=true→ Ignored.
Result:KIO-SMB (KF6 / Plasma 6.5.x) currently does not use an existing Kerberos ticket for non-interactive SSO.
Despite correct domain integration, a valid TGT, and a properly linked plugin, Dolphin always falls back to interactive authentication.
Have I overlooked something or made a mistake?
** German **Ausgangslage:- Client: Siduction Linux 2025.1, Plasma 6.5.x
- Client meldet sich per SSSD der Domäne an
- Login erfolgt mit Domänenbenutzer
/etc/krb5.conf:[libdefaults]
default_realm = LAN.EXAMPLE.COM
dns_lookup_kdc = true
rdns = false
#udp_preference_limit = 1
forwardable = true
proxiable = true
ticket_lifetime = 24h
renew_lifetime = 7d
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
LAN.EXAMPLE.COM = {
admin_server = srv01.lan.example.com
default_domain = lan.example.com
}
[domain_realm]
.lan.example.com = LAN.EXAMPLE.COM
lan.example.com = LAN.EXAMPLE.COM/etc/sssd/sssd.conf:[sssd]
domains = lan.example.com
[domain/lan.example.com]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = LAN.EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
#ad_server = srv01.lan.example.com
ad_domain = lan.example.com
use_fully_qualified_names = False
ldap_id_mapping = False
access_provider = ad
ad_gpo_access_control = permissive
auth_provider = ad
chpass_provider = ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
ldap_schema = rfc2307bis
ldap_group_member = uniqueMember
ldap_group_nesting_level = 2
enumerate = TrueErwartungshaltung:SMB-Zugriff in Dolphin ohne erneute Passwortabfrage (Kerberos SSO)
Kerberos-Ticket ist vorhanden:klistTicketzwischenspeicher: FILE:/tmp/krb5cc_2016_rBjlO1
Standard-Principal: s.me@LAN.EXAMPLE.COM
Valid starting Expires Service principal
26.01.2026 11:38:35 26.01.2026 21:38:35 krbtgt/LAN.EXAMPLE.COM@LAN.EXAMPLE.COMSMB mit Kerberos funktioniert außerhalb von Plasma (libsmbclient):smbclient -k -L srv01.lan.example.com
Sharename Type Comment
--------- ---- -------
netlogon Disk Domain logon service
sysvol Disk
Bilder Disk
...-> Kein Passwortprompt → Kerberos + Samba Client OK
KIO-SMB Plugin ist vorhanden (Plasma 6 / KF6):find /usr/lib -name smb.so
/usr/lib/x86_64-linux-gnu/qt6/plugins/kf6/kio/smb.soKIO-SMB ist korrekt gegen Kerberos/GSSAPI gelinkt:ldd /usr/lib/x86_64-linux-gnu/qt6/plugins/kf6/kio/smb.so | grep -E 'gssapi|krb5'
libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3
libauthkrb5-private-samba.so.0 => ...KIO-SMB Kerberos explizit aktiviert (modern, Plasma 6):# ~/.config/kio_smbrc
[SMB]
UseKerberos=true-> Wird ignoriert.
Ergebnis:IO-SMB (KF6 / Plasma 6.5.x) nutzt aktuell kein vorhandenes Kerberos-Ticket für non-interactive SSO.
Trotz korrekter Domänenintegration, gültigem TGT und korrekt gelinktem Plugin fällt Dolphin immer auf interaktive Authentifizierung zurück.
Habe ich etwas übersehen bzw. einen Fehler gemacht ?
