[Samba] ADS and Winbind ... Can't access with Samba host name ...

Fernando Ruza fernandor at sescam.jccm.es
Fri Dec 19 13:45:42 GMT 2003


Same problem, same error log messages. I'm using Samba 3.0.1rc2 with
Kerberos 1.3.1. All of the following work:

wbinfo -u, wbinfo -g, getent passwd, getent group
wbinfo -I ip_address, wbinfo -N netbios_name
smbclient //Server/share -k
net lookup dc
net lookup kdc -> No output, and echo $? gives me: 255

Connecting from Win2k/XP clients to a Samba share (share with valid user
option in smb.conf) using the NetBIOS name doesn't work; using the IP
address works.

When I use the IP address it uses NTLM authentication, which is why it
works; however, when I use the NetBIOS name it uses Kerberos, and that's
what doesn't work. I think something is wrong in the configuration of
Kerberos. My krb5.conf file is:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = HGUV.LOCAL
 default_tgs_enctypes = des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 clockskew = 600
 dns_lookup_realm = false
 dns_lookup_kdc = false
 kdc_req_checksum_type = 2
 checksum_type = 2
 ccache_type = 1
 forwardable = true
 proxiable = true

[realms]
 HGUV.LOCAL = {
  kdc = 10.36.192.24:88
  admin_server = 10.36.192.24:749
  default_domain = hguv.local
 }

[domain_realm]
 .hguv.local = HGUV.LOCAL
 hguv.local = HGUV.LOCAL

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

[login]
 krb4_convert = false
 krb4_get_tickets = false


Thanks for any reply.

Regards,

Fernando.



On Fri, 2003-12-19 at 05:50, Peter wrote:
> It appears there are a number of us with this exact same problem. I
> posted this same question a few days ago and have seen 2 or 3 others
> mention the same symptoms since then but have yet to see any specific
> solution.
>
> I assumed this would be an issue with WINS but I've tested WINS lookups
> from both Windows clients, Linux clients and Samba server and all seem
> to function properly.
>
> The fact that my net lookups all work fine is the only difference between
> our problems.
>
> [log.smbd]
>
> [2003/12/17 18:40:04, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
>   Failed to verify incoming ticket!
>
> [log.winbindd]
>
> [2003/12/17 18:39:58, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
>   krb5_cc_get_principal failed (No credentials cache found)
>
>
> Would appreciate some direct answers to this problem regarding WINS host
> vs. IP address share mapping from Windows clients.
>
> Thanks,
>
> Peter
>
>
> ________________________________________________________________________
> > From: C.Lee Taylor <leet at leenx.co.za>
> > To: samba at lists.samba.org
> > Subject: [Samba] ADS and Winbind ... Can't access with Samba host name ...
> > Date: Thu, 18 Dec 2003 16:59:28 +0200
> >
> > Greetings ...
> >
> >     It seems I have really got myself confused ...
> >
> >     I have a Win2K3 ADS domain, I have two FedoraCore systems, one with
> > Samba 3.0.0 and the other with Samba 3.0.1.  Both give me the same problem.
> >
> >     If I try to access the Samba shares from Win2K3 using the host number,
> > I get prompted for a username and password, and no matter what I type
> > in, I can't get in.
> >
> >     If I use the Samba server IP address, I am able to get into shares
> > without being prompted for user details, but Point'nPrint doesn't work, it
> > too requests user details.
> >
> >     I do seem to be getting two errors in my logs ... First in smbd.log
> >
> > [2003/12/18 13:50:19, 0] lib/util_sock.c:get_peer_addr(948)
> >   getpeername failed. Error was Transport endpoint is not connected
> > [2003/12/18 16:18:07, 0] lib/util_sock.c:get_peer_addr(948)
> >   getpeername failed. Error was Transport endpoint is not connected
> >
> >     And the other in the machine log with the IP address eg ...
> >         10.1.1.20.log
> > [2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> >   Failed to verify incoming ticket!
> > [2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> >   Failed to verify incoming ticket!
> >
> >     But in the machine log with the hostname, I am getting normal
> > messages ...
> >
> >     I have tried to make changes in /etc/krb5.conf, but I don't get any
> > further ...
> >
> >     I have tried a few status checks with net, all hosts work fine ...
> >
> > [root@fd1-test-01 samba]# net lookup ldap
> > 10.1.1.16:389
> > 10.1.1.17:389
> >
> > [root@fd1-test-01 samba]# net lookup dc
> > 10.1.1.16
> > 10.1.1.17
> >
> >     But net lookup kdc, master domain don't return anything, so I don't
> > know what else to look for ...
> >
> > Thanks
> > Mailed
> > Lee
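
An added example, not part of the original messages: a small Python check that parses the krb5.conf layout posted above and reports which enctype lists in [libdefaults] allow only single-DES types, which RFC 6649 deprecates. The function names and the embedded sample, cut down from the posted file, are constructed for illustration; the check describes the configuration and does not diagnose the ticket failure discussed in the thread.

```python
import re

# Single-DES enctype names; RFC 6649 deprecates them.
WEAK_ENCTYPES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
ENCTYPE_KEYS = {"default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"}

# Constructed sample: an excerpt of the krb5.conf quoted in the message above.
SAMPLE = """\
[libdefaults]
 default_realm = HGUV.LOCAL
 default_tgs_enctypes = des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
[realms]
 HGUV.LOCAL = {
  kdc = 10.36.192.24:88
 }
"""

def parse_krb5_conf(text):
    """Parse [section], key = value and name = { ... } lines into nested dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        section = re.fullmatch(r"\[(\w+)\]", line)
        if not line or line[0] in "#;":
            continue
        if section:
            stack = [root, root.setdefault(section.group(1), {})]
        elif line == "}" and len(stack) > 2:
            stack.pop()
        elif "=" in line and len(stack) > 1:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return root

def audit_enctypes(conf):
    """Return (key, weak, other) for every enctype list set in [libdefaults]."""
    libdefaults = conf.get("libdefaults", {})
    findings = []
    for key in sorted(ENCTYPE_KEYS & libdefaults.keys()):
        names = re.split(r"[\s,]+", libdefaults[key].strip())
        weak = [n for n in names if n.lower() in WEAK_ENCTYPES]
        other = [n for n in names if n.lower() not in WEAK_ENCTYPES]
        findings.append((key, weak, other))
    return findings

if __name__ == "__main__":
    for key, weak, other in audit_enctypes(parse_krb5_conf(SAMPLE)):
        print(f"{key}: weak={weak} other={other}" + ("" if other else "  <- DES only"))
```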
