kerberos problem, samba with netbios alias as AD member

Hansjörg Maurer Hansjoerg.Maurer at
Thu Jan 12 07:48:19 GMT 2006


your suggestion solved our problem.

We added 4 entries in servicePrincipalName
which seems to solve the problem.
Additionaly we added
as an additional kerberos name in AD Computer Properties,
but we are not sure, if this is necessary.

The error message does not occur any more

Thank you very much


Andrew Bartlett schrieb:

>On Mon, 2006-01-09 at 11:32 +0100, Hansjörg Maurer wrote:
>>we are running a samba server in a w2k3 AD Domain.
>>The server has the netbios name
>>netbios name = RM-SAMBA01
>>and several netbios aliases
>>When a user connects from a Windows workstation (logged in to the
>>domain) to rm-samba01,
>>hw gets acces without beeing prompted to a password.
>>If he connects to PRINTSERVER he is asked for a password.
>>Even if he enters DOMAIN\username
>>pair, access is denied.
>>samba logs
>>[2005/12/28 21:19:24, 1] smbd/sesssetup.c:reply_spnego_kerberos(180)
>>  Failed to verify incoming ticket!
>>The problem is not reproducable.
>>Some workstation can connect to printserver without a password prompt.
>>I have tried to join the domain
>>with the netbios alias names to,
>>but with no success (join works fine, but problem still exists).
>>net ads join "Computers" -n printserver
>>Do I have to take special care with samba, netbios aliases and kerberos?
>>Do I have to use a special kerberos configuration?
>Yes.  You must expand the list of servicePrincipalName entries in
>Samba's AD entry.  A good LDAP tool should help you there.


Dr.  Hansjoerg Maurer           | LAN- & System-Manager
Deutsches Zentrum               | DLR Oberpfaffenhofen
  f. Luft- und Raumfahrt e.V.   |
Institut f. Robotik             |
Postfach 1116                   | Muenchner Strasse 20
82230 Wessling                  | 82234 Wessling
Germany                         |
Tel: 08153/28-2431              | E-mail: Hansjoerg.Maurer at
Fax: 08153/28-1134              | WWW:

There are 10 types of people in this world, 
those who understand binary and those who don't.

More information about the samba-technical mailing list