Samba + Heimdal Issue.

Mohan Narayanaswamy mohann at silver-peak.com
Mon Jun 28 11:13:35 MDT 2010


Hello Samba Team,

 

I am trying to use smbclient -k (with Kerberos tickets obtained through MS
constrained delegation) to connect to a Win2003 server.

I can connect successfully when I get tickets for the user directly.

 

###########
# WORKING #
###########

/usr/heimdal/bin/kinit domain_user1@XXXX.COM
/usr/heimdal/bin/kgetcred CIFS/dev03-w2k3a02.xxxx.com@XXXX.COM
/usr/local/samba/bin/smbclient -k \\\\dev03-w2k3a02.xxxx.com\\share  # WORKS

 

Doing kerberos session setup
ads_krb5_mk_req: Advancing clock by 1974 seconds to cope with clock skew
ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration Wed, 16 Jun 2010 19:26:38 PDT
ads_krb5_mk_req: Ticket (dev03-w2k3a02$@XXXX.COM) in ccache (FILE:/tmp/krb5cc_0) is valid until: (Wed, 16 Jun 2010 19:26:38 PDT - 1276741598)
Got KRB5 session key of length 16

 

But when I use constrained delegation, smbclient does not seem to locate
the credentials.

 

###############
# NOT WORKING #
###############

/usr/heimdal/bin/kinit -c /etc/icache.krb5 --forwardable --no-afslog \
    --password-file=foopassword proxy_user@XXXX.COM
/usr/heimdal/bin/kgetcred -c /etc/icache.krb5 \
    --out-cache=/etc/ocache.krb5 --forward \
    --impersonate=domain_user1@XXXX.COM proxy_user@XXXX.COM
/usr/heimdal/bin/kgetcred -c /etc/icache.krb5 --out-cache=/tmp/krb5cc_0 \
    --delegation-credential-cache=/etc/ocache.krb5 \
    CIFS/dev03-w2k3a02.xxxx.com@XXXX.COM

/usr/local/samba/bin/smbclient -k \\\\dev03-w2k3a02.xxxx.com\\share  # DOES NOT WORK

 

Doing kerberos session setup
ads_krb5_mk_req: krb5_get_credentials failed for dev03-w2k3a02$@XXXX.COM (Matching credential not found)
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Matching credential not found
SPNEGO login failed: Matching credential not found
session setup failed: SUCCESS - 0

 

Any help would be much appreciated.

 

Regards,

Mohan


