smbclient -k -L localhost failed on samba-3.5.9

Andrew Bartlett abartlet at
Fri Jun 17 00:55:36 MDT 2011

On Fri, 2011-06-17 at 14:12 +0800, jinyunshuai wrote:
> Hi,
> Now I have gotten samba-3.5.9 and installed.
> By  testing I found a problem:
> 1)  join my test machine to asmb.test domain and  login with domain user.
> 2)When I  use the command of " smbclient -k -L localhost "  to show share dir,
>  I get the follows errors:
> ads_krb5_mk_req: smb_krb5_get_credentials failed for cifs/localhost at ASMB.TEST
> (Server not found in Kerberos database)
> cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Server not found in
> Kerberos database
> session setup failed: SUCCESS - 0
> but when  I use  the " smbclient -k -L debian5  (debian5 is hostname)" command It can work well.
> I also have tested with samba-3.5.8, that did not have this issue.
> I do not know why, is this samba-3.5.9's new bug?
> thanks in advance
This is an intentional change, required to fix bug 7893.  The problem in
your situation is that 'localhost' is not a registered name of your host
with your KDC.  We apologise for not explaining the full implications of
this in the release notes, but here is the explanation I wrote after
realising the release had already been cut:

Samba now follows windows behaviour as a kerberos client, requesting a
CIFS/ ticket (bug 7893)
New Kerberos behaviour

A new parameter 'client use spnego principal' defaults to 'no' and
mean Samba will use CIFS/hostname to obtain a kerberos ticket, acting
more like Windows when using Kerberos against a CIFS server in
smbclient, winbind and other Samba client tools.  This will change
which servers we will successfully negotiate kerberos connections to.
This is due to Samba no longer trusting a server-provided hint which
is not available from Windows 2008 or later.  For correct operation
with all clients, all aliases for a server should be recorded as a as
a servicePrincipalName on the server's record in AD.

We apologise for the inconvenience, but feel that this change was
required to better match Windows behaviour in this area.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 

More information about the samba-technical mailing list