smbclient -k -L localhost failed on samba-3.5.9
Andrew Bartlett
abartlet at samba.org
Fri Jun 17 00:55:36 MDT 2011
On Fri, 2011-06-17 at 14:12 +0800, jinyunshuai wrote:
> Hi,
> Now I have gotten samba-3.5.9 and installed.
> By testing I found a problem:
>
> 1) join my test machine to asmb.test domain and login with domain user.
> 2)When I use the command of " smbclient -k -L localhost " to show share dir,
> I get the follows errors:
> ads_krb5_mk_req: smb_krb5_get_credentials failed for cifs/localhost at ASMB.TEST
> (Server not found in Kerberos database)
> cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Server not found in
> Kerberos database
> session setup failed: SUCCESS - 0
>
> but when I use the " smbclient -k -L debian5 (debian5 is hostname)" command It can work well.
>
> I also have tested with samba-3.5.8, that did not have this issue.
>
> I do not know why, is this samba-3.5.9's new bug?
> thanks in advance
This is an intentional change, required to fix bug 7893. The problem in
your situation is that 'localhost' is not a registered name of your host
with your KDC. We apologise for not explaining the full implications of
this in the release notes, but here is the explanation I wrote after
realising the release had already been cut:
Samba now follows windows behaviour as a kerberos client, requesting a
CIFS/ ticket (bug 7893)
New Kerberos behaviour
----------------------
A new parameter 'client use spnego principal' defaults to 'no' and
mean Samba will use CIFS/hostname to obtain a kerberos ticket, acting
more like Windows when using Kerberos against a CIFS server in
smbclient, winbind and other Samba client tools. This will change
which servers we will successfully negotiate kerberos connections to.
This is due to Samba no longer trusting a server-provided hint which
is not available from Windows 2008 or later. For correct operation
with all clients, all aliases for a server should be recorded as a as
a servicePrincipalName on the server's record in AD.
We apologise for the inconvenience, but feel that this change was
required to better match Windows behaviour in this area.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical
mailing list