smbclient -k -L localhost failed on samba-3.5.9
zombie_ryushu at yahoo.com
Fri Jun 17 09:42:45 MDT 2011
What about OpenLDAP+Heimdal+Samba 3 Domains?
--- On Fri, 6/17/11, Andrew Bartlett <abartlet at samba.org> wrote:
From: Andrew Bartlett <abartlet at samba.org>
Subject: Re: smbclient -k -L localhost failed on samba-3.5.9
To: "jinyunshuai" <jinyunshuai at 126.com>
Cc: "samba-technical" <samba-technical at lists.samba.org>
Date: Friday, June 17, 2011, 6:55 AM
On Fri, 2011-06-17 at 14:12 +0800, jinyunshuai wrote:
> Now I have gotten samba-3.5.9 and installed.
> By testing I found a problem:
> 1) join my test machine to asmb.test domain and login with domain user.
> 2)When I use the command of " smbclient -k -L localhost " to show share dir,
> I get the follows errors:
> ads_krb5_mk_req: smb_krb5_get_credentials failed for cifs/localhost at ASMB.TEST
> (Server not found in Kerberos database)
> cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Server not found in
> Kerberos database
> session setup failed: SUCCESS - 0
> but when I use the " smbclient -k -L debian5 (debian5 is hostname)" command It can work well.
> I also have tested with samba-3.5.8, that did not have this issue.
> I do not know why, is this samba-3.5.9's new bug?
> thanks in advance
This is an intentional change, required to fix bug 7893. The problem in
your situation is that 'localhost' is not a registered name of your host
with your KDC. We apologise for not explaining the full implications of
this in the release notes, but here is the explanation I wrote after
realising the release had already been cut:
Samba now follows windows behaviour as a kerberos client, requesting a
CIFS/ ticket (bug 7893)
New Kerberos behaviour
A new parameter 'client use spnego principal' defaults to 'no' and
mean Samba will use CIFS/hostname to obtain a kerberos ticket, acting
more like Windows when using Kerberos against a CIFS server in
smbclient, winbind and other Samba client tools. This will change
which servers we will successfully negotiate kerberos connections to.
This is due to Samba no longer trusting a server-provided hint which
is not available from Windows 2008 or later. For correct operation
with all clients, all aliases for a server should be recorded as a as
a servicePrincipalName on the server's record in AD.
We apologise for the inconvenience, but feel that this change was
required to better match Windows behaviour in this area.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical