smbclient -k -L localhost failed on samba-3.5.9

Zombie Ryushu zombie_ryushu at yahoo.com
Fri Jun 17 09:42:45 MDT 2011


What about OpenLDAP+Heimdal+Samba 3 Domains?

--- On Fri, 6/17/11, Andrew Bartlett <abartlet at samba.org> wrote:

From: Andrew Bartlett <abartlet at samba.org>
Subject: Re: smbclient -k -L localhost  failed  on samba-3.5.9
To: "jinyunshuai" <jinyunshuai at 126.com>
Cc: "samba-technical" <samba-technical at lists.samba.org>
Date: Friday, June 17, 2011, 6:55 AM

On Fri, 2011-06-17 at 14:12 +0800, jinyunshuai wrote:
> Hi,
> Now I have gotten samba-3.5.9 and installed.
> By testing I found a problem:
> 
> 1) Join my test machine to the asmb.test domain and log in with a domain user.
> 2) When I use the command "smbclient -k -L localhost" to show the share dir,
>  I get the following errors:
> ads_krb5_mk_req: smb_krb5_get_credentials failed for cifs/localhost at ASMB.TEST
> (Server not found in Kerberos database)
> cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Server not found in
> Kerberos database
> session setup failed: SUCCESS - 0
> 
> but when I use the "smbclient -k -L debian5" command (debian5 is the hostname), it works well.
> 
> I also have tested with samba-3.5.8, that did not have this issue.
> 
> I do not know why, is this samba-3.5.9's new bug?
> thanks in advance
 
This is an intentional change, required to fix bug 7893.  The problem in
your situation is that 'localhost' is not a registered name of your host
with your KDC.  We apologise for not explaining the full implications of
this in the release notes, but here is the explanation I wrote after
realising the release had already been cut:

Samba now follows Windows behaviour as a Kerberos client, requesting a
CIFS/ ticket (bug 7893)
 
New Kerberos behaviour
----------------------

A new parameter 'client use spnego principal' defaults to 'no' and
means Samba will use CIFS/hostname to obtain a Kerberos ticket, acting
more like Windows when using Kerberos against a CIFS server in
smbclient, winbind and other Samba client tools.  This will change
which servers we will successfully negotiate Kerberos connections to.
This is due to Samba no longer trusting a server-provided hint which
is not available from Windows 2008 or later.  For correct operation
with all clients, all aliases for a server should be recorded as
a servicePrincipalName on the server's record in AD.

We apologise for the inconvenience, but feel that this change was
required to better match Windows behaviour in this area.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
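
The behaviour described in the release-note text above, as an added example that is not part of the thread and is not Samba or KDC code: a simplified model that builds cifs/<typed name> for each name a client might use and reports which ones have no matching servicePrincipalName. The registered SPN list and the alias "files" are constructed assumptions, as are the case-insensitive matching and the HOST/ to cifs/ mapping taken from AD's default sPNMappings.

```python
# Added example: simplified model, not Samba or KDC code.
# Assumption: AD's default sPNMappings lets a HOST/ SPN answer cifs/ requests.
HOST_COVERS = {"cifs"}


def parse_spn(spn):
    """Split 'service/host[:port][/extra][@REALM]' into lowercased (service, host).

    Lowercasing models case-insensitive SPN matching (assumed, as in AD).
    """
    name = spn.strip().split("@", 1)[0]
    service, sep, rest = name.partition("/")
    host = rest.split("/", 1)[0].split(":", 1)[0]
    if not sep or not service or not host:
        raise ValueError(f"not a service principal name: {spn!r}")
    return service.lower(), host.lower()


def kdc_knows(principal, registered_spns):
    """True if a registered SPN (or a HOST/ SPN covering it) matches the request."""
    service, host = parse_spn(principal)
    known = {parse_spn(s) for s in registered_spns}
    if (service, host) in known:
        return True
    return service in HOST_COVERS and ("host", host) in known


def audit_names(names, registered_spns, realm):
    """Map each name a client might type to the principal the KDC would not find."""
    missing = {}
    for name in names:
        principal = f"cifs/{name}@{realm}"  # new default: built from the typed name
        if not kdc_knows(principal, registered_spns):
            missing[name] = principal
    return missing


# Constructed sample data; the SPN list is an assumption, not taken from the thread.
REGISTERED = ["HOST/debian5", "HOST/debian5.asmb.test"]
NAMES = ["debian5", "DEBIAN5.asmb.test", "localhost", "files"]

if __name__ == "__main__":
    for name, principal in audit_names(NAMES, REGISTERED, "ASMB.TEST").items():
        print(f"{name}: no SPN for {principal}")
```

Each name reported as missing is one that would need its own servicePrincipalName entry on the server's record before a client using that name could obtain a ticket.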
