smbclient -k -L localhost failed on samba-3.5.9
jinyunshuai at 126.com
Mon Jun 20 00:55:17 MDT 2011
Thanks very much for explaining ,
I have another problem:
I have two domains which trusted each other(samba1.test, samba2.test)
1) the samba server(host name is debian5) joined to samba1, and login with samba2's user.
2)run "smbclient -k //debian5/sharedir " , it is failed and get follows error message:
ads_krb5_mk_req: smb_krb5_get_credentials failed forcifs/debian5 at SAMBA2.TEST (Server not found in Kerberos database)
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Server not found in Kerberos database
session setup failed: SUCCESS - 0
I have tested on samba-3.5.8 with above steps, that did not have this issue.
is it an intentional change? or new bug?
thanks in advance!
At 2011-06-17 14:55:36，"Andrew Bartlett" <abartlet at samba.org> wrote:
>On Fri, 2011-06-17 at 14:12 +0800, jinyunshuai wrote:
>> Now I have gotten samba-3.5.9 and installed.
>> By testing I found a problem:
>> 1) join my test machine to asmb.test domain and login with domain user.
>> 2)When I use the command of " smbclient -k -L localhost " to show share dir,
>> I get the follows errors:
>> ads_krb5_mk_req: smb_krb5_get_credentials failed for cifs/localhost at ASMB.TEST
>> (Server not found in Kerberos database)
>> cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Server not found in
>> Kerberos database
>> session setup failed: SUCCESS - 0
>> but when I use the " smbclient -k -L debian5 (debian5 is hostname)" command It can work well.
>> I also have tested with samba-3.5.8, that did not have this issue.
>> I do not know why, is this samba-3.5.9's new bug?
>> thanks in advance
>This is an intentional change, required to fix bug 7893. The problem in
>your situation is that 'localhost' is not a registered name of your host
>with your KDC. We apologise for not explaining the full implications of
>this in the release notes, but here is the explanation I wrote after
>realising the release had already been cut:
>Samba now follows windows behaviour as a kerberos client, requesting a
>CIFS/ ticket (bug 7893)
>New Kerberos behaviour
>A new parameter 'client use spnego principal' defaults to 'no' and
>mean Samba will use CIFS/hostname to obtain a kerberos ticket, acting
>more like Windows when using Kerberos against a CIFS server in
>smbclient, winbind and other Samba client tools. This will change
>which servers we will successfully negotiate kerberos connections to.
>This is due to Samba no longer trusting a server-provided hint which
>is not available from Windows 2008 or later. For correct operation
>with all clients, all aliases for a server should be recorded as a as
>a servicePrincipalName on the server's record in AD.
>We apologise for the inconvenience, but feel that this change was
>required to better match Windows behaviour in this area.
>Andrew Bartlett http://samba.org/~abartlet/
>Authentication Developer, Samba Team http://samba.org
More information about the samba-technical