smbclient -k -L localhost failed on samba-3.5.9

jinyunshuai jinyunshuai at 126.com
Mon Jun 20 00:55:17 MDT 2011 

Thanks very much for explaining ,
 
I have another problem:
I have two domains which trusted each other(samba1.test, samba2.test)
1) the samba server(host name is debian5) joined to samba1,  and login with samba2's user.
   successful
2)run "smbclient -k  //debian5/sharedir "  , it is failed and get follows error message:
ads_krb5_mk_req: smb_krb5_get_credentials failed forcifs/debian5 at SAMBA2.TEST (Server not found in Kerberos database)
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Server not found in Kerberos database
session setup failed: SUCCESS - 0
I  have tested on samba-3.5.8 with above steps, that did not have this issue.
 is it an intentional change? or new bug?
 
 thanks in advance!

 

 

 



At 2011-06-17 14:55:36,"Andrew Bartlett" <abartlet at samba.org> wrote:

>On Fri, 2011-06-17 at 14:12 +0800, jinyunshuai wrote:
>> Hi,
>> Now I have gotten samba-3.5.9 and installed.
>> By  testing I found a problem:
>> 
>> 1)  join my test machine to asmb.test domain and  login with domain user.
>> 2)When I  use the command of " smbclient -k -L localhost "  to show share dir,
>>  I get the follows errors:
>> ads_krb5_mk_req: smb_krb5_get_credentials failed for cifs/localhost at ASMB.TEST
>> (Server not found in Kerberos database)
>> cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Server not found in
>> Kerberos database
>> session setup failed: SUCCESS - 0
>> 
>> but when  I use  the " smbclient -k -L debian5  (debian5 is hostname)" command It can work well.
>> 
>> I also have tested with samba-3.5.8, that did not have this issue.
>> 
>> I do not know why, is this samba-3.5.9's new bug?
>> thanks in advance
> 
>This is an intentional change, required to fix bug 7893.  The problem in
>your situation is that 'localhost' is not a registered name of your host
>with your KDC.  We apologise for not explaining the full implications of
>this in the release notes, but here is the explanation I wrote after
>realising the release had already been cut:
>
>Samba now follows windows behaviour as a kerberos client, requesting a
>CIFS/ ticket (bug 7893)
> 
>New Kerberos behaviour
>----------------------
>
>A new parameter 'client use spnego principal' defaults to 'no' and
>mean Samba will use CIFS/hostname to obtain a kerberos ticket, acting
>more like Windows when using Kerberos against a CIFS server in
>smbclient, winbind and other Samba client tools.  This will change
>which servers we will successfully negotiate kerberos connections to.
>This is due to Samba no longer trusting a server-provided hint which
>is not available from Windows 2008 or later.  For correct operation
>with all clients, all aliases for a server should be recorded as a as
>a servicePrincipalName on the server's record in AD.
>
>We apologise for the inconvenience, but feel that this change was
>required to better match Windows behaviour in this area.
>
>Andrew Bartlett
>
>-- 
>Andrew Bartlett                                http://samba.org/~abartlet/
>Authentication Developer, Samba Team           http://samba.org
>

More information about the samba-technical mailing list