smbclient -k //debian5/sharedir can not work with a trusted domain user

Andrew Bartlett abartlet at
Tue Jun 21 16:48:26 MDT 2011

On Tue, 2011-06-21 at 22:40 +0800, jinyunshuai wrote:
> Hi ,
> I have a problem:
> I have two domains which trusted each other(samba1.test, samba2.test)
> 1) the samba server(host name is debian5) joined to samba1,  and login with samba2's user.
>    successful
> 2)run "smbclient -k  //debian5/sharedir "  , it is failed and get follows error message:
> ads_krb5_mk_req: smb_krb5_get_credentials failed forcifs/debian5 at SAMBA2.TEST (Server not found in Kerberos database)
> cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Server not found in Kerberos database
> session setup failed: SUCCESS - 0
> I  have tested on samba-3.5.8 with above steps, that did not have this issue.
> is it an intentional change? or new bug?

The change here was intentional, but we certainly did not fully
anticipate the variety of different Kerberos configurations that Samba
would be deployed into.  It was not our intention to break working
setups with a 3.5 change. 

In your situation, we need to give Samba and Kerberos a clue as to what
host is in what realm. 

There are three ways that the 3.5.9 codebase will use to determine this:
 - use a fully qualified name (where the DNS domain matches the realm,
either directly or via the krb5.conf mapping)
 - set 'realm' in your smb.conf
 - set 'client use spnego principal = true' to again trust the clue from
the remote host. 

Any of these should fix the issue for you.  

We do apologise for the inconvenience,

Andrew Bartlett
Andrew Bartlett                      
Authentication Developer, Samba Team 

More information about the samba-technical mailing list