smbclient -k //debian5/sharedir can not work with a trusted domain user

jinyunshuai jinyunshuai at
Tue Jun 21 20:21:44 MDT 2011

Thanks very much for the reply!

Following Andrew Bartlett's reply, I additionally added 'client use spnego principal=true' (I had originally set 'realm = SAMBA1.TEST') in the smb.conf file.

It works well now.

Thanks again!

At 2011-06-22 06:48:26,"Andrew Bartlett" <abartlet at> wrote:

>On Tue, 2011-06-21 at 22:40 +0800, jinyunshuai wrote:
>> Hi,
>> I have a problem:
>> I have two domains which trust each other (samba1.test, samba2.test).
>> 1) The samba server (host name is debian5) joined to samba1, and login with samba2's user.
>>    Successful.
>> 2) Run "smbclient -k //debian5/sharedir"; it fails with the following error message:
>> ads_krb5_mk_req: smb_krb5_get_credentials failed for cifs/debian5@SAMBA2.TEST (Server not found in Kerberos database)
>> cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Server not found in Kerberos database
>> session setup failed: SUCCESS - 0
>> I have tested samba-3.5.8 with the above steps, and it did not have this issue.
>> Is it an intentional change, or a new bug?
>The change here was intentional, but we certainly did not fully
>anticipate the variety of different Kerberos configurations that Samba
>would be deployed into.  It was not our intention to break working
>setups with a 3.5 change. 
>In your situation, we need to give Samba and Kerberos a clue as to what
>host is in what realm. 
>There are three ways that the 3.5.9 codebase will use to determine this:
> - use a fully qualified name (where the DNS domain matches the realm,
>either directly or via the krb5.conf mapping)
> - set 'realm' in your smb.conf
> - set 'client use spnego principal = true' to again trust the clue from
>the remote host. 
>Any of these should fix the issue for you.  
>We do apologise for the inconvenience,
>Andrew Bartlett
>Andrew Bartlett                      
>Authentication Developer, Samba Team 
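
The three options listed in the reply above, written out as configuration. This is an added illustration, not part of the original thread or the Samba project's own text; the realm names and host name come from the thread, while the DNS name debian5.samba1.test and the /etc/krb5.conf path are assumptions. The original poster reported success with `realm` and `client use spnego principal` set together.

```ini
# Added illustration, not from the original thread.
# Realms SAMBA1.TEST / SAMBA2.TEST and host debian5 are taken from the thread;
# the DNS name debian5.samba1.test is an assumption.

# ---- Option 1: fully qualified name, with a krb5.conf mapping ----
# File: /etc/krb5.conf (assumed path) on the client.
# Maps each DNS domain to its realm so the client asks the right KDC.
# Then connect using the fully qualified name:
#   smbclient -k //debian5.samba1.test/sharedir
[domain_realm]
    .samba1.test = SAMBA1.TEST
    samba1.test = SAMBA1.TEST
    .samba2.test = SAMBA2.TEST
    samba2.test = SAMBA2.TEST

# ---- Options 2 and 3: smb.conf on the client ----
[global]
    # Option 2: state the realm the server belongs to.
    realm = SAMBA1.TEST

    # Option 3: again trust the principal hint supplied by the remote host
    # during SPNEGO negotiation (the pre-change behaviour the reply describes).
    client use spnego principal = true
```

Option 3 makes the client rely on a name chosen by the server it is connecting to, so options 1 and 2, which keep the realm decision on the client side, are the ones to try first.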

