[Samba] krb5_get_credentials failed

Matt McParland matt at engsoc.org
Wed Dec 17 19:57:24 GMT 2003


Using Samba 3.0.1 packages from samba.org on RH 8.0 kernel 2.4.20.

I'm trying to get winbindd configured so that we can do single sign-on
across Win2k file servers and Samba file servers with ADS.  I've configured
Samba to do shares but it prompts for username/password unless the user/pass exists in smbpassword.

'net ads join' was successful and secrets.tdb was modified.  The computer account shows up in ADS.  There is a unix account created for the computer account (computer-name$).

Unfortunately, I only had temporary access to create computer accounts.  To remove and add the computer account again (running net ads join again) would require many phone calls.  I'm not sure if that part of the process is failing.  It appears not, since the command executes with no error output and secrets.tdb is modified.

I'm able to get Kerberos tickets from the command line with kinit, but
winbind seems to have trouble connecting to ADS and 'wbinfo -u' doesn't
work.

I've included configuration files and what I thought was the relevant part of the log.  


smb.conf:

[global]
        workgroup = DOMAIN
        realm = REALM
        server string = fileserver
        security = ADS
        password server = pdc
        log level = 1
        log file = /var/log/samba/%m.log
        max log size = 0
        preferred master = No
        local master = No
        domain master = No
        enhanced browsing = No
        dns proxy = No
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind separator = +
        winbind use default domain = Yes

krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = REALM

[realms]
REALM = {
  kdc = pdc 
 }

[domain_realm]
 .pdc = REALM



Relevant parts of winbindd.log:

[2003/12/17 14:37:30, 5] nsswitch/winbindd_cm.c:cm_open_connection(178)
  connecting to pdc from fileserver with kerberos principal [fileserver$@REALM]
[2003/12/17 14:37:30, 2] libsmb/cliconnect.c:cli_session_setup_spnego(665)
  Doing spnego session setup (blob length=106)
[2003/12/17 14:37:30, 3] libsmb/cliconnect.c:cli_session_setup_spnego(690)
  got OID=1 2 840 48018 1 2 2
[2003/12/17 14:37:30, 3] libsmb/cliconnect.c:cli_session_setup_spnego(690)
  got OID=1 2 840 113554 1 2 2
[2003/12/17 14:37:30, 3] libsmb/cliconnect.c:cli_session_setup_spnego(690)
  got OID=1 2 840 113554 1 2 2 3
[2003/12/17 14:37:30, 3] libsmb/cliconnect.c:cli_session_setup_spnego(690)
  got OID=1 3 6 1 4 1 311 2 2 10
[2003/12/17 14:37:30, 3] libsmb/cliconnect.c:cli_session_setup_spnego(697)
  got principal=pdc$@REALM
[2003/12/17 14:37:30, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(509)
  Doing kerberos session setup
[2003/12/17 14:37:30, 1] libsmb/clikrb5.c:ads_krb5_mk_req(276)
  krb5_get_credentials failed for pdc$@REALM (Ticket expired)
[2003/12/17 14:37:30, 4] nsswitch/winbindd_cm.c:cm_open_connection(185)
  failed kerberos session setup with NT_STATUS_UNSUCCESSFUL
[2003/12/17 14:37:30, 5] nsswitch/winbindd_cm.c:cm_open_connection(219)
  anonymous connection attempt to pdc from fileserver


-- 
Matt McParland
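
An added example, not part of the original post or of Samba: a small Python parser for the two-line winbindd log record format quoted above, which reports each krb5_get_credentials failure and whether an anonymous connection attempt follows it before the next Kerberos connection attempt. The function names are hypothetical and the sample is an excerpt of the log lines in the post.

```python
import re

# Header format seen in the quoted log: "[date time, level] file:function(line)"
HEADER = re.compile(
    r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>[^\s:]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$")
KRB_FAIL = re.compile(r"krb5_get_credentials failed for (?P<principal>\S+) \((?P<reason>[^)]*)\)")

# Excerpt copied from the winbindd.log lines quoted in the post.
SAMPLE = """\
[2003/12/17 14:37:30, 5] nsswitch/winbindd_cm.c:cm_open_connection(178)
  connecting to pdc from fileserver with kerberos principal [fileserver$@REALM]
[2003/12/17 14:37:30, 1] libsmb/clikrb5.c:ads_krb5_mk_req(276)
  krb5_get_credentials failed for pdc$@REALM (Ticket expired)
[2003/12/17 14:37:30, 4] nsswitch/winbindd_cm.c:cm_open_connection(185)
  failed kerberos session setup with NT_STATUS_UNSUCCESSFUL
[2003/12/17 14:37:30, 5] nsswitch/winbindd_cm.c:cm_open_connection(219)
  anonymous connection attempt to pdc from fileserver
"""

def parse_records(text):
    """Group each header line with the indented message lines that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and line.startswith((" ", "\t")):
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def kerberos_fallbacks(records):
    """List Kerberos credential failures and flag a following anonymous attempt."""
    findings = []
    for i, rec in enumerate(records):
        m = KRB_FAIL.search(rec["msg"])
        if not m:
            continue
        anon = False
        for later in records[i + 1:]:
            if "with kerberos principal" in later["msg"]:
                break  # a new Kerberos connection attempt starts here
            anon = anon or "anonymous connection attempt" in later["msg"]
        findings.append({"ts": rec["ts"], "principal": m["principal"],
                         "reason": m["reason"], "anonymous_fallback": anon})
    return findings

if __name__ == "__main__":
    print(kerberos_fallbacks(parse_records(SAMPLE)))
```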

