[Samba] winbind/samba 3.0.1-1 fails to store machine account password when joining ADS

Lewis Shobbrook lshobbrook at fasttrack.net.au
Tue Jan 6 03:46:12 GMT 2004


Hi All,

The latest Debian unstable release of samba 3.0.1-1 appears to fail
in storing the machine account password when joining a 2000 AD domain.
kinit user at realm works fine, as does net ads join, suggesting the issue
is not related to Kerberos misconfiguration.

klist indicates no cached tickets until kinit is used, and winbindd.log
shows the following entries when winbindd starts:

libsmb/clikrb5.c:ads_krb5_mk_req(269)
krb5_cc_get_principal failed (No credentials cache found)

libads/kerberos.c:ads_kinit_password(133)
 kerberos_kinit_password HOST/SERVER at REALM failed: Client not found in
Kerberos database

We can see from the logs that winbindd is attempting to initiate the
connection to the domain using the Kerberos ticket associated with the
machine account, but it isn't there.

The file secrets.tdb doesn't exist, neither does smbpasswd for that
matter (not that it is specifically needed).  The process of storing the
machine account details was automated in the last version prior to this
current release.  It is apparently broken.

All attempts to access shares fail with

smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!

Am I missing something??

Cheers,

Lewis





