[Samba] smbclient -k fails

Aden, Steve saden at itscommunications.com
Wed Mar 17 16:26:24 GMT 2004

	I'm no expert, but I don't believe you would specify -k and -U
at the same time. You can get a kerberos ticket by using the kinit
command such as "kinit <user>@REALM". Once completed successfully, you
could do "smbclient -k -L <server>". You can see your kerberos tickets
by using the command klist.


Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email. Opinions, conclusions and other information contained in this message that do not relate to official business shall be understood as neither given nor endorsed by ITS

-----Original Message-----
From: Christian HAESSIG [mailto:christian.haessig at ircad.u-strasbg.fr] 
Sent: Wednesday, March 17, 2004 11:04 AM
To: samba at lists.samba.org
Subject: [Samba] smbclient -k fails

Hello the list,

I have a problem using smbclient with samba 3.0.2a + kerberos, in a
AD environment.

When I run

smbclient -k -U <AD user> -L <server>

where <AD user> is an AD user, and <server> the samba server OR the AD
controller, I get the following error :

krb5_cc_get_principal failed (No credentials cache found)
spnego_gen_negTokenTarg failed: No credentials cache found
session setup failed: NT_STATUS_OK

But without the -k, it works without problem.

Has someone any idea ?


Here is my krb5.conf file :

  default = FILE:/var/log/krb5/libs.log
  kdc = FILE:/var/log/krb5/kdc.log
  admin_server = FILE:/var/log/krb5/admin.log

  ticket_lifetime = 24000
  default_realm = IRCAD.FR
  default_tgs_enctypes = des-cbc-crc des-cbc-md5
  default_tkt_enctypes = des-cbc-crc des-cbc-md5
  forwardable = true
  proxiable = true
  dns_lookup_realm = true
  dns_lookup_kdc = true

  IRCAD.FR = {
    kdc = ircadsrv.ircad.fr:88
    default_domain = ircad.fr

   .ircad.fr = IRCAD.FR
   ircad.fr = IRCAD.FR

   profile = /var/kerberos/krb5kdc/kdc.conf

   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false

and this is my smb.conf file :

   workgroup = D_IRCAD
   netbios name = PRINTSRV2
   client use spnego = yes
   server string = %h server (Samba %v)

   wins support = no
   wins server =
   dns proxy = no

   log file = /var/log/samba/log.%m
   log level = 3
   max log size = 1000

   syslog = 0

####### winbindd configuration
  winbind separator = +
  idmap uid = 10000-20000
  idmap gid = 10000-20000
  winbind enum users = yes
  winbind enum groups = yes
  template homedir = /home/%D/%U
  template shell = /bin/bash

####### Authentication #######

   security = ads
   password server = IRCADSRV
   realm = IRCAD.FR
   encrypt passwords = yes
   passdb backend = tdbsam guest
   invalid users = root

   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n .

########## Printing ##########

Christian Haessig

To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

This message was content-scanned by IXC Shield 
Powered by GatewayDefender - BE08a5a012.00000001.mml

More information about the samba mailing list