[Samba] spnego_gen_negTokenTarg failed: No credentials cache found

Henrik Zagerholm henke at mac.se
Wed Nov 23 08:04:39 GMT 2005


Hi Roland!

I wonder if you could just try disabling "Digitally Sign
Communications" in the Domain Security Policy. Both client and
server. Maybe this is something completely different, but it puzzles
me that you cannot connect through Mac OS.

Regards,
Henrik
On 22 Nov 2005, at 11:42, Roland Carlsson wrote:

> Hello everybody!
>
> I keep on trying to make my Samba installation work.  I have
> tried a couple threads before but I have not been able to pinpoint
> the problem.
>
> So, yesterday I made a second last attempt to solve the problem  
> before my boss forces me to install Windows2003 since it works out  
> of the box.
>
> The scenario is that I'm trying to use Samba (Suse 10) as a
> fileserver that authenticates against an Active Directory Server
> 2003 SP1 (all patches).
>
> I can bind my server to the domain.
> I can run wbinfo -g, -t, -u -p without error and get users from AD
> I can run getent groups passwd and get the users and groups from AD
>
> Here are the results from trying to connect to a share with  
> smbclient from localhost:
>
> AQMLIN03:/ # smbclient //aqmlin03/gemensam -U roca1
> Password:
> Domain=[ALFA-MOVING] OS=[Unix] Server=[Samba 3.0.20b-3.1-SUSE]
> tree connect failed: NT_STATUS_ACCESS_DENIED
>
> AQMLIN03: # smbclient -k //aqmlin03/gemensam
> ads_krb5_mk_req: krb5_get_credentials failed for cifs/aqmlin03.alfa-moving at ALFA-MOVING.SE (Ticket expired)
> spnego_gen_negTokenTarg failed: Ticket expired
> session setup failed: SUCCESS - 0
> (From localhost I can't use roca1 as user so this was run as root.)
>
> Here are the same smbclient attempts from an OSX client:
>
> PROSIT:~ roca1$ smbclient  //aqmlin03/gemensam -U roca1
> Password:
> Domain=[ALFA-MOVING] OS=[Unix] Server=[Samba 3.0.20b-3.1-SUSE]
> tree connect failed: NT_STATUS_ACCESS_DENIED
>
> PROSIT:~ roca1$ smbclient -k //aqmlin03/gemensam
> spnego_gen_negTokenTarg failed: No credentials cache found
> session setup failed: NT_STATUS_OK
>
> When using smbclient -k I get the following in log.smbd:
> [2005/11/22 11:06:51, 2] smbd/server.c:exit_server(612)
>  Closing connections
>
>
> Using smbclient -U I get the following in log.smbd:
> [2005/11/22 11:08:10, 0] auth/auth_util.c:make_server_info_info3(1173)
>  make_server_info_info3: pdb_init_sam failed!
> [2005/11/22 11:08:10, 2] auth/auth.c:check_ntlm_password(317)
>  check_ntlm_password:  Authentication for user [roca1] -> [roca1] FAILED with error NT_STATUS_NO_SUCH_USER
> [2005/11/22 11:08:10, 2] smbd/service.c:make_connection_snum(311)
>  guest user (from session setup) not permitted to access this share (gemensam)
> [2005/11/22 11:08:10, 2] smbd/server.c:exit_server(612)
>
> Running testparm gives this (and the shares that I cut out):
>
> AQMLIN03:/var/log/samba # testparm
> Load smb config files from /etc/samba/smb.conf
> Processing section "[printers]"
> Processing section "[gemensam]"
> Processing section "[jÖnkÖping]"
> Processing section "[gÖteborg]"
> Processing section "[malmÖ]"
> Processing section "[oslo]"
> Processing section "[stockholm]"
> Processing section "[home]"
> Processing section "[milldoc]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>
> [global]
>        workgroup = ALFA-MOVING
>        realm = ALFA-MOVING.SE
>        security = ADS
>        map to guest = Bad User
>        log level = 5
>        preferred master = No
>        local master = No
>        domain master = No
>        dns proxy = No
>        ldap idmap suffix = ou=Idmap
>        ldap machine suffix = ou=Computers
>        ldap suffix = dc=ALFA-MOVING,dc=SE
>        ldap ssl = no
>        idmap uid = 10000-20000
>        idmap gid = 10000-20000
>        include = /etc/samba/dhcp.conf
>
> The contents of /etc/krb5.conf
> [libdefaults]
>        default_realm = ALFA-MOVING.SE
>
> [realms]
> ALFA-MOVING.SE = {
>        kdc = 192.168.10.10
>        kpasswd_server = 192.168.10.10
> }
>
> [logging]
>        default = SYSLOG:NOTICE:DAEMON
>        kdc = FILE:/var/log/kdc.log
>        kadmind = FILE:/var/log/kadmind.log
>
> [appdefaults]
> pam = {
>        ticket_lifetime = 7d
>        renew_lifetime = 7d
>        forwardable = true
>        proxiable = false
>        retain_after_close = false
>        minimum_uid = 0
>        debug = false
> }
>
> The contents of /etc/nsswitch.conf
> passwd: compat winbind
> group:  compat winbind
>
> hosts:  files dns wins
> networks:       files dns
>
> services:       files
> protocols:      files :
> rpc:    files
> ethers: files
> netmasks:       files
> netgroup:       files
> publickey:      files
>
> bootparams:     files
> automount:      files nis
> aliases:        files
>
>
> Thank you very much in advance
> Roland Carlsson

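The quoted log.smbd excerpt shows a logon failing with NT_STATUS_NO_SUCH_USER and the same session then being refused on the share as a guest, which is what `map to guest = Bad User` in the posted smb.conf produces for unknown users and why smbclient reports a tree connect failure rather than a logon failure. The following is an added example, not part of the original messages or of Samba itself: a small parser for that log format that pairs each failed logon with the guest-session share denial that follows it. The function names are hypothetical, and the sample is constructed from the lines quoted above.

```python
import re

# Constructed sample: the log.smbd lines quoted in the message, with the
# e-mail line wrapping undone. The last record has no message text.
SAMPLE_LOG = """\
[2005/11/22 11:08:10, 0] auth/auth_util.c:make_server_info_info3(1173)
  make_server_info_info3: pdb_init_sam failed!
[2005/11/22 11:08:10, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password:  Authentication for user [roca1] -> [roca1] FAILED with error NT_STATUS_NO_SUCH_USER
[2005/11/22 11:08:10, 2] smbd/service.c:make_connection_snum(311)
  guest user (from session setup) not permitted to access this share (gemensam)
[2005/11/22 11:08:10, 2] smbd/server.c:exit_server(612)
"""

# Header: [date time, debuglevel] source_file:function(line)
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] (\S+):(\w+)\((\d+)\)$")
AUTH_FAIL = re.compile(
    r"Authentication for user \[(.*?)\] -> \[(.*?)\] FAILED with error (NT_STATUS_\w+)")
GUEST_DENY = re.compile(
    r"guest user \(from session setup\) not permitted to access this share \((.*?)\)")

def parse_records(text):
    """Group each header line with the indented message lines that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            ts, level, src, func, _ = m.groups()
            records.append({"time": ts, "level": int(level), "func": func, "msg": ""})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def guest_fallbacks(records):
    """Pair a failed logon with the next guest-session share denial.
    Assumes the records come from one smbd connection, as in the sample."""
    findings, pending = [], None
    for rec in records:
        fail, deny = AUTH_FAIL.search(rec["msg"]), GUEST_DENY.search(rec["msg"])
        if fail:
            pending = {"user": fail.group(1), "status": fail.group(3), "time": rec["time"]}
        elif deny and pending:
            findings.append({**pending, "share": deny.group(1)})
            pending = None
    return findings

if __name__ == "__main__":
    for f in guest_fallbacks(parse_records(SAMPLE_LOG)):
        print(f"{f['time']} {f['user']}: {f['status']}, then guest denied on {f['share']}")
```
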