[Samba] Logon Failure: The target account name is incorrect

[Todd Stecher]

On Thu, 2006-02-23 at 13:16 -0800, Richard Verdugo wrote:
> Hi,
> I'm using FC3 with samba 3.0 trying to be part of a Windows 2000 AD.
> When I try to access a samba share it gives me: Logon Failure: The target
> account name is incorrect
> 

This error happens when the target server cannot decrypt the service
ticket presented to it.


> 
> The Active Directory domain for our small inhouse private network is
> MBB.COM, we have our own nameservers that list the samba server in our
> company domain, which is epublishers.com. So to reach the samba server we
> would go to sambaserver.epublishers.com for example.
> 
> Does this look right, or is it possible that the 2 different domain names
> are somehow causing a conflict?
> 

In most cases, this is because you have a server in the client's realm
with a servicePrincipalName attribute (e.g. host/server) matching that
of the "true" destination service in another realm.

When the client asks for a service ticket to host/server, they end up
with a service ticket to the service account in the client realm, not
the remote realm.  See the kerberos troubleshooting whitepaper at
http://www.microsoft.com/kerberos for more details on this error, and
how to remedy it.

Generically speaking, this can be solved by either:

1) accessing the remote server by its FQDN (e.g. net use * \
\server.sambaserver.epublishers.com) (I'm assuming you're accessing the
service via the NETBIOS name).

2) Checking for a matching service account in the client realm, and
deleting it (or renaming it).



> thank you.