[Samba] Failed to verify incoming ticket! When clients use netbios names only!

m.bland m.bland at momac.net
Wed Apr 4 14:48:11 GMT 2007

    I have set up our samba box in 'ADS' mode; the problem I have is that clients
connecting to the server cannot do so using its netbios name. Only when
they use the IP address of the machine are they able to be authenticated and
browse the box.
When clients connect via the netbios name, this message appears in my
samba logs with the IP of the connecting client:
    "smbd/sesssetup.c:reply_spnego_kerberos(173) Failed to verify incoming
ticket!"
Additionally, if a client connects successfully via the IP of the samba
server, the log file is named after the client's netbios name rather than their
    eg machinenetbiosname.log will contain
    [2007/04/04 15:13:00, 1] smbd/service.c:make_connection_snum(642)
  netbiosnameofmachine ( signed connect to service data
initially as user DOMAIN+gorby (uid=10002, gid=10004) (pid 4329)
Can someone tell me what's happening here? ;)
thor:/var/log/samba# cat /etc/samba/smb.conf
winbind use default domain = yes
winbind separator = +
client use spnego = yes
use spnego = yes
server signing = auto
client signing = auto
netbios name = THOR
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
workgroup = DOMAIN
server string = Thor
security = ads
hosts allow = 192.168.16.
load printers = no
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
password server = SERVER01
encrypt passwords = yes
realm = DOMAIN
passdb backend = tdbsam
local master = no
domain master = no
wins support = no
wins server =
dns proxy = no
hostname lookups = yes
name resolve order = lmhosts host wins dns bcast
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        comment = 
        path = /data
        Valid Users = +DOMAIN+"domain users"
        writeable = yes
        browseable = yes
        comment = FTP area
        path = /data/ftp
        Valid Users = +DOMAIN+"domain users"
        writeable = yes
        browseable = yes
wbinfo -u works!
wbinfo -g works
passwd:     files winbind
shadow:     files winbind
group:      files winbind
#hosts:     db files nisplus nis dns
hosts:      files winbind
# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files winbind
rpc:        files
services:   files winbind
netgroup:   files winbind
publickey:  nisplus
automount:  files winbind
aliases:    files nisplus

cat /etc/resolv.conf

nameserver (also the PDC)

thor:/var/log/samba# cat /etc/hosts
localhost.localdomain   localhost
thor.DOMAIN.NAME      thor
server01.DOMAIN.NAME  server01

thor:/var/log/samba# kinit administrator@DOMAIN.NAME
administrator@DOMAIN.NAME's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
thor:/var/log/samba# cat /etc/krb5.conf
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 default_realm = DOMAIN.NAME
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes
 krb4_get_tickets = false
  kdc = server01:88
 .server01 = DOMAIN.NAME
 server01 = DOMAIN.NAME
 profile = /var/lib/heimdal-kdc/kdc.conf
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
