[Samba] Samba, Solaris, Windows 2008 - Kerberos Guess Realm Wrong?

Paul Sobey buddha at the-annexe.net
Wed Nov 5 12:58:48 GMT 2008

I've just built Samba 3.2.4 on Solaris 10, with ADS support. Domain join 
to a Windows 2008 domain works perfectly, having pre-created the 
servername in the appropriate OU.

In my winbind logs, I see the following (domain name obfuscated):

[2008/11/05 11:28:06,  3] 
   got principal=not_defined_in_RFC4178 at please_ignore

[2008/11/05 11:28:06,  3] 
   cli_session_setup_spnego: got a bad server principal, trying to guess 

[2008/11/05 11:28:06,  3] 
   cli_session_setup_spnego: guessed server principal=server$@FOO

[2008/11/05 11:28:06,  2] 
   Doing kerberos session setup

[2008/11/05 11:28:06,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
   ads_krb5_mk_req: krb5_get_credentials failed for server$@FOO (Cannot 
resolve network address for KDC in requested realm)

[2008/11/05 11:28:06,  1] 
   cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot 
resolve network address for KDC in requested realm

The realm is guessed wrongly - only the short name of the domain, rather 
than the fully qualified realm name, as specified in krb5.conf.

My AD full name is foo.bar.com, short name FOO. My question is - when 
guessing the principal for the target DC, why does Samba guess 'FOO', 
rather than 'FOO.BAR.COM'? I have a Linux machine joined to the same 
domain running 3.0.28 which correctly guesses the realm.

[2008/11/05 08:48:44, 3] libsmb/cliconnect.c:cli_session_setup_spnego(828)
   got principal=not_defined_in_RFC4178 at please_ignore
[2008/11/05 08:48:44, 3] libsmb/cliconnect.c:cli_session_setup_spnego(880)
   cli_session_setup_spnego: got a bad server principal, trying to guess 
[2008/11/05 08:48:44, 3] libsmb/cliconnect.c:cli_session_setup_spnego(903)
   cli_session_setup_spnego: guessed server 

Relevant pieces from smb.conf:

realm = FOO.BAR.COM
workgroup = FOO
winbind separator = +
winbind use default domain = yes
idmap backend = ad
winbind nss info = rfc2307
use kerberos keytab = yes
client lanman auth = no
client ntlmv2 auth = yes
idmap uid = 10000-15000
idmap gid = 5000-6000
winbind refresh tickets = yes

As far as I can tell, name resolution etc. is correct on both machines. 
Net ads status returns proper (fqdn) names, and klist -k shows fully 
qualified principals populated into the keytab file by net ads join. I 
should add that wbinfo -u returns the correct users, as does getent passwd 
(with uids, gids, etc. as expected). My concern is that because Kerberos 
negotiation is apprently failing, winbind is failing back to ntlm methods 
of authentication, which I'd rather avoid. If the error message I'm seeing 
is benign and I should ignore, let me know.


More information about the samba mailing list