[Samba] Samba, Solaris, Windows 2008 - Kerberos Guess Realm Wrong?

Paul Sobey buddha at the-annexe.net
Wed Nov 12 09:59:05 GMT 2008


On Wed, 5 Nov 2008, Paul Sobey wrote:

> I've just built Samba 3.2.4 on Solaris 10, with ADS support. Domain join to a 
> Windows 2008 domain works perfectly, having pre-created the servername in the 
> appropriate OU.
>
> In my winbind logs, I see the following (domain name obfuscated):
> [2008/11/05 11:28:06,  2] libsmb/cliconnect.c:cli_session_setup_kerberos(619)
>  Doing kerberos session setup
>
> [2008/11/05 11:28:06,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
>  ads_krb5_mk_req: krb5_get_credentials failed for server$@FOO (Cannot 
> resolve network address for KDC in requested realm)
>
> [2008/11/05 11:28:06,  1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
>  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve 
> network address for KDC in requested realm
>
> The realm is guessed wrongly - only the short name of the domain, rather than 
> the fully qualified realm name, as specified in krb5.conf.
>
> My AD full name is foo.bar.com, short name FOO. My question is - when 
> guessing the principal for the target DC, why does Samba guess 'FOO', rather 
> than 'FOO.BAR.COM'? I have a Linux machine joined to the same domain running 
> 3.0.28 which correctly guesses the realm.

Not sure whether this helps diagnose, but I just upgraded my Linux desktop 
to Samba 3.2.4 and now get exactly the same error - winbind is refusing to 
authenticate me at all. In my pam.conf I have krb5_auth set to try and 
make winbind authenticate me via Kerberos.

How can I troubleshoot this? It seems Samba 3.2.4 gets the Kerberos realm 
wrong when authenticating against Windows 2008. I thought it was a 
Solaris issue before but it seems to be OS independent. Is anybody else 
seeing it?

Cheers,
Paul
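
One way to check a winbind log for the symptom described in this message, as an added example that is not part of the original post or of Samba: it pulls the realm out of each `krb5_get_credentials failed` line and reports any realm that krb5.conf does not define. The sample log and krb5.conf are constructed from the values in the post; the KDC host name and the function names are assumptions.

```python
import re

# Constructed sample input, modelled on the log lines quoted in the post.
SAMPLE_LOG = """\
[2008/11/05 11:28:06,  2] libsmb/cliconnect.c:cli_session_setup_kerberos(619)
  Doing kerberos session setup
[2008/11/05 11:28:06,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for server$@FOO (Cannot resolve network address for KDC in requested realm)
"""

# Constructed krb5.conf using the realm from the post; the KDC host is a placeholder.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = FOO.BAR.COM
[realms]
    FOO.BAR.COM = {
        kdc = dc1.foo.bar.com
    }
"""

FAILED = re.compile(r"krb5_get_credentials failed for (\S+)@(\S+) \(")

def configured_realms(krb5_conf):
    """Realm names defined under [realms], plus default_realm from [libdefaults]."""
    realms, section = set(), None
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section == "realms" and value.startswith("{"):
            realms.add(key)                   # "REALM = {" opens a realm block
        elif section == "libdefaults" and key == "default_realm":
            realms.add(value)
    return realms

def realm_mismatches(log_text, krb5_conf):
    """List (principal, realm, candidates) for failures whose realm is not in krb5.conf."""
    known = configured_realms(krb5_conf)
    findings = []
    for m in FAILED.finditer(log_text):
        name, realm = m.groups()
        if realm not in known:
            # Heuristic (assumption): the short name is the first label of the full realm.
            likely = sorted(r for r in known if r.split(".")[0] == realm.upper())
            findings.append((f"{name}@{realm}", realm, likely))
    return findings
```

A finding with a non-empty candidate list means the failing request used the short domain name where krb5.conf only knows the fully qualified realm.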


