[Samba] Samba, Solaris, Windows 2008 - Kerberos Guess Realm Wrong?

Paul Sobey buddha at the-annexe.net
Wed Nov 12 09:59:05 GMT 2008

On Wed, 5 Nov 2008, Paul Sobey wrote:

> I've just built Samba 3.2.4 on Solaris 10, with ADS support. Domain join to a 
> Windows 2008 domain works perfectly, having pre-created the servername in the 
> appropriate OU.
> In my winbind logs, I see the following (domain name obfuscated):
> [2008/11/05 11:28:06,  2] libsmb/cliconnect.c:cli_session_setup_kerberos(619)
>  Doing kerberos session setup
> [2008/11/05 11:28:06,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
>  ads_krb5_mk_req: krb5_get_credentials failed for server$@FOO (Cannot 
> resolve network address for KDC in requested realm)
> [2008/11/05 11:28:06,  1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
>  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve 
> network address for KDC in requested realm
> The realm is guessed wrongly - only the short name of the domain, rather than 
> the fully qualified realm name, as specified in krb5.conf.
> My AD full name is foo.bar.com, short name FOO. My question is - when 
> guessing the principal for the target DC, why does Samba guess 'FOO', rather 
> than 'FOO.BAR.COM'? I have a Linux machine joined to the same domain running 
> 3.0.28 which correctly guesses the realm.

Not sure whether this helps diagnose, but I just upgraded my Linux desktop 
to Samba 3.2.4 and now get exactly the same error - winbind is refusing to 
authenticate me at all. In my pam.conf I have krb5_auth set to try and 
make winbind authenticate my via kerberos.

How can I troubleshoot this? It seems Samba 3.2.4 gets the Kerberos realm 
wrong when authenticating against Windows 2008. I thought it was a 
Solaris issue before but it seems to be OS independent. Is anybody else 
seeing it?


More information about the samba mailing list