[Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2

Bober, Mark mark at seas.wustl.edu
Mon Oct 12 08:56:35 MDT 2009

Here's some things from log level 99:

[2009/10/12 09:43:53, 10] lib/util.c:2626(name_to_fqdn)
  name_to_fqdn: lookup for HOSTNAME -> hostname.domain.wustl.edu.
[2009/10/12 09:43:53, 10]
krb5_rd_req_return_keyblock_from_keytab(host/hostname.domain.wustl.edu at D
OMAIN.WUSTL.EDU) failed: Wrong principal in request
 [2009/10/12 09:43:53, 10]
krb5_rd_req_return_keyblock_from_keytab(host/hostname at DOMAIN.WUSTL.EDU)
failed: Wrong principal in request
 [2009/10/12 09:43:53,  3]
  ads_keytab_verify_ticket: krb5_rd_req failed for all 12 matched keytab
[2009/10/12 09:43:53,  3]
  ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in
[2009/10/12 09:43:53, 10]
  ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE

I cut some of that out - it tried each name 6 times, hence the 12?
Looking at the system keytab, and the computer account in AD, everything
seems to match. FWIW, if I leave the domain and come back specifying the
remaining 2003 server as the password server, this all looks the same
and seems to work....

How much does capitalization matter? ADSIEDIT shows the
ServicePrincipalNames as


Where the keytab is:


-----Original Message-----
From: samba-bounces at lists.samba.org
[mailto:samba-bounces at lists.samba.org] On Behalf Of Dirk Jakobsmeier
Sent: Thursday, October 08, 2009 10:57 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2

Hello Mark,

Am Donnerstag 08 Oktober 2009 16:03:13 schrieb Bober, Mark:
> Hello! I'm having an odd issue between Samba and Win2k8R2. We updated
> one of our domain controllers to 2k8R2, and as such are working in a
> 2003-level AD environment. If I force the 'password server' to the
> DC, then everything works fine, only working against the 2008 box has
> issues.

we have several issues here depending on one of our servers (2008). E.g.

domainnames (username at domainname) has to be written in capital lettres
connecting to shares...

> \\\sharename <file:///\\\sharename>
> And it works as expected - my clients are in the same domain, no
> password is asked for, etc.
> Using any form of the hostname in the URI, either \\hostname\sharename
> <file:///\\hostname\sharename>  or \\hostname.domain.name\sharename
> <file:///\\hostname.domain.name\sharename>  in the URI will
> prompt for a password.  Using 'smbclient' with the names in the URI on
> the Samba box itself works fine.

> log level = 1

did you try to set this to a higher level (and restart samba)? I always
use 99 
so i get large logfiles with nearly all informations i need. The
(log.clienthostname or log.clientip) could be interresting.


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list