[Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2
Dirk Jakobsmeier
dirk.jakobsmeier at wige.com
Mon Oct 12 23:03:47 MDT 2009
Hello Mark,
On Monday, 12 October 2009 16:56:35, Bober, Mark wrote:
> Here's some things from log level 99:
>
> [2009/10/12 09:43:53, 10] lib/util.c:2626(name_to_fqdn)
> name_to_fqdn: lookup for HOSTNAME -> hostname.domain.wustl.edu.
> [2009/10/12 09:43:53, 10]
> libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
> ads_keytab_verify_ticket:
> krb5_rd_req_return_keyblock_from_keytab(host/hostname.domain.wustl.edu at DOMAIN.WUSTL.EDU)
> failed: Wrong principal in request
> [2009/10/12 09:43:53, 10]
> libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
> ads_keytab_verify_ticket:
> krb5_rd_req_return_keyblock_from_keytab(host/hostname at DOMAIN.WUSTL.EDU)
> failed: Wrong principal in request
> [2009/10/12 09:43:53, 3]
> libads/kerberos_verify.c:266(ads_keytab_verify_ticket)
> ads_keytab_verify_ticket: krb5_rd_req failed for all 12 matched keytab
> principals
> [2009/10/12 09:43:53, 3]
> libads/kerberos_verify.c:567(ads_verify_ticket)
> ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in
> request)
> [2009/10/12 09:43:53, 10]
> libads/kerberos_verify.c:576(ads_verify_ticket)
> ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE
I've found several pieces of information about "wrong principal in request" errors
pointing to a name resolution problem. Can you check DNS, /etc/hosts ...?
>
> I cut some of that out - it tried each name 6 times, hence the 12?
> Looking at the system keytab, and the computer account in AD, everything
> seems to match. FWIW, if I leave the domain and come back specifying the
> remaining 2003 server as the password server, this all looks the same
> and seems to work....
>
> How much does capitalization matter? ADSIEDIT shows the
> ServicePrincipalNames as
>
> HOST/hostname.domain.wustl.edu
> HOST/HOSTNAME
>
> Where the keytab is:
>
> host/hostname.domain.wustl.edu
> host/hostname
>
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org
> [mailto:samba-bounces at lists.samba.org] On Behalf Of Dirk Jakobsmeier
> Sent: Thursday, October 08, 2009 10:57 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2
>
> Hello Mark,
>
> On Thursday, 08 October 2009 16:03:13, Bober, Mark wrote:
> > Hello! I'm having an odd issue between Samba and Win2k8R2. We updated
> > one of our domain controllers to 2k8R2, and as such are working in a
> > 2003-level AD environment. If I force the 'password server' to the 2003
> > DC, then everything works fine, only working against the 2008 box has
> > issues.
>
> We have several issues here depending on one of our servers (2008). E.g.
> domain names (username at domainname) have to be written in capital letters
> when connecting to shares...
>
> > \\128.252.123.123\sharename
> >
> > And it works as expected - my clients are in the same domain, no
> > password is asked for, etc.
> >
> > Using any form of the hostname in the URI, either \\hostname\sharename
> > or \\hostname.domain.name\sharename in the URI will continually
> > prompt for a password. Using 'smbclient' with the names in the URI on
> > the Samba box itself works fine.
> >
> >
> > log level = 1
>
> Did you try to set this to a higher level (and restart samba)? I always
> use 99 so I get large logfiles with nearly all the information I need. The
> client log (log.clienthostname or log.clientip) could be interesting.
>
--
With kind regards
Dirk Jakobsmeier / System Administration
WIGE Konstruktionen GmbH & Co. KG
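
One way to carry out the /etc/hosts part of the name resolution check suggested in the reply above, as an added example that is not part of the original thread: it finds the canonical name a hosts file gives for the server's short name and compares the resulting host/ principal with the keytab entries. The host names, address, realm and keytab list are constructed sample values, and the function names are hypothetical.

```python
# Constructed sample data (not from the thread): a hosts file and the host
# principals of the system keytab, e.g. as listed by `klist -k`.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# short name listed first, so it becomes the canonical name
192.0.2.10  fileserver fileserver.example.org
"""
SAMPLE_KEYTAB = [
    "host/fileserver.example.org@EXAMPLE.ORG",
    "host/fileserver@EXAMPLE.ORG",
]


def canonical_name(hosts_text, hostname):
    """Return the canonical name the hosts file gives for hostname, or None.

    The first name after the address is canonical; later names are aliases.
    """
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        names = fields[1:]                      # everything after the address
        if hostname.lower() in (n.lower() for n in names):
            return names[0]
    return None


def check(hosts_text, hostname, realm, keytab):
    """Return a list of findings; an empty list means hosts file and keytab agree."""
    canon = canonical_name(hosts_text, hostname)
    if canon is None:
        return [f"{hostname}: not in hosts file, check DNS instead"]
    findings = []
    if "." not in canon:
        findings.append(f"{hostname}: canonical name '{canon}' is not fully qualified")
    expected = f"host/{canon.lower()}@{realm}"
    if expected not in keytab:
        findings.append(f"{expected}: no exact keytab entry")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_HOSTS, "fileserver", "EXAMPLE.ORG", SAMPLE_KEYTAB):
        print(finding)
```
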