[Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2

Dirk Jakobsmeier dirk.jakobsmeier at wige.com
Mon Oct 12 23:03:47 MDT 2009


Hello Mark,

On Monday 12 October 2009 16:56:35, Bober, Mark wrote:
> Here's some things from log level 99:
> 
> [2009/10/12 09:43:53, 10] lib/util.c:2626(name_to_fqdn)
>   name_to_fqdn: lookup for HOSTNAME -> hostname.domain.wustl.edu.
> [2009/10/12 09:43:53, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
>   ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/hostname.domain.wustl.edu@DOMAIN.WUSTL.EDU) failed: Wrong principal in request
> [2009/10/12 09:43:53, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
>   ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/hostname@DOMAIN.WUSTL.EDU) failed: Wrong principal in request
> [2009/10/12 09:43:53,  3] libads/kerberos_verify.c:266(ads_keytab_verify_ticket)
>   ads_keytab_verify_ticket: krb5_rd_req failed for all 12 matched keytab principals
> [2009/10/12 09:43:53,  3] libads/kerberos_verify.c:567(ads_verify_ticket)
>   ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in request)
> [2009/10/12 09:43:53, 10] libads/kerberos_verify.c:576(ads_verify_ticket)
>   ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE

I've found several pieces of information about "wrong principal in request"
errors pointing to a name resolution problem. Can you check DNS, /etc/hosts ...?

> 
> I cut some of that out - it tried each name 6 times, hence the 12?
> Looking at the system keytab, and the computer account in AD, everything
> seems to match. FWIW, if I leave the domain and come back specifying the
> remaining 2003 server as the password server, this all looks the same
> and seems to work....
> 
> How much does capitalization matter? ADSIEDIT shows the
> ServicePrincipalNames as
> 
> HOST/hostname.domain.wustl.edu
> HOST/HOSTNAME
> 
> Where the keytab is:
> 
> host/hostname.domain.wustl.edu
> host/hostname
> 
> 
> -----Original Message-----
> From: samba-bounces at lists.samba.org
> [mailto:samba-bounces at lists.samba.org] On Behalf Of Dirk Jakobsmeier
> Sent: Thursday, October 08, 2009 10:57 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2
> 
> Hello Mark,
> 
> On Thursday 08 October 2009 16:03:13, Bober, Mark wrote:
> > Hello! I'm having an odd issue between Samba and Win2k8R2. We updated
> > one of our domain controllers to 2k8R2, and as such are working in a
> > 2003-level AD environment. If I force the 'password server' to the 2003
> > DC, then everything works fine, only working against the 2008 box has
> > issues.
> 
> We have several issues here depending on one of our servers (2008). E.g.
> domain names (username at domainname) have to be written in capital letters
> when connecting to shares...
> 
> > \\128.252.123.123\sharename
> >
> > And it works as expected - my clients are in the same domain, no
> > password is asked for, etc.
> >
> > Using any form of the hostname in the URI, either \\hostname\sharename
> > or \\hostname.domain.name\sharename in the URI will continually
> > prompt for a password.  Using 'smbclient' with the names in the URI on
> > the Samba box itself works fine.
> >
> >
> > log level = 1
> 
> Did you try to set this to a higher level (and restart Samba)? I always
> use 99 so I get large logfiles with nearly all the information I need. The
> client log (log.clienthostname or log.clientip) could be interesting.
> 

-- 

Kind regards

Dirk Jakobsmeier / System Administration
WIGE Konstruktionen GmbH & Co. KG
Registered office: Ravensburg
Ravensburg District Court, HRA No. 1493
Schwanenstrasse 4, 88214 Ravensburg
Tel: 0751 / 36609 - 29
Fax: 0751 / 36609 - 66

Personally liable partner:
WIGE Konstruktionen Verwaltungsgesellschaft mbH
Ravensburg District Court, HRB No. 2534
Managing directors: Eduard, Thomas & Jochen Geschwentner

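
One way to act on the name-resolution suggestion in this message, as an added example that is not part of the original thread or of Samba: it pulls the failed principals out of the level 10 log lines and compares forward and reverse lookups for the short name and the FQDN. The function names, the address 10.0.0.5, the resolver stubs and the rule that the reverse name must equal the FQDN are assumptions of the example.

```python
import re
import socket

# Failure line logged by ads_keytab_verify_ticket at debug level 10.
FAIL_RE = re.compile(r"from_keytab\((?P<princ>[^)\s]+)\)\s+failed:\s+(?P<why>.+)")

def failed_principals(log_text):
    """Return {principal: reason} for every keytab principal that failed."""
    return {m["princ"]: m["why"].strip() for m in FAIL_RE.finditer(log_text)}

# Default lookups go through the local resolver (DNS and /etc/hosts).
def system_forward(name):
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})

def system_reverse(addr):
    return socket.gethostbyaddr(addr)[0]

def resolution_problems(short, fqdn, forward=system_forward, reverse=system_reverse):
    """Compare short-name, FQDN and reverse lookups; return a list of findings."""
    problems, addrs = [], {}
    for name in (short, fqdn):
        try:
            addrs[name] = forward(name)
        except OSError as exc:
            problems.append(f"{name}: forward lookup failed ({exc})")
    if len(addrs) == 2 and addrs[short] != addrs[fqdn]:
        problems.append(f"{short} -> {addrs[short]} but {fqdn} -> {addrs[fqdn]}")
    for addr in sorted({a for found in addrs.values() for a in found}):
        try:
            back = reverse(addr)
        except OSError as exc:
            problems.append(f"{addr}: reverse lookup failed ({exc})")
            continue
        # Assumption of this example: the reverse name should be the FQDN.
        if back.rstrip(".").lower() != fqdn.lower():
            problems.append(f"{addr} reverses to {back}, expected {fqdn}")
    return problems

# Constructed sample in the shape of the log lines quoted in the message.
SAMPLE_LOG = """\
[2009/10/12 09:43:53, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/hostname.domain.wustl.edu@DOMAIN.WUSTL.EDU) failed: Wrong principal in request
[2009/10/12 09:43:53, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/hostname@DOMAIN.WUSTL.EDU) failed: Wrong principal in request
"""

if __name__ == "__main__":
    print(failed_principals(SAMPLE_LOG))
    print(resolution_problems("hostname", "hostname.domain.wustl.edu",
                              lambda n: ["10.0.0.5"], lambda a: "hostname"))  # constructed stubs
```

Called without the two stub arguments, `resolution_problems` queries the resolver of the machine it runs on, so run it on the Samba host to see what that host resolves.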

