[Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2
Bober, Mark
mark at seas.wustl.edu
Tue Oct 13 12:46:48 MDT 2009
DNS, /etc/hosts, all that is correct, on the Samba box, the client, and the 2008 AD server.
It still works perfectly if you use \\128.252.x.x in the URI instead of the name.
What is the functional difference between accessing a URI via IP rather than the hostname or FQDN?
Mark
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Dirk Jakobsmeier
Sent: Tuesday, October 13, 2009 12:04 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2
Hello Mark,
On Monday, 12 October 2009 16:56:35, Bober, Mark wrote:
> Here's some things from log level 99:
>
> [2009/10/12 09:43:53, 10] lib/util.c:2626(name_to_fqdn)
> name_to_fqdn: lookup for HOSTNAME -> hostname.domain.wustl.edu.
> [2009/10/12 09:43:53, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
> ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/hostname.domain.wustl.edu at DOMAIN.WUSTL.EDU) failed: Wrong principal in request
> [2009/10/12 09:43:53, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
> ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/hostname at DOMAIN.WUSTL.EDU) failed: Wrong principal in request
> [2009/10/12 09:43:53, 3] libads/kerberos_verify.c:266(ads_keytab_verify_ticket)
> ads_keytab_verify_ticket: krb5_rd_req failed for all 12 matched keytab principals
> [2009/10/12 09:43:53, 3] libads/kerberos_verify.c:567(ads_verify_ticket)
> ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in request)
> [2009/10/12 09:43:53, 10] libads/kerberos_verify.c:576(ads_verify_ticket)
> ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE
I've found several pieces of information about "wrong principal in request" errors
pointing to a name resolution problem. Can you check DNS, /etc/hosts ...?
>
> I cut some of that out - it tried each name 6 times, hence the 12?
> Looking at the system keytab, and the computer account in AD, everything
> seems to match. FWIW, if I leave the domain and come back specifying the
> remaining 2003 server as the password server, this all looks the same
> and seems to work....
>
> How much does capitalization matter? ADSIEDIT shows the
> ServicePrincipalNames as
>
> HOST/hostname.domain.wustl.edu
> HOST/HOSTNAME
>
> Where the keytab is:
>
> host/hostname.domain.wustl.edu
> host/hostname
>
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org
> [mailto:samba-bounces at lists.samba.org] On Behalf Of Dirk Jakobsmeier
> Sent: Thursday, October 08, 2009 10:57 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2
>
> Hello Mark,
>
> On Thursday, 08 October 2009 16:03:13, Bober, Mark wrote:
> > Hello! I'm having an odd issue between Samba and Win2k8R2. We updated
> > one of our domain controllers to 2k8R2, and as such are working in a
> > 2003-level AD environment. If I force the 'password server' to the 2003
> > DC, then everything works fine, only working against the 2008 box has
> > issues.
>
> We have several issues here depending on one of our servers (2008). E.g.
> domain names (username at domainname) have to be written in capital letters
> when connecting to shares...
>
> > \\128.252.123.123\sharename
> >
> > And it works as expected - my clients are in the same domain, no
> > password is asked for, etc.
> >
> > Using any form of the hostname in the URI, either \\hostname\sharename
> > or \\hostname.domain.name\sharename in the URI will continually
> > prompt for a password. Using 'smbclient' with the names in the URI on
> > the Samba box itself works fine.
> >
> >
> > log level = 1
>
> Did you try to set this to a higher level (and restart Samba)? I always
> use 99, so I get large logfiles with nearly all the information I need. The
> client log (log.clienthostname or log.clientip) could be interesting.
>
--
Kind regards
Dirk Jakobsmeier / System Administration
WIGE Konstruktionen GmbH & Co. KG
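Added example, not part of the original thread and not Samba code: a Python parser that groups the `ads_keytab_verify_ticket` debug entries quoted above into the keytab principals that were rejected and the final NT status, and lists which of the ADSIEDIT and keytab names given in the thread differ only in case. The sample log is constructed from the quoted excerpt, assuming the archive's " at " stands for "@"; all function and variable names are hypothetical.

```python
import re
# Constructed sample: the log excerpt quoted in this thread, unwrapped, with the
# archive's " at " written as "@" (an assumption about the original log text).
SAMPLE_LOG = """\
[2009/10/12 09:43:53, 10] lib/util.c:2626(name_to_fqdn)
  name_to_fqdn: lookup for HOSTNAME -> hostname.domain.wustl.edu.
[2009/10/12 09:43:53, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/hostname.domain.wustl.edu@DOMAIN.WUSTL.EDU) failed: Wrong principal in request
[2009/10/12 09:43:53, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/hostname@DOMAIN.WUSTL.EDU) failed: Wrong principal in request
[2009/10/12 09:43:53, 3] libads/kerberos_verify.c:266(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req failed for all 12 matched keytab principals
[2009/10/12 09:43:53, 10] libads/kerberos_verify.c:576(ads_verify_ticket)
  ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE
"""
# Names as listed in the thread (ADSIEDIT view vs. system keytab).
AD_SPNS = ["HOST/hostname.domain.wustl.edu", "HOST/HOSTNAME"]
KEYTAB = ["host/hostname.domain.wustl.edu", "host/hostname"]

HEADER = re.compile(r"^\[[\d/]+ [\d:]+,\s*(\d+)\]\s+\S+:\d+\((\w+)\)$")
KEYTAB_FAIL = re.compile(r"_from_keytab\(([^)]+)\) failed: (.+)$")
NT_STATUS = re.compile(r"returning error (NT_STATUS_\w+)")

def parse_entries(text):
    """Group each header line with its (possibly wrapped) message lines."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            entries.append({"level": int(m.group(1)), "func": m.group(2), "msg": ""})
        elif entries and line:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def summarize(text):
    """Return ({rejected principal: reason}, final NT status or None)."""
    failed, status = {}, None
    for e in parse_entries(text):
        if (m := KEYTAB_FAIL.search(e["msg"])):
            failed[m.group(1)] = m.group(2)
        if (m := NT_STATUS.search(e["msg"])):
            status = m.group(1)
    return failed, status

def case_only_differences(spns, keytab):
    """Pairs that are equal ignoring case but not character-for-character."""
    return [(s, k) for s in spns for k in keytab if s.lower() == k.lower() and s != k]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG), case_only_differences(AD_SPNS, KEYTAB))
```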