[Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS
Jonathan Petersson
jpetersson at garnser.se
Wed Sep 23 12:04:00 MDT 2009
Hi all,

I've been working on getting Samba to authenticate via ADS for the
past few weeks with some lack of success. I had somewhat of a
breakthrough the other day realizing that the problem was related to
the Kerberos authentication between Samba and the Win 2008 R2 AD
server. Trying to fix this I generated a keytab with ktpass which I
uploaded to the server.

I've been successful in joining the server to the domain, wbinfo and
kinit respond as one wants them to, but upon samba and winbind
starting I'm seeing the following in the logs, which I'm guessing is
the cause for me being unable to authenticate any users:

log.wb-PRESIDIO
  ads_krb5_mk_req: krb5_get_credentials failed for pdc$@PRESIDIO (Cannot find KDC for requested realm)
[2009/09/23 10:54:31, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot find KDC for requested realm
[2009/09/23 10:54:31, 0] rpc_client/cli_pipe.c:cli_pipe_verify_schannel(494)
  cli_pipe_verify_schannel: auth_len 56.

log.winbindd
[2009/09/23 10:54:30, 0] winbindd/winbindd_cache.c:initialize_winbindd_cache(2577)
  initialize_winbindd_cache: clearing cache and re-creating with version number 1
[2009/09/23 10:54:31, 1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
  ads_krb5_mk_req: krb5_get_credentials failed for pdc$@PRESIDIO (Cannot find KDC for requested realm)
[2009/09/23 10:54:31, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot find KDC for requested realm
[2009/09/23 10:54:31, 1] winbindd/winbindd_util.c:trustdom_recv(303)
  Could not receive trustdoms

As it seems the server tries to authenticate as pdc$ rather than
presidio3$ which is the hostname of the server and the name it's
registered as. What could the cause of this be?

smb.conf:
workgroup = PRESIDIO
password server = pdc.domain.com
realm = DOMAIN.COM
security = ads
idmap uid = 8000-33554431
idmap gid = 8000-33554431
winbind separator = +
template shell = /bin/bash
winbind use default domain = yes
winbind offline logon = false
...
server string = presidio3
netbios name = presidio3

Please advise.

Thanks
/Jonathan