[Samba] resolve KDC network address error

Daniel Mueller da_mueller at gmx.net
Mon Jun 7 02:31:11 MDT 2010

Hello Samba-List-Users

I have a problem with KDC network name resolution. I tried to google it 
and sought help on IRC#samba, to no avail. So I'll post my problem here.

In the spirit of privacy and normalization all server names in this post 
are replaced. CAPITAL server names are actually capitalized in the 
configuration files.

1x Debian5 x64 server running samba 3.2.5
2x Windows Server 2008R2 domain controllers (Active Directory running in 
native mode)
some Windows7 Clients

here are my configuration files:

smb.conf (global section)
# Global parameters
netbios name = SAMBASERVER01
workgroup = DOMAIN
preferred master = no
server string = Productive Datastore
interfaces = eth0
map to guest = bad user
security = ADS
encrypt passwords = yes
log level = 2
syslog = 2
winbind separator = +
printcap name = /etc/printcap
printing =
load printers = no
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
usershare allow guests = no
hide files = /$RECYCLE.BIN/desktop.ini/
vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rename unlink rmdir pwrite
full_audit:failure = none
#full_audit:facility = LOCAL7
full_audit:priority = NOTICE

krb5.conf
[libdefaults]
         default_realm = DOMAIN.LOCAL

[realms]
         DOMAIN.LOCAL = {
                 # dc01 is FSMO server
                 kdc = dc01.domain.local
                 kdc = dc02.domain.local
                 admin_server = dc01.megasol.local
                 default_domain = domain.local
         }

[domain_realm]
         .domain.local = DOMAIN.LOCAL
         domain.local = DOMAIN.LOCAL

the domain join ran without errors:

SAMBASERVER01:~# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- DOMAIN
Joined 'SAMBASERVER01' to realm 'domain.local'

kinit is content, too:

SAMBASERVER01:~# kinit -V Administrator
Password for Administrator@DOMAIN.LOCAL:
Authenticated to Kerberos v5

I logged into DC01 using the domain administrator account:
I can connect to the samba server; no problems.

I logged into a windows7 client using a domain user:
I can connect to the samba server; no problems.

I logged into a windows7 client using a local admin (no domain login):
I can't connect to the samba server

I use smbclient on SAMBASERVER01:
SAMBASERVER01:~# smbclient //SAMBASERVER01/SHARE -U Administrator
Enter Administrator's password:
session setup failed: NT code 0x00000721

I use smbclient on SAMBASERVER01 again:
SAMBASERVER01:~# smbclient //SAMBASERVER01/IT -U Administrator
Enter Administrator password:
session setup failed: NT_STATUS_PIPE_DISCONNECTED

I use smbclient using Kerberos authentication:
SAMBASERVER01:~# smbclient //SAMBASERVER01/IT -k
OS=[Unix] Server=[Samba 3.2.5]
smb: \>
that works!

the smbd and nmbd logs are clean
but it seems that winbind is struggling:

[2010/06/07 10:17:59,  2] 
   Doing kerberos session setup
[2010/06/07 10:17:59,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
   ads_krb5_mk_req: krb5_get_credentials failed for DC01$@DOMAIN (Cannot resolve network address for KDC in requested realm)
[2010/06/07 10:17:59,  1] 
   cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm
[2010/06/07 10:17:59,  1] winbindd/winbindd_util.c:trustdom_recv(260)
   Could not receive trustdoms

I'm at a loss here... can anyone help? Or point me in the right direction?
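
Added example, not part of the original post: a first check for this error is to compare the realm named in the failing winbind log line with the realms that krb5.conf gives a kdc entry for. The inputs below are constructed from the fragments quoted above (the krb5.conf section headers are assumed), and the function names are hypothetical.

```python
import re

# Constructed inputs: they mirror the krb5.conf fragment and the winbind log
# line quoted in the post; the krb5.conf section headers are assumed.
KRB5_CONF = """\
[libdefaults]
    default_realm = DOMAIN.LOCAL
[realms]
    DOMAIN.LOCAL = {
        kdc = dc01.domain.local
        kdc = dc02.domain.local
    }
[domain_realm]
    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL
"""
WINBIND_LOG = """\
[2010/06/07 10:17:59,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for DC01$@DOMAIN (Cannot resolve network address for KDC in requested realm)
"""

def realms_with_kdc(conf):
    """Return {realm: [kdc, ...]} from the [realms] section of krb5.conf text."""
    realms, section, current = {}, None, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        if line.startswith("["):              # new top-level section
            section, current = line.strip("[]").lower(), None
        elif section == "realms":
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":                  # "REALM = {" opens a realm block
                current = key
                realms[current] = []
            elif line == "}":
                current = None
            elif current and key == "kdc":
                realms[current].append(value)
    return realms

def unresolvable_realms(log, conf):
    """Realms named in failed krb5_get_credentials lines that have no kdc entry."""
    known = realms_with_kdc(conf)
    asked = re.findall(r"krb5_get_credentials failed for \S+@(\S+)", log)
    return sorted({realm for realm in asked if not known.get(realm)})

if __name__ == "__main__":
    print(unresolvable_realms(WINBIND_LOG, KRB5_CONF))
```

With the quoted data this reports DOMAIN: the ticket request in the log uses the short name DOMAIN as the realm, while krb5.conf only lists KDCs for DOMAIN.LOCAL.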



