[Samba] Cannot authenticate the administrator account

Mike 1100100 at gmail.com
Wed Apr 29 14:39:50 MDT 2015


I definitely don't want to vex you.  You've been very generous with your
If I can't get it right using Andrey's provisioning example, I'll reach out
for some commercial samba support.

Best regards,


On Wed, Apr 29, 2015 at 4:24 PM, Rowland Penny <rowlandpenny at googlemail.com>

> On 29/04/15 20:37, Sketch wrote:
>> On Wed, 29 Apr 2015, Andrey Repin wrote:
>>  Greetings, Sketch!
>>>  workgroup = INTERNAL
>>>>> realm = EXAMPLE.COM
>>>>> netbios name = SAMBA
>>>  Looks that way to me.  Your realm should include the workgroup name:
>>> Nothing is "SHOULD" as long as the settings follow basic requirements
>>> (single-label NETBIOS domain name, resolvable REALM name).
>>> I.e. I have domains provisioned with "ADS.<netbios domain name>.<tld>"
>>> All works fine, given correct DNS configuration.
>> Netbios name is basically irrelevant here.  Do you mean that the realm
>> name does not have to match the workgroup name?
> I don't know how I can say this plainer, the only thing that has to match
> is the realm name and the dns domain name, if your dns domain name is '
> internal.example.com' then your kerberos realm must be '
> The netbios domain name (also known as workgroup name), can be *anything*
> you like, but it is usually the lefthand hand part of the dns domain name,
> 'INTERNAL' from the given example, but you could use 'BUTTERCUP' or 'MOON'
> or *ANYTHING* else, just as long as it is a single word, of not more than
> 15 characters.
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list