smbclient -k //debian5/sharedir can not work with a trusted domain user
jinyunshuai
jinyunshuai at 126.com
Tue Jun 21 20:21:44 MDT 2011
Thanks very much for reply !
according to Andrew Bartlett's reply
I additionally add 'client use spengo principal=true' (I original have set 'realm = SAMBA1.TEST') in smb.conf file
it can work well.
Thanks again!
At 2011-06-22 06:48:26,"Andrew Bartlett" <abartlet at samba.org> wrote:
>On Tue, 2011-06-21 at 22:40 +0800, jinyunshuai wrote:
>> Hi ,
>>
>> I have a problem:
>> I have two domains which trusted each other(samba1.test, samba2.test)
>> 1) the samba server(host name is debian5) joined to samba1, and login with samba2's user.
>> successful
>> 2)run "smbclient -k //debian5/sharedir " , it is failed and get follows error message:
>> ads_krb5_mk_req: smb_krb5_get_credentials failed forcifs/debian5 at SAMBA2.TEST (Server not found in Kerberos database)
>> cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Server not found in Kerberos database
>> session setup failed: SUCCESS - 0
>> I have tested on samba-3.5.8 with above steps, that did not have this issue.
>> is it an intentional change? or new bug?
>
>The change here was intentional, but we certainly did not fully
>anticipate the variety of different Kerberos configurations that Samba
>would be deployed into. It was not our intention to break working
>setups with a 3.5 change.
>
>In your situation, we need to give Samba and Kerberos a clue as to what
>host is in what realm.
>
>There are three ways that the 3.5.9 codebase will use to determine this:
> - use a fully qualified name (where the DNS domain matches the realm,
>either directly or via the krb5.conf mapping)
> - set 'realm' in your smb.conf
> - set 'client use spnego principal = true' to again trust the clue from
>the remote host.
>
>Any of these should fix the issue for you.
>
>We do apologise for the inconvenience,
>
>Andrew Bartlett
>--
>Andrew Bartlett http://samba.org/~abartlet/
>Authentication Developer, Samba Team http://samba.org
>
>
More information about the samba-technical
mailing list