Hello,

This problem was also here on 3.0.6. I tried to update, without success.

I started two weeks ago mounting a 3.0.6 Samba box on an updated Red Hat 9 distribution. Everything in the compile (under 3.06) works fine. I used the --with-ads --with-ldap --with-acl.. --with-pam --with-winbind --with-smbmount flags to compile. I followed the official guide for this purpose.

The net ads join -U is OK. The net ads testjoin is OK. All the Kerberos authentication is working (I can log in with AD authentication on my Linux box through winbind). wbinfo -u and wbinfo -g return the good things. Same for getent. Same for kinit.

My AD servers are W2000 server SP3 machines. The client is a W2000 Pro SP4 machine.

Using an IP address, I can access the share with no further login. But when I try using the server's name, it pops up the authentication request with an authentication error message. No way to pass!!! I tested all the syntaxes I could think of.

I searched in the logs and I get 2 errors:

In log.winbind: a krb5_cc_get_principals (no cache found) error once while starting.
In log.smbd: a spnego authentication failure each time I want to connect (written 3 times each time).

I continued to search and I found that there is no principal listed while doing a "ktutil l", and while doing a net ads to list the trusted domains, I get a BUILTIN and <SRV-NAME> answer but nothing about the domain.

I tried to make the krb5.keytab by hand to authenticate my machine but, even while using the new "use keytab" option in smb.conf, winbind always "cleans" the principals list. For that, I followed the Microsoft howto about Kerberos V5.

I think that, for some reason, the net ads join does not get or cannot use all the stuff from the AD (such as machine authentication). I also read that when using an IP to access the share, you do not use the Kerberos authentication but NTLM (such as an NT server member).

I'm a little lost. Please help. The server is at my job. I can test everything you want me to do.

I have the logs at work. I will post everything tomorrow. I wanted to demonstrate the utility of Samba for file sharing but, for the moment, I hide myself. :-)

More info:

The numeric way only works if I disable spnego using smb options.

The warning while launching winbindd:

    [2004/09/16 07:13:23, 1] nsswitch/winbindd.c:main(854)
      winbindd version 3.0.7 started.
      Copyright The Samba Team 2000-2004
    [2004/09/16 07:13:23, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
      krb5_cc_get_principal failed (No credentials cache found)

The errors during authentication:

    [2004/09/16 07:17:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
      Failed to verify incoming ticket!
    [2004/09/16 07:17:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
      Failed to verify incoming ticket!
    [2004/09/16 07:17:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
      Failed to verify incoming ticket!
    [2004/09/16 07:17:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
      Failed to verify incoming ticket!

My smb.conf parameters:

    # Samba config file created using SWAT
    # from 172.23.4.51 (172.23.4.51)
    # Date: 2004/08/27 14:23:03

    # Global parameters
    [global]
    name resolve order = host wins bcast
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

    #Active Directory Stuff
    realm = CG71.LOCAL
    security = ADS

    #krb5 Stuff
    password server = *
    encrypt passwords = yes
    #unix password sync = yes
    passwd program = /usr/bin/passwd %u
    #pam password change = yes
    #obey pam restrictions = yes
    #use kerberos keytab = yes

    # Server Role Stuff
    preferred master = No
    local master = No
    domain master = No
    dns proxy = No
    preserve case = no
    short preserve case = no
    default case = lower
    case sensitive = no
    allow trusted domains = yes

    # permissions handling
    inherit permissions = yes
    inherit acls = yes
    nt acl support = yes
    ea support = yes
    map acl inherit = yes
    store dos attributes = yes

    # wins Stuff
    netbios name = SRV-EDEN01
    workgroup = CG71
    wins server = <IP WINS>

    # winbind Stuff
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    template homedir = /home/win2k/%D/%U
    template shell = /bin/bash

    # others
    unix charset = ISO8859-15

    [Donnees_Eden]
    comment = partage principal
    path = /mnt/Mes_Fichiers/partage
    vfs objects = audit recycle
    recycle:maxsize = 10000000
    recycle:keeptree = yes
    read only = no
    guest ok = no

My krb5.conf file:

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = CG71.LOCAL
    default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
    default_keytab_name = FILE:/etc/krb5.keytab

    [realms]
    CG71.LOCAL = {
        kdc = <name-of-AD-server>:88
        admin_server = <name-of-AD-server>:749
        default_domain = CG71.LOCAL
    }

    [domain_realms]
    .cg71.local = CG71.LOCAL
    cg71.local = CG71.LOCAL

    [kdc]
    profile=/var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

My pam samba file:

    #%PAM-1.0
    auth required /lib/security/pam_winbind.so
    auth required /lib/security/pam_pwdb.so nullok shadow
    account required /lib/security/pam_winbind.so
    account required /lib/security/pam_pwdb.so
    session required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth

My pam system-auth:

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth required /lib/security/$ISA/pam_env.so
    auth sufficient /lib/security/$ISA/pam_unix.so
    auth sufficient /lib/security/$ISA/pam_krb5.so likeauth nillok
    auth required /lib/security/$ISA/pam_deny.so
    account required /lib/security/$ISA/pam_unix.so
    password required /lib/security/$ISA/pam_cracklib.so retry=3
    password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password required /lib/security/$ISA/pam_deny.so
    session required /lib/security/$ISA/pam_limits.so
    session required /lib/security/$ISA/pam_unix.so

My pam authconfig:

    #%PAM-1.0
    #auth sufficient /lib/security/$ISA/pam_rootok.so
    #auth required /lib/security/$ISA/pam_stack.so service=system-auth
    #account required /lib/security/$ISA/pam_permit.so
    #session required /lib/security/$ISA/pam_permit.so
    auth required /lib/security/pam_securetty.so
    auth required /lib/security/pam_nologin.so
    auth sufficient /lib/security/pam_winbind.so
    auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
    account required /lib/security/pam_winbind.so

My resolv.conf:

    search cg71.local
    domain cg71.local
    nameserver <IP of nameserver 1>
    nameserver <IP of nameserver 2>

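
Added example, not part of the original report and not Samba project code: a small Python triage script that parses log records of the kind quoted in the comment above and counts the Kerberos failures per timestamp and function. The sample log is rebuilt from those excerpts; the two-line record layout and the names `parse_records`, `kerberos_failures` and `KRB_FUNCS` are assumptions made for this illustration.

```python
import re
from collections import Counter

# Samba 3.x record: "[date time, level] file:function(line)" + indented text.
HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>[^:\s]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$")
KRB_FUNCS = {"reply_spnego_kerberos", "ads_krb5_mk_req"}

# Sample rebuilt from the excerpts in the report; the layout is assumed.
SAMPLE_LOG = """\
[2004/09/16 07:13:23, 1] nsswitch/winbindd.c:main(854)
  winbindd version 3.0.7 started.
[2004/09/16 07:13:23, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No credentials cache found)
[2004/09/16 07:17:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/09/16 07:17:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/09/16 07:17:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
"""

def parse_records(text):
    """Yield one dict per log record, collecting its continuation lines."""
    current = None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            if current:
                yield current
            current = dict(m.groupdict(), msg=[])
        elif current is not None and raw.strip():
            current["msg"].append(raw.strip())
    if current:
        yield current

def kerberos_failures(text):
    """Count failures logged by the Kerberos code paths, keyed by event."""
    hits = Counter()
    for rec in parse_records(text):
        msg = " ".join(rec["msg"])
        if rec["func"] in KRB_FUNCS and "fail" in msg.lower():
            hits[(rec["ts"], rec["func"], msg)] += 1
    return hits

if __name__ == "__main__":
    for (ts, func, msg), n in sorted(kerberos_failures(SAMPLE_LOG).items()):
        print(f"{ts} {func} x{n}: {msg}")
```
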

This config works without problems using a Win NT client with spnego. So it's a problem of W2000 clients with Samba. Probably not through Samba and AD...

*** This bug has been marked as a duplicate of 1717 ***