2101 – Rejoin ADS using the same account. Access share via IP - OK, access share via hostname - ERROR

Bug 2101 - Rejoin ADS using the same account. Access share via IP - OK, access share via hostname - ERROR

Summary: Rejoin ADS using the same account. Access share via IP - OK, access share via...

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 3.0
Classification:	Unclassified
Component:	Domain Control (show other bugs)
Version:	3.0.9
Hardware:	x86 Linux

Importance:	P3 normal
Target Milestone:	none
Assignee:	Samba Bugzilla Account
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2004-11-29 18:20 UTC by juer
Modified:	2006-04-20 09:45 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description juer 2004-11-29 18:20:15 UTC

I have experienced an issue since Samba 3.0.2.

My current system is Samba 3.0.9 + Kerberos 1.3.5 + Fedora Core 3 system.
Steps to reproduce the issue:
1. The server join a Win2k AD, the share can be accessed via hostname or IP 
address without any problems from a Win2k client which is in the domain ( no 
username & password are required )
2. The server leaves ADS ( I called 'net ads leave' without any errors )
3. Rejoin the same Win2k AD
4. When I try to access the same share via the hostname from the same Win2k 
client, the username and password are required, though it won't work even I 
input correct password
5. The share can still be accessed via IP address without any problems ( no 
username & password are required )
6. Log off the Win2k client, then log in again, the share can be accessed via 
hostname without any problems again

I checked the logs, see some errors like "Failed to verify incoming ticket" too.

The point is the different behaviour on the 1st join and 2nd join.

Comment 1 Matthew A. R. Sherian 2004-12-02 13:13:28 UTC

I have found if you keep all things equal and switch to Domain from ADS it works
OK, doesn't fix the problem, but it helps.

Comment 2 Gerald (Jerry) Carter (dead mail address) 2005-02-17 08:49:50 UTC

sounds more like the client's kerberos ticket cache has to 
be cleared out by the lougout/logon process.  I don't think 
this is our bug.  I don't really see why you one would want 
to do this.

But if you can perform the same sequence of steps using a 
Windows 2000 host as the domain member server and still 
access that host from a 2k client after rejoining it to 
the domain without having to logout and back on, please reopen this bug.

Comment 3 juer 2005-02-20 18:08:38 UTC

This issue is not seen in the WIN2K environment. I tried to access a WIN2K host 
in a WIN2K domain from another WIN2K client. No need to logout and re-login if 
that WIN2K hosts disjoins and rejoin the domain

Comment 4 Levente Farkas 2005-09-28 02:58:56 UTC

after we leave and rejoin or samba server from an ads the same happend. "Failed
to verify incoming ticket":-( the only solution was to remove all
servicePrincipalName attribute from the ADS for the samba server under
Computers. this happends RHEL4's samba-3.0.14a-2. the strance thing is win2k can
connect to the server but win xp can not.

Comment 5 Gerald (Jerry) Carter (dead mail address) 2006-04-20 09:45:28 UTC

Please retest against a current version of Samba.  Thanks.