Bug 2101 - Rejoin ADS using the same account. Access share via IP - OK, access share via hostname - ERROR
Status: RESOLVED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
Version: 3.0.9
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: none
Assigned To: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2004-11-29 18:20 UTC by juer
Modified: 2006-04-20 09:45 UTC

Description juer 2004-11-29 18:20:15 UTC
I have experienced an issue since Samba 3.0.2.

My current system is Samba 3.0.9 + Kerberos 1.3.5 + Fedora Core 3 system.
Steps to reproduce the issue:
1. The server joins a Win2k AD, the share can be accessed via hostname or IP 
address without any problems from a Win2k client which is in the domain (no 
username & password are required)
2. The server leaves ADS (I called 'net ads leave' without any errors)
3. Rejoin the same Win2k AD
4. When I try to access the same share via the hostname from the same Win2k 
client, the username and password are required, though it won't work even if I 
input the correct password
5. The share can still be accessed via IP address without any problems (no 
username & password are required)
6. Log off the Win2k client, then log in again, the share can be accessed via 
hostname without any problems again

I checked the logs and saw some errors like "Failed to verify incoming ticket" too.

The point is the different behaviour on the 1st join and 2nd join.
Comment 1 Matthew A. R. Sherian 2004-12-02 13:13:28 UTC
I have found if you keep all things equal and switch to Domain from ADS it works
OK, doesn't fix the problem, but it helps.
Comment 2 Gerald (Jerry) Carter 2005-02-17 08:49:50 UTC
Sounds more like the client's Kerberos ticket cache has to 
be cleared out by the logout/logon process.  I don't think 
this is our bug.  I don't really see why one would want 
to do this.

But if you can perform the same sequence of steps using a 
Windows 2000 host as the domain member server and still 
access that host from a 2k client after rejoining it to 
the domain without having to logout and back on, please reopen this bug.
Comment 3 juer 2005-02-20 18:08:38 UTC
This issue is not seen in the WIN2K environment. I tried to access a WIN2K host 
in a WIN2K domain from another WIN2K client. No need to logout and re-login if 
that WIN2K host disjoins and rejoins the domain.
Comment 4 Levente Farkas 2005-09-28 02:58:56 UTC
After we leave and rejoin our Samba server from an ADS the same happened. "Failed
to verify incoming ticket" :-( The only solution was to remove all
servicePrincipalName attributes from the ADS for the Samba server under
Computers. This happens with RHEL4's samba-3.0.14a-2. The strange thing is Win2k can
connect to the server but Win XP cannot.
Comment 5 Gerald (Jerry) Carter 2006-04-20 09:45:28 UTC
Please retest against a current version of Samba.  Thanks.