Running Samba 3.2.3 on Debian Lenny, amd64.

I'm joined to an AD realm, authentication works fine for Windows clients. I'm able to see that the clients are using Kerberos, not NTLM, to authenticate to the shares. However, when I look at the keytab, my entries have the short names like "service/shortname@REALM" instead of "service/fqdn@REALM". Looking at Windows servers on the same domain it seems to be a bit of a mix between fqdn and short names, with the majority using short names.

So the problem with that is when I try to use smbclient to connect, I get a "Server not found in Kerberos database" error because it's looking for the cifs/fqdn@REALM, where it only exists in the form of cifs/shortname@REALM. I haven't found a way to force AD to give me the fqdn style SPNs.

Any pointers?
Thanks
This seems to be related to this entry on the list in 2004-2005. As far as I see, the issue was never fixed. This is a pretty big issue if it is indeed the same bug, as it effectively stops *nix clients from using Kerberos authentication.

http://lists.samba.org/archive/samba-technical/2005-April/040338.html

I will try to work around using "setspn -A host/fqdn computer". Will "net ads keytab create" pull all the SPNs available for the client or is it set only to load the default ones?

On Sat, Oct 4, 2008 at 11:36 AM, Ryan Bair <ryandbair@gmail.com> wrote:
> Running Samba 3.2.3 on Debian Lenny, amd64.
>
> I'm joined to an AD realm, authentication works fine for Windows clients. I'm able to see that the clients are using Kerberos, not NTLM, to authenticate to the shares. However, when I look at the keytab, my entries have the short names like "service/shortname@REALM" instead of "service/fqdn@REALM". Looking at Windows servers on the same domain it seems to be a bit of a mix between fqdn and short names, with the majority using short names.
>
> So the problem with that is when I try to use smbclient to connect, I get a "Server not found in Kerberos database" error because it's looking for the cifs/fqdn@REALM, where it only exists in the form of cifs/shortname@REALM. I haven't found a way to force AD to give me the fqdn style SPNs.
>
> Any pointers?
> Thanks
Nope, it's got a real .com to it. The behavior was that hostname returned the hostname and hostname -f also returned just the shortname. If it had returned an error instead of just the hostname, I think it would have been ok from my quick view of the Samba source.

On Tue, Oct 7, 2008 at 2:51 PM, James Zuelow <James_Zuelow@ci.juneau.ak.us> wrote:
> This is just a guess:
>
> Does your domain end in .local?
>
> If so, avahi would hijack DNS lookups for anything like domain_controller.company.local -- and since your DC probably doesn't have Bonjour installed on it, it gets no answer and reports back with a host not found. Unfortunately that's a valid DNS response, so your system does not then fall back to regular DNS.
>
> James Zuelow....................CBJ MIS (907)586-0236
> Network Specialist...Registered Linux User No. 186591
>
>> -----Original Message-----
>> From: samba-bounces+james_zuelow=ci.juneau.ak.us@lists.samba.org [mailto:samba-bounces+james_zuelow=ci.juneau.ak.us@lists.samba.org] On Behalf Of Ryan Bair
>> Sent: Sunday, 05 October, 2008 10:44
>> To: Gerald (Jerry) Carter
>> Cc: samba@lists.samba.org
>> Subject: Re: [Samba] Re: smbclient kerberos issue
>>
>> It seems like it was a problem with avahi which mistakenly made its way into my nsswitch.conf. After removing mdns4_minimal and mdns4, I rejoined to the domain and everything works great. I'm a bit confused as to how this caused the problem, but I'm very happy to have it fixed!
>>
>> Thanks
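The two things this thread ends up checking by hand, whether the keytab has only short-name cifs/host SPNs and whether nsswitch.conf consults mDNS before DNS for host lookups, can be checked from `klist -k` output and the hosts line. This is an added example, not code from the thread or from Samba; the klist output and nsswitch.conf contents are constructed samples, and the host name fileserver.example.com is assumed.

```python
import re

# Constructed sample of `klist -k` output; not a real keytab.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/fileserver@EXAMPLE.COM
   2 cifs/fileserver@EXAMPLE.COM
   2 FILESERVER$@EXAMPLE.COM
"""

# Constructed nsswitch.conf fragment with the avahi entries the thread removed.
SAMPLE_NSSWITCH = """passwd: compat
group: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
"""


def keytab_principals(klist_output):
    """Return the principal names listed by `klist -k` (KVNO column dropped)."""
    princs = []
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)$", line)
        if m:
            princs.append(m.group(1))
    return princs


def missing_fqdn_spns(principals, fqdn, services=("cifs", "host")):
    """Return services that exist only as service/shortname@REALM with no
    service/fqdn@REALM entry; smbclient asks for cifs/fqdn, so those fail."""
    short = fqdn.split(".")[0].lower()
    missing = []
    for svc in services:
        names = {p.split("@")[0].lower() for p in principals if p.startswith(svc + "/")}
        if f"{svc}/{short}" in names and f"{svc}/{fqdn.lower()}" not in names:
            missing.append(svc)
    return missing


def mdns_before_dns(nsswitch_text):
    """True if the hosts line queries an mdns4* source before dns, so a
    negative mDNS answer (with [NOTFOUND=return]) can shadow real DNS."""
    for line in nsswitch_text.splitlines():
        if line.strip().startswith("hosts:"):
            sources = [t for t in line.split(":", 1)[1].split() if not t.startswith("[")]
            for src in sources:
                if src.startswith("mdns"):
                    return True
                if src == "dns":
                    return False
    return False
```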