Richard Verdugo
2006-Feb-23 21:17 UTC
[Samba] Logon Failure: The target account name is incorrect
Hi, I'm using FC3 with samba 3.0 trying to be part of a Windows 2000 AD. When I try to access a samba share it gives me: Logon Failure: The target account name is incorrect The Active Directory domain for our small inhouse private network is MBB.COM, we have our own nameservers that list the samba server in our company domain, which is epublishers.com. So to reach the samba server we would go to sambaserver.epublishers.com for example. Does this look right, or is it possible that the 2 different domain names are somehow causing a conflict? thank you.
Todd Stecher
2006-Mar-01 22:09 UTC
[Samba] Logon Failure: The target account name is incorrect
On Thu, 2006-02-23 at 13:16 -0800, Richard Verdugo wrote:> Hi, > I'm using FC3 with samba 3.0 trying to be part of a Windows 2000 AD. > When I try to access a samba share it gives me: Logon Failure: The target > account name is incorrect >This error happens when the target server cannot decrypt the service ticket presented to it.> > The Active Directory domain for our small inhouse private network is > MBB.COM, we have our own nameservers that list the samba server in our > company domain, which is epublishers.com. So to reach the samba server we > would go to sambaserver.epublishers.com for example. > > Does this look right, or is it possible that the 2 different domain names > are somehow causing a conflict? >In most cases, this is because you have a server in the client's realm with a servicePrincipalName attribute (e.g. host/server) matching that of the "true" destination service in another realm. When the client asks for a service ticket to host/server, they end up with a service ticket to the service account in the client realm, not the remote realm. See the kerberos troubleshooting whitepaper at http://www.microsoft.com/kerberos for more details on this error, and how to remedy it. Generically speaking, this can be solved by either: 1) accessing the remote server by its FQDN (e.g. net use * \ \server.sambaserver.epublishers.com) (I'm assuming you're accessing the service via the NETBIOS name). 2) Checking for a matching service account in the client realm, and deleting it (or renaming it).> thank you.