Paul Sobey
2008-Nov-05 13:25 UTC
[Samba] Samba, Solaris, Windows 2008 - Kerberos Guess Realm Wrong?
I've just built Samba 3.2.4 on Solaris 10, with ADS support. Domain join to a Windows 2008 domain works perfectly, having pre-created the servername in the appropriate OU.

In my winbind logs, I see the following (domain name obfuscated):

[2008/11/05 11:28:06, 3] libsmb/cliconnect.c:cli_session_setup_spnego(839)
  got principal=not_defined_in_RFC4178@please_ignore
[2008/11/05 11:28:06, 3] libsmb/cliconnect.c:cli_session_setup_spnego(880)
  cli_session_setup_spnego: got a bad server principal, trying to guess ...
[2008/11/05 11:28:06, 3] libsmb/cliconnect.c:cli_session_setup_spnego(908)
  cli_session_setup_spnego: guessed server principal=server$@FOO
[2008/11/05 11:28:06, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(619)
  Doing kerberos session setup
[2008/11/05 11:28:06, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for server$@FOO (Cannot resolve network address for KDC in requested realm)
[2008/11/05 11:28:06, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm

The realm is guessed wrongly - only the short name of the domain, rather than the fully qualified realm name, as specified in krb5.conf.

My AD full name is foo.bar.com, short name FOO. My question is - when guessing the principal for the target DC, why does Samba guess 'FOO', rather than 'FOO.BAR.COM'? I have a Linux machine joined to the same domain running 3.0.28 which correctly guesses the realm.

[2008/11/05 08:48:44, 3] libsmb/cliconnect.c:cli_session_setup_spnego(828)
  got principal=not_defined_in_RFC4178@please_ignore
[2008/11/05 08:48:44, 3] libsmb/cliconnect.c:cli_session_setup_spnego(880)
  cli_session_setup_spnego: got a bad server principal, trying to guess ...
[2008/11/05 08:48:44, 3] libsmb/cliconnect.c:cli_session_setup_spnego(903)
  cli_session_setup_spnego: guessed server principal=server$@FOO.BAR.COM

Relevant pieces from smb.conf:

  realm = FOO.BAR.COM
  workgroup = FOO
  winbind separator = +
  winbind use default domain = yes
  idmap backend = ad
  winbind nss info = rfc2307
  use kerberos keytab = yes
  client lanman auth = no
  client ntlmv2 auth = yes
  idmap uid = 10000-15000
  idmap gid = 5000-6000
  winbind refresh tickets = yes

As far as I can tell, name resolution etc. is correct on both machines. Net ads status returns proper (fqdn) names, and klist -k shows fully qualified principals populated into the keytab file by net ads join. I should add that wbinfo -u returns the correct users, as does getent passwd (with uids, gids, etc. as expected).

My concern is that because Kerberos negotiation is apparently failing, winbind is falling back to NTLM methods of authentication, which I'd rather avoid. If the error message I'm seeing is benign and I should ignore it, let me know.

Cheers,
Paul
Paul Sobey
2008-Nov-12 09:59 UTC
[Samba] Samba, Solaris, Windows 2008 - Kerberos Guess Realm Wrong?
On Wed, 5 Nov 2008, Paul Sobey wrote:

> I've just built Samba 3.2.4 on Solaris 10, with ADS support. Domain join to a
> Windows 2008 domain works perfectly, having pre-created the servername in the
> appropriate OU.
>
> In my winbind logs, I see the following (domain name obfuscated):
> [2008/11/05 11:28:06, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(619)
> Doing kerberos session setup
>
> [2008/11/05 11:28:06, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
> ads_krb5_mk_req: krb5_get_credentials failed for server$@FOO (Cannot
> resolve network address for KDC in requested realm)
>
> [2008/11/05 11:28:06, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
> cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve
> network address for KDC in requested realm
>
> The realm is guessed wrongly - only the short name of the domain, rather than
> the fully qualified realm name, as specified in krb5.conf.
>
> My AD full name is foo.bar.com, short name FOO. My question is - when
> guessing the principal for the target DC, why does Samba guess 'FOO', rather
> than 'FOO.BAR.COM'? I have a Linux machine joined to the same domain running
> 3.0.28 which correctly guesses the realm.

Not sure whether this helps diagnose, but I just upgraded my Linux desktop to Samba 3.2.4 and now get exactly the same error - winbind is refusing to authenticate me at all. In my pam.conf I have krb5_auth set to try and make winbind authenticate me via kerberos.

How can I troubleshoot this? It seems Samba 3.2.4 gets the Kerberos realm wrong when authenticating against Windows 2008. I thought it was a Solaris issue before but it seems to be OS independent. Is anybody else seeing it?

Cheers,
Paul
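Both of Paul's messages hinge on one observable symptom: the "guessed server principal=" line in the winbind log carries the short workgroup name as the realm instead of the realm from smb.conf, after which krb5_get_credentials fails and the session falls back to NTLM. The following script is an added example (not from the thread and not Samba's own code) that checks a log excerpt for exactly that condition. It assumes the log format shown in the posts and reduces the smb.conf fragment to the realm and workgroup keys quoted there; the sample inputs are the lines from the first message.

```python
import re

# Constructed sample input: the winbind log excerpts quoted in the first
# message (Solaris box, Samba 3.2.4, and Linux box, Samba 3.0.28).
SOLARIS_LOG = """\
[2008/11/05 11:28:06, 3] libsmb/cliconnect.c:cli_session_setup_spnego(839)
  got principal=not_defined_in_RFC4178@please_ignore
[2008/11/05 11:28:06, 3] libsmb/cliconnect.c:cli_session_setup_spnego(880)
  cli_session_setup_spnego: got a bad server principal, trying to guess ...
[2008/11/05 11:28:06, 3] libsmb/cliconnect.c:cli_session_setup_spnego(908)
  cli_session_setup_spnego: guessed server principal=server$@FOO
[2008/11/05 11:28:06, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(619)
  Doing kerberos session setup
[2008/11/05 11:28:06, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for server$@FOO (Cannot resolve network address for KDC in requested realm)
"""

LINUX_LOG = """\
[2008/11/05 08:48:44, 3] libsmb/cliconnect.c:cli_session_setup_spnego(828)
  got principal=not_defined_in_RFC4178@please_ignore
[2008/11/05 08:48:44, 3] libsmb/cliconnect.c:cli_session_setup_spnego(903)
  cli_session_setup_spnego: guessed server principal=server$@FOO.BAR.COM
"""

# Constructed smb.conf fragment: only the keys the check needs, values as in the post.
SMB_CONF = """\
[global]
  realm = FOO.BAR.COM
  workgroup = FOO
  use kerberos keytab = yes
"""

GUESS_RE = re.compile(r"guessed server principal=(?P<principal>\S+)")
FAIL_RE = re.compile(r"krb5_get_credentials failed for (?P<principal>\S+)")


def parse_smb_conf(text):
    """Return 'key = value' pairs with lower-cased keys; section headers and comments are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("[", "#", ";")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip().lower()] = value.strip()
    return params


def check_kerberos_realm(log_text, smb_conf_text):
    """Classify each guessed principal and krb5 failure in the log.

    Returns a list of (status, principal) tuples, where status is one of:
      ok           - guessed realm matches 'realm' from smb.conf
      short-realm  - guessed realm is the bare workgroup name (the bug in the thread)
      other-realm  - guessed realm matches neither
      krb5-failure - krb5_get_credentials failed for the principal
    """
    conf = parse_smb_conf(smb_conf_text)
    expected_realm = conf.get("realm", "").upper()
    workgroup = conf.get("workgroup", "").upper()
    findings = []
    for line in log_text.splitlines():
        guess = GUESS_RE.search(line)
        if guess:
            principal = guess.group("principal")
            realm = principal.rpartition("@")[2].upper()
            if realm == expected_realm:
                findings.append(("ok", principal))
            elif realm == workgroup:
                findings.append(("short-realm", principal))
            else:
                findings.append(("other-realm", principal))
            continue
        failure = FAIL_RE.search(line)
        if failure:
            findings.append(("krb5-failure", failure.group("principal")))
    return findings


def kerberos_degraded(findings):
    """True when the log shows a condition under which winbind would not get a Kerberos ticket."""
    return any(status in ("short-realm", "other-realm", "krb5-failure") for status, _ in findings)


if __name__ == "__main__":
    for name, log in (("solaris", SOLARIS_LOG), ("linux", LINUX_LOG)):
        findings = check_kerberos_realm(log, SMB_CONF)
        print(name, "degraded" if kerberos_degraded(findings) else "ok", findings)
```

Run against the two excerpts, the Solaris log yields a short-realm guess followed by a krb5 failure, while the Linux 3.0.28 log yields a single ok entry, which is the difference the thread is asking about. The same check can be pointed at a live log.winbindd to confirm whether the Kerberos path is actually being taken before NTLM is ruled out.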