Re: [Samba] Failed to verify incoming ticket! When clients use netbios names only!
Hi,

the Failed to join domain: Type or value exists is caused, when the machine_name is equal to the fqdn. This is the case, e.g. if the /etc/hosts file contains only the short name. The server reports the error and net aborts although the join itself was successful.

There are several issues with the hostname vs. domainname thing under linux. E.g. the missing driver listings when using the fqdn accessing the samba server.

I've added a getdomainname() call in the get_mydnsfullname() function in lib/util.c if the gethostname() call does not contain a ".". Then the comparison in is_myname() succeeds and the drivers are listed.

But the manpage says, getdomainname() is *not* POSIX. So this all might end in a configuration issue of the hostname.

Regards,

~ Martin

Hansjörg Maurer wrote:
> Hi
>
> we see the similar messages too.
>
> Gerald (Jerry) Carter wrote:
> > m.bland wrote:
> > > thor:/var/log/samba# cat /etc/samba/smb.conf
> > > [global]
> > > workgroup = DOMAIN
> > > realm = DOMAIN
> >
> > Are these really the same value ?
>
> do they have to?
> When I try to set them to the same value I get the following message when joining the domain.
>
> [EMAIL PROTECTED] root]# net ads join -U Admin
> Admin's password:
> The workgroup in /etc/samba/smb.conf does not match the short
> domain name obtained from the server.
> Using the name [DOMNAME] from the server.
> You should set workgroup = DOMNAME in /etc/samba/smb.conf.
> Using short domain name -- DOMNAME
> Failed to set servicePrincipalNames. Please ensure that
> the DNS domain of this server matches the AD domain,
> Or rejoin with using Domain Admin credentials.
> Deleted account for 'RMVBS02' in realm 'REALM'
> Failed to join domain: Type or value exists
>
> But we have a DNS not matching the REALM.
> Could this lead to this problem?
> (the above join only works with net rpc join, even while User Admin has full rights on the domain)
>
> Greetings
>
> hansjörg
>
> > ...
> > > thor:/var/log/samba# cat /etc/krb5.conf
> > > [libdefaults]
> > > default_realm = DOMAIN.NAME
> >
> > cheers, jerry

--
Martin Zielinski
[EMAIL PROTECTED]
Software Development
SEH Computertechnik GmbH
www.seh.de

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Failed to verify incoming ticket! When clients use netbios names only!
Hi

we see the similar messages too.

Gerald (Jerry) Carter wrote:
> m.bland wrote:
> > thor:/var/log/samba# cat /etc/samba/smb.conf
> > [global]
> > workgroup = DOMAIN
> > realm = DOMAIN
>
> Are these really the same value ?

do they have to?
When I try to set them to the same value I get the following message when joining the domain.

[EMAIL PROTECTED] root]# net ads join -U Admin
Admin's password:
The workgroup in /etc/samba/smb.conf does not match the short
domain name obtained from the server.
Using the name [DOMNAME] from the server.
You should set workgroup = DOMNAME in /etc/samba/smb.conf.
Using short domain name -- DOMNAME
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Deleted account for 'RMVBS02' in realm 'REALM'
Failed to join domain: Type or value exists

But we have a DNS not matching the REALM.
Could this lead to this problem?
(the above join only works with net rpc join, even while User Admin has full rights on the domain)

Greetings

hansjörg

> ...
> > thor:/var/log/samba# cat /etc/krb5.conf
> > [libdefaults]
> > default_realm = DOMAIN.NAME
>
> cheers, jerry

--
Deutsches Zentrum fuer Luft- und Raumfahrt e.V.
in der Helmholtz-Gemeinschaft
Institut fuer Robotik und Mechatronik
Dr. Hansjörg Maurer
LAN- und Systemmanager
Münchner Strasse 20
82234 Wessling
Germany
Telefon: 08153/28-2431
Telefax: 08153/28-1134
E-Mail: [EMAIL PROTECTED]
Internet: http://www.robotic.dlr.de/

There are 10 types of people in this world, those who understand binary and those who don't.
[Samba] Failed to verify incoming ticket! When clients use netbios names only!
Hi,

I have set up our samba box in 'ADS' mode; the problem I have is clients connecting to the server can not do so by using its netbios name. Only when they use the IP address of the machine are they able to be authenticated and browse the box.

When clients connect via the netbios name this message will appear in my samba logs with the IP of the connecting client;

smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!

Additionally, if a client connects successfully via the IP of the samba server, the log file is named in the client's netbios name rather than their IP. E.g. machinenetbiosname.log will contain

[2007/04/04 15:13:00, 1] smbd/service.c:make_connection_snum(642)
  netbiosnameofmachine (192.168.16.203) signed connect to service data initially as user DOMAIN+gorby (uid=10002, gid=10004) (pid 4329)

Can someone tell me what's happening here? ;)

thor:/var/log/samba# cat /etc/samba/smb.conf
[global]
winbind use default domain = yes
winbind separator = +
client use spnego = yes
use spnego = yes
server signing = auto
client signing = auto
netbios name = THOR
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
workgroup = DOMAIN
server string = Thor
security = ads
hosts allow = 192.168.16.
load printers = no
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
password server = SERVER01
encrypt passwords = yes
realm = DOMAIN
passdb backend = tdbsam
local master = no
domain master = no
wins support = no
wins server = 192.168.16.3
dns proxy = no
hostname lookups = yes
name resolve order = lmhosts host wins dns bcast
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

[data]
comment =
path = /data
Valid Users = +DOMAIN+domain users
writeable = yes
browseable = yes

[ftp]
comment = FTP area
path = /data/ftp
Valid Users = +DOMAIN+domain users
writeable = yes
browseable = yes

thor:/var/log/samba# wbinfo -u works!
wbinfo -g works

passwd: files winbind
shadow: files winbind
group: files winbind
#hosts: db files nisplus nis dns
hosts: files winbind
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files
services: files winbind
netgroup: files winbind
publickey: nisplus
automount: files winbind
aliases: files nisplus

cat /etc/resolv.conf
search DOMAIN.NAME
nameserver 192.168.16.3 (also the PDC)

thor:/var/log/samba# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.16.4 thor.DOMAIN.NAME thor
192.168.16.3 server01.DOMAIN.NAME server01

thor:/var/log/samba# kinit administrator@DOMAIN.NAME
administrator@DOMAIN.NAME's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week

thor:/var/log/samba# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.NAME
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
krb4_get_tickets = false

[realms]
DOMAIN.NAME = {
  kdc = server01:88
}

[domain_realm]
.server01 = DOMAIN.NAME
server01 = DOMAIN.NAME

[kdc]
profile = /var/lib/heimdal-kdc/kdc.conf

[appdefaults]
pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}
Re: [Samba] Failed to verify incoming ticket! When clients use netbios names only!
m.bland wrote:
> thor:/var/log/samba# cat /etc/samba/smb.conf
> [global]
> workgroup = DOMAIN
> realm = DOMAIN

Are these really the same value ?

...

> thor:/var/log/samba# cat /etc/krb5.conf
> [libdefaults]
> default_realm = DOMAIN.NAME

cheers, jerry
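
Added example, not part of any message in this thread and not Samba code: a small Python check for the naming mismatches the thread discusses (smb.conf realm vs. krb5.conf default_realm, realm equal to workgroup, and a short host name or DNS domain that differs from the realm). The function name check_ads_names and the sample strings are constructed for illustration; the rule that all three names should agree is an assumption of this sketch.

```python
import configparser
import re

# Constructed sample input modelled on the settings quoted in the thread.
SMB_CONF = """[global]
workgroup = DOMAIN
realm = DOMAIN
security = ads
"""
KRB5_CONF = """[libdefaults]
default_realm = DOMAIN.NAME
"""

def check_ads_names(smb_conf, krb5_conf, fqdn):
    """Return a list of findings; an empty list means the names agree.

    Assumption of this sketch: realm, default_realm and the host's DNS
    domain should all be the same name, compared case-insensitively.
    """
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(smb_conf)
    # Accept [Global] as well as [global].
    glob = next((cp[s] for s in cp.sections() if s.lower() == "global"), {})
    workgroup = glob.get("workgroup", "").upper()
    realm = glob.get("realm", "").upper()
    # krb5.conf nests braces, so pull the one key out with a regex.
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_conf, re.M)
    default_realm = m.group(1).upper() if m else ""
    dns_domain = fqdn.partition(".")[2].upper()

    findings = []
    if realm != default_realm:
        findings.append(f"realm {realm!r} != default_realm {default_realm!r}")
    if realm and realm == workgroup:
        findings.append(f"realm equals workgroup {workgroup!r}; check both")
    if not dns_domain:
        findings.append(f"host name {fqdn!r} is a short name without a DNS domain")
    elif dns_domain != realm:
        findings.append(f"DNS domain {dns_domain!r} != realm {realm!r}")
    return findings

if __name__ == "__main__":
    for finding in check_ads_names(SMB_CONF, KRB5_CONF, "thor.DOMAIN.NAME"):
        print("WARN:", finding)
```
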