Re: [Samba] Failed to verify incoming ticket! When clients use netbios names only!

2007-04-16 Thread Martin Zielinski

Hi,

The "Failed to join domain: Type or value exists" error is caused when the 
machine_name is equal to the FQDN.


This is the case, e.g., if the /etc/hosts file contains only the short 
name. The server reports the error and net aborts although the join 
itself was successful.


There are several issues with the hostname vs. domainname thing under 
Linux.
E.g. the missing driver listings when using the FQDN to access the samba 
server.
I've added a getdomainname() call in the get_mydnsfullname() function in 
lib/util.c if the gethostname() call does not contain a ".".

Then the comparison in is_myname() succeeds and the drivers are listed.

But the manpage says, getdomainname() is *not* POSIX. So this all might 
end in a configuration issue of the hostname.


Regards,

~ Martin


Hansjörg Maurer wrote:

Hi

we see the similar messages too.

Gerald (Jerry) Carter wrote:

m.bland wrote:


thor:/var/log/samba# cat /etc/samba/smb.conf
[global]
workgroup = DOMAIN
realm = DOMAIN

Are these really the same value ?

do they have to?
When I try to set them to the same value I get the following message
when joining the domain.

[EMAIL PROTECTED] root]# net ads join  -U Admin
Admin's password:
The workgroup in /etc/samba/smb.conf does not match the short
domain name obtained from the server.
Using the name [DOMNAME] from the server.
You should set workgroup = DOMNAME in /etc/samba/smb.conf.
Using short domain name -- DOMNAME
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Deleted account for 'RMVBS02' in realm 'REALM'
Failed to join domain: Type or value exists


But we have a DNS not matching the REALM.

Could this lead to this problem?

(the above join only works with net rpc join, even while User Admin has
full rights on the domain)

Greetings

hansjörg


...


thor:/var/log/samba# cat /etc/krb5.conf
[libdefaults]
 default_realm = DOMAIN.NAME






cheers, jerry




--
Martin Zielinski [EMAIL PROTECTED]
Software Development
SEH Computertechnik GmbH www.seh.de

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
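
An added example, not part of any post in this thread and not Samba code: a Python check for the two conditions raised above, the smb.conf realm differing from default_realm in krb5.conf, and an /etc/hosts entry that lists only the short host name. The file contents are constructed from the excerpts quoted in the thread, and the function names are hypothetical.

```python
# Constructed sample inputs modelled on the files quoted in this thread.
SMB_CONF = """[global]
netbios name = THOR
workgroup = DOMAIN
realm = DOMAIN
"""
KRB5_CONF = """[libdefaults]
 default_realm = DOMAIN.NAME
"""
HOSTS = """127.0.0.1   localhost.localdomain   localhost
192.168.16.4   thor
"""

def ini_value(text, section, key):
    """Return `key` from an INI-style section (smb.conf, krb5.conf), or None."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif "=" in line and current == section:
            name, value = line.split("=", 1)
            # Parameter names are compared case- and spacing-insensitively.
            if " ".join(name.split()).lower() == key:
                return value.strip()
    return None

def canonical_name(hosts_text, short):
    """First name on the /etc/hosts line that lists `short`, or None."""
    for raw in hosts_text.splitlines():
        names = raw.split("#", 1)[0].split()[1:]
        if short.lower() in (n.lower() for n in names):
            return names[0]
    return None

def check(smb, krb5, hosts):
    findings = []
    realm = ini_value(smb, "global", "realm")
    default_realm = ini_value(krb5, "libdefaults", "default_realm")
    # Assumption: "netbios name" is set and equals the short host name.
    host = ini_value(smb, "global", "netbios name") or ""
    if realm is None or realm.upper() != (default_realm or "").upper():
        findings.append(f"smb.conf realm {realm!r} != krb5.conf default_realm {default_realm!r}")
    canon = canonical_name(hosts, host)
    if canon is None or "." not in canon:
        findings.append(f"/etc/hosts first name for {host!r} is {canon!r}, not an FQDN")
    return findings

if __name__ == "__main__":
    print("\n".join(check(SMB_CONF, KRB5_CONF, HOSTS)))
```

On a real host, pass the contents of /etc/samba/smb.conf, /etc/krb5.conf and /etc/hosts to check() in place of the constructed strings.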


Re: [Samba] Failed to verify incoming ticket! When clients use netbios names only!

2007-04-05 Thread Hansjörg Maurer
Hi

we see the similar messages too.

Gerald (Jerry) Carter wrote:
 m.bland wrote:

  thor:/var/log/samba# cat /etc/samba/smb.conf
  [global]

  workgroup = DOMAIN
  realm = DOMAIN

 Are these really the same value ?
do they have to?
When I try to set them to the same value I get the following message
when joining the domain.

[EMAIL PROTECTED] root]# net ads join  -U Admin
Admin's password:
The workgroup in /etc/samba/smb.conf does not match the short
domain name obtained from the server.
Using the name [DOMNAME] from the server.
You should set workgroup = DOMNAME in /etc/samba/smb.conf.
Using short domain name -- DOMNAME
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Deleted account for 'RMVBS02' in realm 'REALM'
Failed to join domain: Type or value exists


But we have a DNS not matching the REALM.

Could this lead to this problem?

(the above join only works with net rpc join, even while User Admin has
full rights on the domain)

Greetings

hansjörg


 ...

  thor:/var/log/samba# cat /etc/krb5.conf
  [libdefaults]
   default_realm = DOMAIN.NAME






 cheers, jerry

-- 

Deutsches Zentrum fuer Luft- und Raumfahrt e.V.
in der Helmholtz-Gemeinschaft

Institut fuer Robotik und Mechatronik

Dr. Hansjörg Maurer

LAN- und Systemmanager

Münchner Strasse 20
82234 Wessling
Germany

Telefon: 08153/28-2431
Telefax: 08153/28-1134

E-Mail: [EMAIL PROTECTED]
Internet: http://www.robotic.dlr.de/



There are 10 types of people in this world,
those who understand binary and those who don't.



[Samba] Failed to verify incoming ticket! When clients use netbios names only!

2007-04-04 Thread m.bland
Hi,
I have set up our samba box in 'ADS' mode; the problem I have is clients
connecting to the server can not do so by using its netbios name. Only when
they use the IP address of the machine are they able to be authenticated and
browse the box.
When clients connect via the netbios name this message will appear in my
samba logs with the IP of the connecting client;

smbd/sesssetup.c:reply_spnego_kerberos(173) Failed to verify incoming
ticket!
 
Additionally, if a client connects successfully via the IP of the samba
server, the log file is named in the client's netbios name rather than their
IP.
E.g. machinenetbiosname.log will contain
[2007/04/04 15:13:00, 1] smbd/service.c:make_connection_snum(642)
  netbiosnameofmachine (192.168.16.203) signed connect to service data
initially as user DOMAIN+gorby (uid=10002, gid=10004) (pid 4329)
 
Can someone tell me what's happening here? ;)
 
thor:/var/log/samba# cat /etc/samba/smb.conf
[global]
winbind use default domain = yes
winbind separator = +
client use spnego = yes
use spnego = yes
server signing = auto
client signing = auto
netbios name = THOR
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
workgroup = DOMAIN
server string = Thor
security = ads
hosts allow = 192.168.16.
load printers = no
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
password server = SERVER01
encrypt passwords = yes
realm = DOMAIN
passdb backend = tdbsam
local master = no
domain master = no
wins support = no
wins server = 192.168.16.3
dns proxy = no
hostname lookups = yes
name resolve order = lmhosts host wins dns bcast
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 
[data]
comment = 
path = /data
Valid Users = +DOMAIN+domain users
writeable = yes
browseable = yes
 
[ftp]
comment = FTP area
path = /data/ftp
Valid Users = +DOMAIN+domain users
writeable = yes
browseable = yes
thor:/var/log/samba#
 
wbinfo -u works!
wbinfo -g works
 
passwd: files winbind
shadow: files winbind
group:  files winbind
 
#hosts: db files nisplus nis dns
hosts:  files winbind
 
# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files
 
bootparams: nisplus [NOTFOUND=return] files
 
ethers: files
netmasks:   files
networks:   files
protocols:  files winbind
rpc:        files
services:   files winbind
 
netgroup:   files winbind
 
publickey:  nisplus
 
automount:  files winbind
aliases:    files nisplus

cat /etc/resolv.conf

search DOMAIN.NAME
nameserver 192.168.16.3 (also the PDC)

thor:/var/log/samba# cat /etc/hosts
127.0.0.1   localhost.localdomain   localhost
192.168.16.4    thor.DOMAIN.NAME  thor
192.168.16.3    server01.DOMAIN.NAME  server01

thor:/var/log/samba# kinit administrator@DOMAIN.NAME
administrator@DOMAIN.NAME's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
 
thor:/var/log/samba# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
 default_realm = DOMAIN.NAME
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes
 krb4_get_tickets = false
[realms]
 DOMAIN.NAME = {
  kdc = server01:88
 }
 
[domain_realm]
 .server01 = DOMAIN.NAME
 server01 = DOMAIN.NAME
 
[kdc]
 profile = /var/lib/heimdal-kdc/kdc.conf
 
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }



Re: [Samba] Failed to verify incoming ticket! When clients use netbios names only!

2007-04-04 Thread Gerald (Jerry) Carter

m.bland wrote:

 thor:/var/log/samba# cat /etc/samba/smb.conf
 [global]

 workgroup = DOMAIN
 realm = DOMAIN

Are these really the same value ?

...

 thor:/var/log/samba# cat /etc/krb5.conf
 [libdefaults]
  default_realm = DOMAIN.NAME






cheers, jerry