Well, playing around with the SPNs didn't quite work out, but compiling Kerberos 1.7 and recompiling Samba 3.4.2 against it *did* work. I'll do some further testing and then update the rest of my machines with the same build, so we can go fully 2008 on the AD side.
Thank you very much for the hint! For the record, the Kerberos I was on was CentOS 5.3's default 1.6.1-31.el5_3.3 RPM.

Mark

-----Original Message-----
From: ravi channavajhala [mailto:ravi.channavajh...@dciera.com]
Sent: Tuesday, October 13, 2009 2:44 PM
To: Bober, Mark; samba@lists.samba.org
Subject: RE: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2

To my understanding, Windows treats principal names as case insensitive. Kerberos treats them as case sensitive. MIT Kerberos version 1.7 is supposed to have fixed this. The way to get around this is to add uppercase SPN names into the Kerberos keytab.

Regards,
/rkc

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Bober, Mark
Sent: Wednesday, October 14, 2009 12:17 AM
To: samba@lists.samba.org
Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2

DNS, /etc/hosts, all that is correct, on the Samba box, the client, and the 2008 AD server. It still works perfectly if you use \\128.252.x.x in the URI instead of the name. What is the functional difference between accessing a URI via IP rather than the hostname or FQDN?

Mark

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Dirk Jakobsmeier
Sent: Tuesday, October 13, 2009 12:04 AM
To: samba@lists.samba.org
Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2

Hello Mark,

On Monday 12 October 2009 16:56:35, Bober, Mark wrote:
> Here's some things from log level 99:
>
> [2009/10/12 09:43:53, 10] lib/util.c:2626(name_to_fqdn)
> name_to_fqdn: lookup for HOSTNAME -> hostname.domain.wustl.edu.
> [2009/10/12 09:43:53, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
> ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/hostname.domain.wustl....@dOMAIN.WUSTL.EDU) failed: Wrong principal in request
> [2009/10/12 09:43:53, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
> ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/hostn...@domain.wustl.edu) failed: Wrong principal in request
> [2009/10/12 09:43:53, 3] libads/kerberos_verify.c:266(ads_keytab_verify_ticket)
> ads_keytab_verify_ticket: krb5_rd_req failed for all 12 matched keytab principals
> [2009/10/12 09:43:53, 3] libads/kerberos_verify.c:567(ads_verify_ticket)
> ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in request)
> [2009/10/12 09:43:53, 10] libads/kerberos_verify.c:576(ads_verify_ticket)
> ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE

I've found several pieces of information about "wrong principal in request" errors pointing to a name resolution problem. Can you check DNS, /etc/hosts ...?

> I cut some of that out - it tried each name 6 times, hence the 12? Looking at the system keytab, and the computer account in AD, everything seems to match. FWIW, if I leave the domain and come back specifying the remaining 2003 server as the password server, this all looks the same and seems to work....
>
> How much does capitalization matter? ADSIEDIT shows the ServicePrincipalNames as
>
> HOST/hostname.domain.wustl.edu
> HOST/HOSTNAME
>
> Where the keytab is:
>
> host/hostname.domain.wustl.edu
> host/hostname
>
>
> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Dirk Jakobsmeier
> Sent: Thursday, October 08, 2009 10:57 PM
> To: samba@lists.samba.org
> Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2
>
> Hello Mark,
>
> On Thursday 08 October 2009 16:03:13, Bober, Mark wrote:
> > Hello!
> > I'm having an odd issue between Samba and Win2k8R2. We updated one of our domain controllers to 2k8R2, and as such are working in a 2003-level AD environment. If I force the 'password server' to the 2003 DC, then everything works fine, only working against the 2008 box has issues.
>
> We have several issues here depending on one of our servers (2008). E.g. domain names (usern...@domainname) have to be written in capital letters when connecting to shares...
>
> > \\128.252.123.123\sharename
> >
> > And it works as expected - my clients are in the same domain, no password is asked for, etc.
> >
> > Using any form of the hostname in the URI, either \\hostname\sharename or \\hostname.domain.name\sharename in the URI will continually prompt for a password. Using 'smbclient' with the names in the URI on the Samba box itself works fine.
> >
> > log level = 1
>
> Did you try to set this to a higher level (and restart Samba)? I always use 99 so I get large logfiles with nearly all the information I need. The client log (log.clienthostname or log.clientip) could be interesting.
>
> --
> Kind regards
> Dirk Jakobsmeier / Systems Administration
> __________________________________________________________________________
> WIGE Konstruktionen GmbH & Co. KG
> Registered office Ravensburg, Ravensburg District Court HRA No. 1493
> Schwanenstrasse 4, 88214 Ravensburg
> Tel: 0751 / 36609 - 29 Fax: 0751 / 36609 - 66
> General partner: WIGE Konstruktionen Verwaltungsgesellschaft mbH, Ravensburg District Court HRB No. 2534
> Managing Directors: Eduard, Thomas & Jochen Geschwentner
>
> This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and delete this e-mail. Any unauthorized copying, disclosure or distribution of contents of this e-mail is strictly forbidden.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
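The mismatch Mark reports above (ADSI Edit showing HOST/HOSTNAME while the keytab holds host/hostname) is the kind of thing that is easy to miss by eye, because Windows compares SPNs case-insensitively while a Kerberos library that compares principals case-sensitively rejects the ticket with "Wrong principal in request". An IP-based UNC path gives the client no hostname to build an SPN from, so it falls back to NTLM instead of Kerberos, which is why the address-based path kept working. The following script is an added example and is not code from the thread, from Samba or from MIT Kerberos; it parses a constructed `klist -kt`-style listing and a constructed list of servicePrincipalName values, and reports which SPNs the keytab matches exactly, which it matches only if case is ignored (the thread's symptom), and which it lacks entirely. The sample hostnames, realm and timestamps are constructed.

```python
"""Added example (not from the thread): compare the SPNs registered on an
AD computer account with the principals present in the local keytab, and
flag entries that agree only when case is ignored.

All input below is constructed sample data in the shape of `klist -kt`
output and of the servicePrincipalName attribute as shown by ADSI Edit.
"""
import re

# Constructed sample: what `klist -kt /etc/krb5.keytab` prints.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   5 10/12/09 09:40:00 host/hostname.domain.wustl.edu@DOMAIN.WUSTL.EDU
   5 10/12/09 09:40:00 host/hostname@DOMAIN.WUSTL.EDU
   5 10/12/09 09:40:00 HOSTNAME$@DOMAIN.WUSTL.EDU
"""

# Constructed sample: servicePrincipalName values on the computer object.
SAMPLE_AD_SPNS = [
    "HOST/hostname.domain.wustl.edu",
    "HOST/HOSTNAME",
    "cifs/hostname.domain.wustl.edu",
]

# One keytab entry line: KVNO, date, time, principal.
_KLIST_LINE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)$")


def parse_klist(text):
    """Return the set of principal strings found in `klist -kt` style output."""
    principals = set()
    for line in text.splitlines():
        m = _KLIST_LINE.match(line)
        if m:
            principals.add(m.group(1))
    return principals


def split_principal(principal):
    """'host/fqdn@REALM' -> ('host/fqdn', 'REALM'); without a realm -> (name, None)."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        return principal, None
    return name, realm


def compare_spns(ad_spns, keytab_principals, realm):
    """Classify each AD SPN against the keytab entries for `realm`.

    Returns a dict with three lists, each in the order of `ad_spns`:
      exact     - keytab holds the SPN with identical case
      case_only - keytab holds it only with different case; pairs of
                  (spn, [keytab names]) that a case-sensitive comparison
                  rejects even though Windows considers them the same
      missing   - keytab has no entry for the SPN under any case
    """
    by_lower = {}
    for p in keytab_principals:
        name, prealm = split_principal(p)
        if prealm is not None and prealm != realm:
            continue  # entries for another realm cannot match this ticket
        by_lower.setdefault(name.lower(), set()).add(name)

    result = {"exact": [], "case_only": [], "missing": []}
    for spn in ad_spns:
        candidates = by_lower.get(spn.lower(), set())
        if spn in candidates:
            result["exact"].append(spn)
        elif candidates:
            result["case_only"].append((spn, sorted(candidates)))
        else:
            result["missing"].append(spn)
    return result


def principals_to_add(report):
    """SPNs that the keytab should gain, spelled exactly as AD registers them."""
    return [spn for spn, _ in report["case_only"]] + list(report["missing"])


if __name__ == "__main__":
    keytab = parse_klist(SAMPLE_KLIST_OUTPUT)
    report = compare_spns(SAMPLE_AD_SPNS, keytab, "DOMAIN.WUSTL.EDU")
    for spn in report["exact"]:
        print(f"OK:            {spn}")
    for spn, have in report["case_only"]:
        print(f"CASE MISMATCH: AD has {spn}, keytab has {', '.join(have)}")
    for spn in report["missing"]:
        print(f"MISSING:       {spn} is not in the keytab")
    for spn in principals_to_add(report):
        print(f"needs keytab entry: {spn}")
```

Run it as-is to see the constructed case; to check a real host, replace the two constructed inputs with the actual `klist -kt` output and the servicePrincipalName values from the computer object. The `principals_to_add` list is the set of names Ravi's workaround would add to the keytab; how you add them (for example with Samba's `net ads keytab add`) depends on your tooling and is not something this script does.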