I'm still fighting with this issue. The Windows server seems not to provide a clue.

To recap: I have a SAMBA server on an openSUSE Tumbleweed machine. It has joined the corporate Windows AD. I want to authenticate users accessing SAMBA shares in this AD.

I can join the corporate AD with kinit. I have the following:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: roropq@ZZZ.RAMBOLL-GROUP.GLOBAL.NETWORK

Valid starting     Expires            Service principal
03/07/17 14:16:24  03/08/17 00:16:24  krbtgt/ZZZ.RAMBOLL-GROUP.GLOBAL.NETWORK@ZZZ.RAMBOLL-GROUP.GLOBAL.NETWORK
        renew until 03/08/17 14:16:20

# net ads info
LDAP server: 10.2.5.22
LDAP server name: RAMSTODCZZ.ramboll.ramboll-group.global.network
Realm: ZZZ.RAMBOLL-GROUP.GLOBAL.NETWORK
Bind Path: dc=ZZZ,dc=RAMBOLL-GROUP,dc=GLOBAL,dc=NETWORK
LDAP port: 389
Server time: Tue, 07 Mar 2017 14:30:05 CET
KDC server: 10.2.5.22
Server time offset: 0
Last machine account password change: Thu, 02 Mar 2017 13:36:54 CET

But I cannot authenticate against SAMBA (with either smbclient on this or a remote machine, or from a Windows PC wanting to access the SAMBA shares).

% smbclient -k -d 10 //ZZZ.RAMBOLL-GROUP.GLOBAL.NETWORK/roropq
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
Processing section "[global]"
doing parameter workgroup = RAMBOLL
doing parameter passdb backend = tdbsam
doing parameter printing = cups
doing parameter printcap name = cups
doing parameter printcap cache time = 750
doing parameter cups options = raw
doing parameter map to guest = Bad User
doing parameter include = /etc/samba/dhcp.conf
Can't find include file /etc/samba/dhcp.conf
doing parameter logon path = \\%L\profiles\.msprofile
doing parameter logon home = \\%L\%U\.9xprofile
doing parameter logon drive = P:
doing parameter winbind gid = 10000-20000
doing parameter winbind uid = 10000-20000
doing parameter winbind separator = /
doing parameter winbind nested groups = yes
doing parameter winbind enum groups = yes
doing parameter winbind enum users = yes
doing parameter winbind refresh tickets = yes
doing parameter realm = ZZZ.RAMBOLL-GROUP.GLOBAL.NETWORK
doing parameter security = ADS
doing parameter template homedir = /home/%D/%U
doing parameter template shell = /bin/bash
doing parameter mangled names = no
doing parameter usershare max shares = 100
doing parameter usershare allow guests = No
doing parameter password server = ramstodcZZ.ramboll.ramboll-group.global.network
doing parameter server max protocol = smb3
doing parameter log level = auth:10
doing parameter client use spnego = yes
doing parameter client ntlmv2 auth = yes
doing parameter encrypt passwords = yes
doing parameter winbind use default domain = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface docker0 ip=172.17.0.1 bcast=172.17.255.255 netmask=255.255.0.0
added interface enp4s0 ip=10.2.10.40 bcast=10.2.10.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="STO-OPQ-SRC"
Client started (version 4.5.3-0-SUSE-oS13.3-x86_64).
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
sitename_fetch: Returning sitename for realm 'ZZZ.RAMBOLL-GROUP.GLOBAL.NETWORK': "se-sto"
internal_resolve_name: looking up ZZZ.RAMBOLL-GROUP.GLOBAL.NETWORK#20 (sitename se-sto)
Adding cache entry with key=[NBT/ZZZ.RAMBOLL-GROUP.GLOBAL.NETWORK#20] and timeout=[Thu Jan 1 01:00:00 1970 CET] (-1488893169 seconds in the past)
no entry for ZZZ.RAMBOLL-GROUP.GLOBAL.NETWORK#20 found.
resolve_hosts: Attempting host lookup for name ZZZ.RAMBOLL-GROUP.GLOBAL.NETWORK<0x20>
remove_duplicate_addrs2: looking for duplicate address/port pairs
namecache_store: storing 25 addresses for ZZZ.RAMBOLL-GROUP.GLOBAL.NETWORK#20: 10.192.0.20,10.15.1.18,10.4.2.73,10.194.2.20,10.16.22.2,10.14.101.7,10.160.24.5,10.9.14.10,10.33.0.0,10.4.2.216,10.4.2.74,10.4.3.106,10.4.174.58,10.128.12.110,10.3.0.3,10.14.32.21,10.2.5.22,10.97.2.5,10.193.0.20,10.4.2.214,10.1.1.53,10.144.8.20,10.4.120.26,10.11.161.63,10.2.5.21
Adding cache entry with key=[NBT/RAMBOLL.RAMBOLL-GROUP.GLOBAL.NETWORK#20] and timeout=[Tue Mar 7 14:37:09 2017 CET] (660 seconds ahead)
internal_resolve_name: returning 25 addresses: 10.192.0.20:0 10.15.1.18:0 10.4.2.73:0 10.194.2.20:0 10.16.22.2:0 10.14.101.7:0 10.160.24.5:0 10.9.14.10:0 10.33.0.0:0 10.4.2.216:0 10.4.2.74:0 10.4.3.106:0 10.4.174.58:0 10.128.12.110:0 10.3.0.3:0 10.14.32.21:0 10.2.5.22:0 10.97.2.5:0 10.193.0.20:0 10.4.2.214:0 10.1.1.53:0 10.144.8.20:0 10.4.120.26:0 10.11.161.63:0 10.2.5.21:0
Connecting to 10.192.0.20 at port 445
E2BIG: convert_string(UTF-8,CP850): srclen=37 destlen=16 - 'ZZZ.RAMBOLL-GROUP.GLOBAL.NETWORK'
Connecting to 10.192.0.20 at port 139
Connecting to 10.15.1.18 at port 445
Connecting to 10.4.2.73 at port 445
Connecting to 10.194.2.20 at port 445
Connecting to 10.16.22.2 at port 445
Connecting to 10.14.101.7 at port 445
Connecting to 10.160.24.5 at port 445
Connecting to 10.9.14.10 at port 445
Connecting to 10.33.0.0 at port 445
Connecting to 10.4.2.216 at port 445
Connecting to 10.4.2.74 at port 445
Connecting to 10.4.3.106 at port 445
Connecting to 10.4.174.58 at port 445
Connecting to 10.128.12.110 at port 445
Connecting to 10.3.0.3 at port 445
Connecting to 10.14.32.21 at port 445
Connecting to 10.2.5.22 at port 445
Connecting to 10.97.2.5 at port 445
Connecting to 10.193.0.20 at port 445
Connecting to 10.4.2.214 at port 445
Connecting to 10.1.1.53 at port 445
Connecting to 10.144.8.20 at port 445
Connecting to 10.4.120.26 at port 445
Connecting to 10.11.161.63 at port 445
Connecting to 10.2.5.21 at port 445
Socket options:
  SO_KEEPALIVE = 0
  SO_REUSEADDR = 0
  SO_BROADCAST = 0
  TCP_NODELAY = 1
  TCP_KEEPCNT = 9
  TCP_KEEPIDLE = 7200
  TCP_KEEPINTVL = 75
  IPTOS_LOWDELAY = 0
  IPTOS_THROUGHPUT = 0
  SO_REUSEPORT = 0
  SO_SNDBUF = 87040
  SO_RCVBUF = 372480
  SO_SNDLOWAT = 1
  SO_RCVLOWAT = 1
  SO_SNDTIMEO = 0
  SO_RCVTIMEO = 0
  TCP_QUICKACK = 1
  TCP_DEFER_ACCEPT = 0
session request ok
Doing spnego session setup (blob length=120)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
kerberos_get_principal_from_service_hostname: cannot get realm from, desthost ZZZ.RAMBOLL-GROUP.GLOBAL.NETWORK or default ccache. Using default smb.conf realm ZZZ.RAMBOLL-GROUP.GLOBAL.NETWORK
cli_session_setup_spnego: guessed server principal=cifs/ZZZ.RAMBOLL-GROUP.GLOBAL.NETWORK@ZZZ.RAMBOLL-GROUP.GLOBAL.NETWORK
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
kerberos_get_principal_from_service_hostname: cannot get realm from, desthost ZZZ.RAMBOLL-GROUP.GLOBAL.NETWORK or default ccache. Using default smb.conf realm ZZZ.RAMBOLL-GROUP.GLOBAL.NETWORK
gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server not found in Kerberos database]
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR

I would have thought the following would be the same as the command above (using the workgroup instead of the realm):

% smbclient -k -d 10 //RAMBOLL/roropq
Netbios name list:-
my_netbios_names[0]="STO-OPQ-SRC"
Client started (version 4.5.3-0-SUSE-oS13.3-x86_64).
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
sitename_fetch: Returning sitename for realm 'RAMBOLL.RAMBOLL-GROUP.GLOBAL.NETWORK': "se-sto"
internal_resolve_name: looking up RAMBOLL#20 (sitename se-sto)
Adding cache entry with key=[NBT/RAMBOLL#20] and timeout=[Thu Jan 1 01:00:00 1970 CET] (-1488893852 seconds in the past)
Could not get allrecord lock on gencache_notrans.tdb: Locking error
no entry for RAMBOLL#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name RAMBOLL<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
getlmhostsent: lmhost entry: 10.160.24.5 RAMBOLL RAMBOLL.RAMBOLL-GROUP.GLOBAL.NETWORK
getlmhostsent: group flag in lmhosts ignored (obsolete)
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name RAMBOLL<0x20>
resolve_hosts: getaddrinfo failed for name RAMBOLL [Name or service not known]
name_resolve_bcast: Attempting broadcast lookup for name RAMBOLL<0x20>
Connection to RAMBOLL failed (Error NT_STATUS_UNSUCCESSFUL)

I cleaned up the Kerberos tickets (kdestroy -A), and got a new one. Just to see that I got a new one. And I did.

My current samba config is:

[global]
    workgroup = RAMBOLL
    passdb backend = tdbsam
    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    map to guest = Bad User
    include = /etc/samba/dhcp.conf
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:
    winbind gid = 10000-20000
    winbind uid = 10000-20000
    winbind separator = /
    winbind nested groups = yes
    winbind enum groups = yes
    winbind enum users = yes
    winbind refresh tickets = yes
    realm = ZZZ.RAMBOLL-GROUP.GLOBAL.NETWORK
    security = ADS
    template homedir = /home/%D/%U
    template shell = /bin/bash
    mangled names = no
    usershare max shares = 100
    usershare allow guests = No
    password server = ramstodcZZ.ramboll.ramboll-group.global.network
    server max protocol = smb3
    log level = auth:10
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    winbind use default domain = yes

An older SAMBA on an older Linux server works in this AD.

I don't know how to proceed.

-- 
Roger Oberholtzer
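
Added example, not part of the original post: a small Python check that pairs the service principal smbclient guessed with the GSS-API failure that follows it in a `-d 10` log, and flags the case visible in the log above, where the host part of the requested principal is the realm name itself. "Server not found in Kerberos database" is the KDC reporting that no account carries the requested service principal name. The sample lines are constructed from the output quoted in the post; `diagnose` and its field names are illustrative.

```python
import re

# Constructed sample: lines in the shape of the `smbclient -k -d 10` output quoted in the post.
SAMPLE_LOG = """\
cli_session_setup_spnego: guessed server principal=cifs/ZZZ.RAMBOLL-GROUP.GLOBAL.NETWORK@ZZZ.RAMBOLL-GROUP.GLOBAL.NETWORK
Starting GENSEC submechanism gse_krb5
gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server not found in Kerberos database]
session setup failed: NT_STATUS_INTERNAL_ERROR
"""

# service/host@REALM as printed by cli_session_setup_spnego
SPN_RE = re.compile(r"guessed server principal=(?P<svc>[^/\s]+)/(?P<host>[^@\s]+)@(?P<realm>\S+)")
# The bracketed GSS-API message may be wrapped across lines in a pasted log.
GSS_FAIL_RE = re.compile(r"gss_init_sec_context failed with \[(?P<msg>.*?)\]", re.S)
UNKNOWN_SPN = "Server not found in Kerberos database"


def diagnose(log_text):
    """Pair each GSS-API failure with the service principal guessed before it."""
    events = [(m.start(), "spn", m) for m in SPN_RE.finditer(log_text)]
    events += [(m.start(), "fail", m) for m in GSS_FAIL_RE.finditer(log_text)]
    findings, last_spn = [], None
    for _, kind, m in sorted(events, key=lambda e: e[0]):
        if kind == "spn":
            last_spn = m
            continue
        msg = " ".join(m["msg"].split())  # undo line wrapping
        finding = {"spn": None, "error": msg,
                   "unknown_spn": UNKNOWN_SPN in msg, "host_is_realm": False}
        if last_spn is not None:
            finding["spn"] = "{svc}/{host}@{realm}".format(**last_spn.groupdict())
            # True when the ticket was requested for the realm name itself
            # rather than for the DNS name of one particular server.
            finding["host_is_realm"] = last_spn["host"].lower() == last_spn["realm"].lower()
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f)
```

A finding with `unknown_spn` true names the exact principal to look for on the directory side (for example with `setspn -Q` on a domain controller).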