Ubuntu
samba4 package

samba4 testing with smbclient fails

Bug #976137 reported by Leo Richard Comerford
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
samba4 (Ubuntu)
Expired
Undecided
Unassigned

Bug Description

I am attempting to install Samba 4 for use as a primary domain controller using version 4.0.0~alpha18.dfsg1-4 of samba4 on a new install of Ubuntu Server 12.04 beta 2 for x86-64. Problems show up when using smbclient to test the samba4 installation, as suggested in the official Samba 4 HOWTO http://wiki.samba.org/index.php/Samba4/HOWTO . The output from

smbclient //localhost/netlogon -Uadministrator

includes the lines

GSSAPI to 'localhost' does not make sense
Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER

and the password prompt fails to accept the password - the session ends with

Connection to \\localhost\netlogon failed - NT_STATUS_LOGON_FAILURE

after the third try. However

smbclient //localhost/netlogon -d 5 -Uadministrator%[the password]

*does* get to the smb: \> prompt, though the same two error messages show up in the debug output. Replacing localhost with irishtown.localonly.rvcomerford.ie (after DNS has been set up) changes the error messages to

Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.37.55.20
Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.37.55.20
Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.37.55.20
Failed to get kerberos credentials: kinit for <email address hidden> failed (Cannot contact any KDC for requested realm)

Cannot reach a KDC we require to contact <email address hidden> : kinit for <email address hidden> failed (Cannot contact any KDC for requested realm)

SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_NO_LOGON_SERVERS

My general network configuration seems to be working. DNS is set up, and the test host commands specified in the HOWTO all seem to work. There doesn't appear to be any firewalling going on. smbclient doesn't seem to be generating any messages on /var/log/syslog .

Revision history for this message
Jelmer Vernooij (jelmer) wrote :

Thanks for reporting your test results on Samba 4. I'm not sure what you're actually reporting as a bug here though?

Note that the HOWTO suggests "smbclient //localhost/netlogon -d 5 -Uadministrator%[the password]" and you report that actually works for you.

The lines:

GSSAPI to 'localhost' does not make sense
Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER

are showing up because it first tries to use GSSAPI (Kerberos), which doesn't work for localhost.

Changed in samba4 (Ubuntu):
status: New → Incomplete
Revision history for this message
Leo Richard Comerford (lrc1) wrote :

Oh, if it's not a samba bug, then great! I should probably explain how I got here, though, since I think I may not be the only person.

1) The password-nanny in provision (or whatever it's calling) is very hard to satisfy, so instead of using a simple password for testing I ended up omitting --adminpass and letting provision generate the password.

2) But there seemed to be some kind of BASH escape character in many of the auto-generated passwords, because pasting the password onto the end of

smbclient //localhost/netlogon -d 5 -Uadministrator%

in my PuTTY window would cause the smbclient logon to fail and bash to spit back about half the password with 'command not found'. Rather than digging into what bash was doing, an (apparently) easy workaround was just to omit the % and give the password interactively.

3) When I saw

smbclient //localhost/netlogon -d 5 -Uadministrator

fail despite getting the correct password, it was natural to assume that something was wrong with the samba setup - it's ... not intuitive for smbclient to behave differently depending on whether it was given the identical password interactively or on the command line. And while the HOWTO tells you to give the password on the command line, it doesn't say that giving it interactively won't work.

4) Eventually I cobbled together a password which provision would accept, and which I could pass to smbclient either interactively or in the command line. But by this time I 'knew' there was something wrong with samba's install/provision, so I was running smbclient with -d to try and find out why it was sometimes failing.

Revision history for this message
Leo Richard Comerford (lrc1) wrote :

("When I saw smbclient //localhost/netlogon -d 5 -Uadministrator fail despite getting the correct password" should be "When I saw smbclient //localhost/netlogon -Uadministrator fail despite getting the correct password" - I didn't start using -d until after I started getting login failures.)

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for samba4 (Ubuntu) because there has been no activity for 60 days.]

Changed in samba4 (Ubuntu):
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.