Bug 161557 - samba uses dns domain and not kerberos domain for kerberos.
Summary: samba uses dns domain and not kerberos domain for kerberos.
Alias: None
Product: Fedora
Classification: Fedora
Component: samba
Version: 6
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: David Lawrence
Whiteboard: bzcl34nup
Depends On:
Reported: 2005-06-24 10:19 UTC by Mimmus
Modified: 2008-05-06 15:29 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-05-06 15:29:51 UTC


Description Mimmus 2005-06-24 10:19:49 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:
I configured Gnome authentication to "Kerberos" and I'm able to log-in correctly.
Then, I configured Samba with "security = ADS" and joined my domain.
Browsing network by network:/// works well.
Double-clicking on a PC icon, I get a user/domain/password request instead of PC shares list.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure Kerberos authentication in Gnome
2. Configure Samba to join ADS domain
3. Browse domain network and try to access shares list for some PCs

Actual Results:  I get a user/domain/password request

Expected Results:  Getting a shares list, without other authentications

Additional info:

Perhaps Nautilus does not support Kerberos authentication?

Comment 1 Klaasjan Brand 2006-01-17 11:14:23 UTC
I'm experiencing the same problem. An ethereal trace shows it's not using
kerberos in any way. Looks like a bug in gnome-vfs2-smb to me, since the code to
do kerberos auth is certainly there.

Comment 2 Klaasjan Brand 2006-11-02 14:27:37 UTC
Same problem on Fedora core 6.

Comment 3 Klaasjan Brand 2006-11-20 08:48:10 UTC
Found out a network misconfiguration (vfs2-smb uses the dns domain, if it
differs from the wins domain kerberos won't work). Fixing the DNS so the domains
are the same made it work.

Comment 4 Alexander Larsson 2006-11-20 15:38:28 UTC
I don't know much about kerberos, but is this something gnome-vfs should do

Comment 5 Klaasjan Brand 2006-11-20 15:45:24 UTC
I'm not sure it's gnome-vfs, but our windows clients "just worked" with the
difference in dns and wins domain. It seems somewhere the default kerberos
domain is taken from the default dns domain (as configured in /etc/resolv.conf)
while it should be using the kerberos domain.

Comment 6 Alexander Larsson 2006-11-20 16:50:55 UTC
Do you have something like:

[domain_realm] = EXAMPLE.COM

for your domain in /etc/krb5.conf

Comment 7 Klaasjan Brand 2006-11-27 12:42:13 UTC
Yes, I've got two entries. The default and our company network domain as entered
in the authentication configuration tool.

[domain_realm] = EXAMPLE.COM = EXAMPLE.COM

 topicus.local = TOPICUS.LOCAL
 .topicus.local = TOPICUS.LOCAL

Comment 8 Alexander Larsson 2006-11-28 10:23:22 UTC
I really don't know kerberos well enough to know the problem, or if there is a
problem (apart from setup)

Comment 9 Klaasjan Brand 2006-11-28 13:15:49 UTC
I guess this problem is unrelated to this original report, but it's really very
A system can have a DNS domain and a Kerberos domain. Normally (in a windows AD
configuration) these two are the same. 
When plugging in my laptop on another location I get a different DNS domain, but
stay on the same Kerberos domain. Browsing a share on a server in the Kerberos
domain fails; a packet trace shows the DNS domain is used to authenticate to the
Kerberos server. I suppose this is done by gnome-vfs and/or samba (or whatever
package makes browsing network shares over kerberos possible).
It can be fixed by making it use the kerberos domain instead of the DNS domain.
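
Added example (not from the bug report, Samba or gnome-vfs): a small check for the mismatch described in Comment 9, comparing the realm that the [domain_realm] section of krb5.conf maps a server host to against a realm guessed from the resolv.conf domain. The lookup order is a simplified model of MIT krb5's documented [domain_realm] matching; the host name fileserver.topicus.local, the guest.example.net domain and all function names are constructed for illustration.

```python
# Constructed sample inputs: a laptop whose Kerberos realm is TOPICUS.LOCAL
# but whose resolver was handed a different DNS domain at another location.
KRB5_CONF = """\
[libdefaults]
 default_realm = TOPICUS.LOCAL

[domain_realm]
 topicus.local = TOPICUS.LOCAL
 .topicus.local = TOPICUS.LOCAL
"""
RESOLV_CONF = "search guest.example.net\nnameserver 192.0.2.53\n"

def parse_sections(text):
    """Return {section: {key: value}} for simple 'key = value' krb5.conf lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

def mapped_realm(host, domain_realm):
    """Exact host entry first, then each parent domain written with a leading dot."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        realm = domain_realm.get("." + ".".join(labels[i:]))
        if realm:
            return realm
    return None  # no mapping: the library has to fall back to other heuristics

def dns_domain(resolv_text):
    """First 'domain' or 'search' entry in resolv.conf, lower-cased."""
    for line in resolv_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] in ("domain", "search"):
            return fields[1].lower()
    return None

def check(host, krb5_text, resolv_text):
    """Compare the mapped realm for host with a realm guessed from the DNS domain."""
    conf = parse_sections(krb5_text)
    mapped = mapped_realm(host, conf.get("domain_realm", {}))
    guess = (dns_domain(resolv_text) or "").upper() or None
    return {"default_realm": conf.get("libdefaults", {}).get("default_realm"),
            "mapped": mapped, "dns_guess": guess, "mismatch": mapped != guess}
```

A `mismatch` of `True` for a server that should be reachable with the user's existing ticket is the condition to look for in a packet trace: a ticket request naming the DNS-derived realm rather than the mapped one.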

Comment 10 Alexander Larsson 2006-11-28 14:28:14 UTC
gnome-vfs just turns on SMB_CTX_FLAG_USE_KERBEROS, so this seems to be a samba

Comment 11 Christian Iseli 2007-01-20 00:06:29 UTC
This report targets the FC3 or FC4 products, which have now been EOL'd.

Could you please check that it still applies to a current Fedora release, and
either update the target product or close it ?


Comment 12 Klaasjan Brand 2007-01-21 10:37:37 UTC
I'm not authorized to change the product version, but my comments from November
last year were based on testing with FC6.

Comment 13 Guenther Deschner 2007-05-24 13:17:24 UTC
Ok, we need far more details on this.

Can you please provide a network trace containing the traffic from your nautilus
client up to the user/pwd prompt ?

Also, Klaasjan, you have an AD forest infrastructure, it seems. Can you give us
the output of "net ads lookup -S yourkdcname-as-in-etc-krb5.conf". That would
help us to determine your correct dns domain name and forest dns name for
further debugging.

Also, the SMB_CTX_FLAG_USE_KERBEROS flag was not honored in all use-cases of
libsmbclient until very recently. Browsing a
server for the list of available shares should not be affected by this, though.

Comment 14 Bug Zapper 2008-04-04 01:58:06 UTC
Fedora apologizes that these issues have not been resolved yet. We're
sorry it's taken so long for your bug to be properly triaged and acted
on. We appreciate the time you took to report this issue and want to
make sure no important bugs slip through the cracks.

If you're currently running a version of Fedora Core between 1 and 6,
please note that Fedora no longer maintains these releases. We strongly
encourage you to upgrade to a current Fedora release. In order to
refocus our efforts as a project we are flagging all of the open bugs
for releases which are no longer maintained and closing them.

If this bug is still open against Fedora Core 1 through 6, thirty days
from now, it will be closed 'WONTFIX'. If you can reproduce this bug in
the latest Fedora version, please change to the respective version. If
you are unable to do this, please add a comment to this bug requesting
the change.

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we are following is outlined here:

We will be following the process here: to ensure this
doesn't happen again.

And if you'd like to join the bug triage team to help make things
better, check out

Comment 15 Bug Zapper 2008-05-06 15:29:50 UTC
This bug is open for a Fedora version that is no longer maintained and
will not be fixed by Fedora. Therefore we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
