Red Hat Bugzilla – Bug 161557
samba uses dns domain and not kerberos domain for kerberos.
Last modified: 2008-05-06 11:29:51 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4
Description of problem:
I configured Gnome authentication to "Kerberos" and I'm able to log-in correctly.
Then, I configured Samba with "security = ADS" and joined my domain.
Browsing network by network:/// works well.
Double-clicking on a PC icon, I get a user/domain/password request instead of PC shares list.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Configure Kerberos authentication in Gnome
2. Configure Samba to join ADS domain
3. Browse domain network and try to access shares list for some PCs
Actual Results: I get a user/domain/password request
Expected Results: Getting a shares list, without other authentications
Perhaps Nautilus does not support Kerberos authentication?
I'm experiencing the same problem. An ethereal trace shows it's not using
kerberos in any way. Looks like a bug in gnome-vfs2-smb to me, since the code to
do kerberos auth is certainly there.
Same problem on Fedora core 6.
Found out a network misconfiguration (vfs2-smb uses the dns domain, if it
differs from the wins domain kerberos won't work). Fixing the DNS so the domains
are the same made it work.
I don't know much about kerberos, but is this something gnome-vfs should do
I'm not sure it's gnome-vfs, but our windows clients "just worked" with the
difference in dns and wins domain. It seems somewhere the default kerberos
domain is taken from the default dns domain (as configured in /etc/resolv.conf)
while it should be using the kerberos domain.
Do you have something like:
.example.com = EXAMPLE.COM
for your domain in /etc/krb5.conf?
Yes, I've got two entries. The default and our company network domain as entered
in the authentication configuration tool.
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
topicus.local = TOPICUS.LOCAL
.topicus.local = TOPICUS.LOCAL
I really don't know kerberos well enough to know the problem, or if there is a
problem (apart from setup)
I guess this problem is unrelated to this original report, but it's really very
A system can have a DNS domain and a Kerberos domain. Normally (in a windows AD
configuration) these two are the same.
When plugging in my laptop on another location I get a different DNS domain, but
stay on the same Kerberos domain. Browsing a share on a server in the Kerberos
domain fails; a packet trace shows the DNS domain is used to authenticate to the
Kerberos server. I suppose this is done by gnome-vfs and/or samba (or whatever
package makes browsing network shares over kerberos possible).
It can be fixed by making it use the kerberos domain instead of the DNS domain.
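The distinction drawn in the comment above, as an added example that is not part of the original bug report and is not Samba or gnome-vfs code: a simplified Python model of the krb5.conf [domain_realm] lookup (exact host entry, then the most specific dotted parent-domain entry) next to a realm guessed from the client's resolv.conf. The host name fs1.topicus.local, the guest.example.net search domain and all function names are assumptions made for the illustration.

```python
# Simplified model of the krb5.conf [domain_realm] lookup; illustration only.
# Constructed sample: the mappings quoted in this thread.
KRB5_CONF = """\
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 topicus.local = TOPICUS.LOCAL
 .topicus.local = TOPICUS.LOCAL
"""
# Constructed sample: resolver settings handed out on a foreign network.
RESOLV_CONF = "search guest.example.net\nnameserver 192.0.2.53\n"


def parse_section(text, section):
    """Return the key = value pairs of one [section] as a dict."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            entries[key.lower()] = value
    return entries


def realm_for_host(hostname, conf_text):
    """Map the SERVER's host name to a realm: exact entry, then '.domain'."""
    mapping = parse_section(conf_text, "domain_realm")
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None  # no entry; a real library has further fallbacks


def realm_from_client_dns(resolv_conf_text):
    """The behaviour the reporters describe: realm guessed from resolv.conf."""
    for line in resolv_conf_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] in ("domain", "search"):
            return fields[1].upper()
    return None
```

For the constructed server name, the mapping-based lookup yields TOPICUS.LOCAL wherever the laptop is plugged in, while the resolv.conf guess follows the local network and yields GUEST.EXAMPLE.NET.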
gnome-vfs just turns on SMB_CTX_FLAG_USE_KERBEROS, so this seems to be a samba
This report targets the FC3 or FC4 products, which have now been EOL'd.
Could you please check that it still applies to a current Fedora release, and
either update the target product or close it?
I'm not authorized to change the product version, but my comments from November
last year were based on testing with FC6.
Ok, we need far more details on this.
Can you please provide a network trace containing the traffic from your nautilus
client up to the user/pwd prompt?
Also, Klaasjan, you have an AD forest infrastructure, it seems. Can you give us
the output of "net ads lookup -S yourkdcname-as-in-etc-krb5.conf". That would
help us to determine your correct dns domain name and forest dns name for
Also, the SMB_CTX_FLAG_USE_KERBEROS flag was not honored in all use-cases of
libsmbclient until very recently
(http://websvn.samba.org/cgi-bin/viewcvs.cgi?rev=21132&view=rev). Browsing a
server for the list of available shares should not be affected by this, though.
Fedora apologizes that these issues have not been resolved yet. We're
sorry it's taken so long for your bug to be properly triaged and acted
on. We appreciate the time you took to report this issue and want to
make sure no important bugs slip through the cracks.
If you're currently running a version of Fedora Core between 1 and 6,
please note that Fedora no longer maintains these releases. We strongly
encourage you to upgrade to a current Fedora release. In order to
refocus our efforts as a project we are flagging all of the open bugs
for releases which are no longer maintained and closing them.
If this bug is still open against Fedora Core 1 through 6, thirty days
from now, it will be closed 'WONTFIX'. If you can reproduce this bug in
the latest Fedora version, please change to the respective version. If
you are unable to do this, please add a comment to this bug requesting
Thanks for your help, and we apologize again that we haven't handled
these issues to this point.
The process we are following is outlined here:
We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.
And if you'd like to join the bug triage team to help make things
better, check out http://fedoraproject.org/wiki/BugZappers
This bug is open for a Fedora version that is no longer maintained and
will not be fixed by Fedora. Therefore we are closing this bug.
If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version.
Thank you for reporting this bug and we are sorry it could not be fixed.