On Thu, Jan 5, 2023 at 12:29 PM tizo <[email protected]> wrote:
>
> On Thu, Jan 5, 2023 at 9:48 AM tizo <[email protected]> wrote:
> >
> > > Hi,
> > >
> > > it looks like if the client is talking to 10.2.100.11 it is
> > > working as expected but with 10.12.100.1 it fails. Are there any details
> > > in the logs of those servers?
> > >
> > > bye,
> > > Sumit
> > >
> >
> > I couldn't find anything related on those server logs. They are the
> > Samba servers.
> >
> > Maybe it is a firewall problem, as both servers are in different
> > networks, and both clients are in different networks too. As for that,
> > I am sending two network captures from the client with the problem.
> > captura_login_ok is the one when login is working, and
> > captura_login_bad is the one when login is not working. I tried to
> > analyze them, and I found a significant difference in frame number 58.
> > In captura_login_ok all seems normal (the source is 10.2.100.11) and
> > in captura_login_bad it says "KRB Error: KRB5KRB_AP_ERR_BAD_INTEGRITY"
> > (the source is 10.12.100.1). Does it mean something to you?
> >
> > Thanks very much.
>
> UPDATE: I think now that the problem is not the network location. I
> have made some more tests, and it seems to me now that the clients
> with Ubuntu 20.04 and freeipa-client 4.8.6-1ubuntu2 are always
> working, and the clients with Ubuntu 22.04 and freeipa-client 4.9.8-1
> present the problem.

UPDATE 2: if I force the AD Kerberos servers to be one of the two Samba
servers in krb5.conf for the corresponding domain (with parameters kdc,
master_kdc, admin_server and kpasswd_server), it always works, even if
the configured server is 10.12.100.1. I am not a Kerberos expert, but
given that, my best guess right now is that one component of Ubuntu
22.04 is trying to use one of the AD servers for part of the Kerberos
communication, and the other AD server for the other part of the
Kerberos communication when using DNS autodiscovery, and that is not
working well in Samba servers.
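
Added example, not part of the original thread: one way to check the guess in UPDATE 2 against a capture such as captura_login_bad is to export its Kerberos frames and see whether the TGT came from one Samba server while the TGS-REQ went to the other. The tshark export format, the `analyze` helper, the client address and the sample rows are assumptions constructed for illustration.

```python
# Kerberos message types (RFC 4120) and the error codes named below.
AS_REP, TGS_REQ, KRB_ERROR = 11, 12, 30
ERR = {25: "KDC_ERR_PREAUTH_REQUIRED", 31: "KRB_AP_ERR_BAD_INTEGRITY"}

# Constructed sample, NOT the poster's capture. Columns are tab-separated, as from:
#   tshark -r captura_login_bad -Y kerberos -T fields -e frame.number \
#     -e ip.src -e ip.dst -e kerberos.msg_type -e kerberos.error_code
# 192.0.2.10 is a made-up client address; the KDC addresses are from the thread.
SAMPLE = (
    "10\t192.0.2.10\t10.2.100.11\t10\t\n"    # AS-REQ
    "11\t10.2.100.11\t192.0.2.10\t30\t25\n"  # KRB-ERROR: pre-auth required
    "12\t192.0.2.10\t10.2.100.11\t10\t\n"    # AS-REQ with pre-auth
    "13\t10.2.100.11\t192.0.2.10\t11\t\n"    # AS-REP (TGT issued)
    "14\t192.0.2.10\t10.12.100.1\t12\t\n"    # TGS-REQ sent to the other KDC
    "15\t10.12.100.1\t192.0.2.10\t30\t31\n"  # KRB-ERROR: bad integrity
)

def analyze(text, realm_kdcs):
    """Report which of realm_kdcs issued TGTs, which got TGS-REQs, and errors."""
    tgt_issuers, tgs_targets, errors = set(), set(), []
    for line in text.splitlines():
        frame, src, dst, mtype, ecode = (line.split("\t") + [""] * 5)[:5]
        if not (frame.isdigit() and mtype.isdigit()):
            continue  # blank line, or a frame carrying several messages
        mtype = int(mtype)
        if mtype == AS_REP and src in realm_kdcs:
            tgt_issuers.add(src)
        elif mtype == TGS_REQ and dst in realm_kdcs:
            tgs_targets.add(dst)
        elif mtype == KRB_ERROR and src in realm_kdcs and ecode.isdigit():
            code = int(ecode)
            if code != 25:  # pre-auth required is a normal step of the AS exchange
                errors.append((int(frame), src, ERR.get(code, f"error {code}")))
    return {
        "tgt_issuers": sorted(tgt_issuers),
        "tgs_targets": sorted(tgs_targets),
        # True when a TGS-REQ went to a KDC that did not issue the TGT
        "split": bool(tgt_issuers) and bool(tgs_targets - tgt_issuers),
        "errors": errors,
    }

if __name__ == "__main__":
    print(analyze(SAMPLE, {"10.2.100.11", "10.12.100.1"}))
```

Only traffic to and from the addresses passed in `realm_kdcs` is counted, so requests to KDCs of another realm do not show up as a split.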
