On Wed, Jun 17, 2009 at 09:27:01PM +1000, Malcolm Gibbs wrote:
> Hi,
>
> Thanks for your help on this one.
>
> With that ticket loaded in the cache, I rejoined the domain (which I
> could always do successfully) but idmap show still fails with "No AD
> Servers"
>
> That service is disabled in the SS7000 appliance kit.

Why (and what is the SS7000 app kit)?

> Starting it clears that error on the kinit but has no effect on the
> idmap failures.

As expected.

> fw02-2009Q2# svcs svc:/network/security/ktkt_warn
> STATE          STIME    FMRI
> disabled        9:25:32 svc:/network/security/ktkt_warn:default
>
> fw02-2009Q2# svcadm enable /network/security/ktkt_warn
>
> fw02-2009Q2# svcs svc:/network/security/ktkt_warn
> STATE          STIME    FMRI
> online          6:12:39 svc:/network/security/ktkt_warn:default
>
> fw02-2009Q2# idmap show -cv malcolm at fishworks.com
> winname:malcolm at fishworks.com -> uid:60001
> Error: No AD servers
>
> That error has now gone on the kinit
> fw02-2009Q2# kinit Administrator
> Password for Administrator at FISHWORKS.COM:
>
> fw02-2009Q2# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator at FISHWORKS.COM
>
> Valid starting       Expires              Service principal
> 06/17/09 06:13:12    06/17/09 16:13:16    krbtgt/FISHWORKS.COM at FISHWORKS.COM
>         renew until 06/24/09 06:13:12
>
> fw02-2009Q2# idmap show -cv malcolm at fishworks.com
> winname:malcolm at fishworks.com -> uid:60001
> Error: No AD servers
>
> fw02-2009Q2# smbadm join -u administrator fishworks.com
> After joining fishworks.com the smb service will be restarted
> automatically.
> Would you like to continue? [no]: yes
> Enter domain password:
> Joining fishworks.com ... this may take a minute ...
> Successfully joined fishworks.com
>
> fw02-2009Q2# idmap show -cv malcolm at fishworks.com
> winname:malcolm at fishworks.com -> uid:60001
> Error: No AD servers
>
> fw02-2009Q2# smbadm list
> [*] [FISHWORKS]
> [*] [fishworks.com]
> [+win2008-01.fishworks.com] [192.168.56.20]
> [*] [FISHWORKS] [S-1-5-21-424206279-106027690-574836047]
> [.] [FW02-2009Q2] [S-1-5-21-2328018714-2221239836-2816574501]
>
>
> I still get heaps of these in the debug log
>
> Jun 17 06:15:47 fw02-2009Q2 idmap[987]: [ID 702911 auth.notice] GSSAPI
> Error: Unspecified GSS failure.  Minor code may provide more information
> (Preauthentication failed)
> Jun 17 06:15:47 fw02-2009Q2 idmap[987]: [ID 706612 daemon.info] LDAP
> SASL bind to win2008-01.fishworks.com:389 failed (Local error)

A snoop of traffic for both the idmap and the smbadm join would be good,
as would the AD access/error logs for both.

--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/