Hi

  I've got problems getting things to work here. The setup:

AD: W2008R1
client: Ubuntu 10.04 (lucid alpha2), with samba 3.4.3, MIT 1.7

I get an error when joining the domain, and when trying to kinit using the machine principal with any other name than HOST$ (and that worked only after forcing the crypto to des-cbc-crc):

nexus6 etc # net ads join -W ORG.AALTO.FI -U wa.aaltonen
Enter wa.aaltonen's password:
Using short domain name -- AALTO
Joined 'NEXUS6' to realm 'org.aalto.fi'
[2010/01/21 10:49:35,  0] libads/kerberos.c:332(ads_kinit_password)
  kerberos_kinit_password [email protected] failed: Client not found in Kerberos database
nexus6 etc # klist -k
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 [email protected]
   2 [email protected]
   2 [email protected]

nexus6 etc # kinit -k [email protected]
kinit: Client not found in Kerberos database while getting initial credentials
nexus6 etc # kinit -k NEXUS6$
nexus6 etc # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
01/21/10 11:00:13  01/21/10 21:00:13  krbtgt/[email protected]
        renew until 01/22/10 11:00:13


I've been pulling my hair out because of this... Would W2008 R2 help? We can't upgrade yet though, since the backup software doesn't support it at the moment.

Here's the smb.conf and krb5.conf. Note that I'm trying to use sssd instead of winbind, but it fails to do a sasl bind because of invalid creds, so there has to be something wrong in the kerberos setup. Funny that the same-ish krb5.conf works just fine on Solaris.

#### krb5.conf
[libdefaults]
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
default_realm = ORG.AALTO.FI
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = true

[realms]
ORG.AALTO.FI = {
  kdc = dc01.org.aalto.fi
  kdc = dc02.org.aalto.fi
  kdc = dc03.org.aalto.fi
  kdc = dc04.org.aalto.fi
  kdc = dca01.org.aalto.fi
  kdc = dca02.org.aalto.fi
  kdc = dct01.org.aalto.fi
  kdc = dct02.org.aalto.fi
  kpasswd_server = dc01.org.aalto.fi
  kpasswd_protocol = SET_CHANGE
  admin_server = dc01.org.aalto.fi
}

[domain_realm]
.org.aalto.fi = ORG.AALTO.FI

[appdefaults]
kinit = {
  renewable = true
  forwardable = true
}

#### smb.conf
[global]
  workgroup = AALTO
  realm = ORG.AALTO.FI
  security = ads
  kerberos method = system keytab
  winbind use default domain = yes

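An added example, not from the original post and not Samba or MIT Kerberos code: a small Python audit that parses `klist -ket` output and the [libdefaults] block of krb5.conf to show which keytab principals carry only single-DES keys and whether the client config pins DES, as the krb5.conf above does with des-cbc-crc. The keytab listing and config text below are constructed to mirror this post's setup; nothing is assumed about what enctypes the domain controllers actually issue.

```python
"""Audit klist -ket output and krb5.conf [libdefaults] for single-DES enctypes."""
import re

# Constructed sample of `klist -ket /etc/krb5.keytab` (MIT display names),
# modelled on the post's keytab: the host SPN has DES and AES keys, the
# machine account name has only a DES key.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 01/21/10 10:49:35 host/nexus6.org.aalto.fi@ORG.AALTO.FI (DES cbc mode with CRC-32)
   2 01/21/10 10:49:35 host/nexus6.org.aalto.fi@ORG.AALTO.FI (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 01/21/10 10:49:35 NEXUS6$@ORG.AALTO.FI (DES cbc mode with CRC-32)
"""

# The [libdefaults] block from the post's krb5.conf, which forces DES.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
default_realm = ORG.AALTO.FI
"""

# kvno, optional timestamp, principal@REALM, then "(enctype display name)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+.*?(\S+@\S+)\s+\((.+)\)\s*$")
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def parse_keytab_listing(text):
    """Return {principal: set of enctype names} from klist -ket output."""
    keys = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            keys.setdefault(m.group(2), set()).add(m.group(3))
    return keys

def is_des(enctype):
    """True for single DES ("des-cbc-crc", "DES cbc mode ..."), not triple DES ("des3-...")."""
    return re.match(r"des(-| cbc)", enctype.lower()) is not None

def configured_enctypes(conf_text):
    """Collect enctypes named by the [libdefaults] enctype settings in krb5.conf."""
    found, section = set(), None
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line
        elif section == "[libdefaults]" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() in ENCTYPE_KEYS:
                found.update(value.split())
    return found

def audit(klist_text, conf_text):
    """List principals whose keys are all single DES and flag a DES-only client config."""
    keys = parse_keytab_listing(klist_text)
    des_only = sorted(p for p, encs in keys.items() if all(is_des(e) for e in encs))
    conf = configured_enctypes(conf_text)
    return {"des_only_principals": des_only,
            "config_des_only": bool(conf) and all(is_des(e) for e in conf)}

if __name__ == "__main__":
    print(audit(SAMPLE_KLIST, SAMPLE_KRB5_CONF))
```

On a real host, feed it the output of `klist -ket /etc/krb5.keytab` and the contents of /etc/krb5.conf instead of the constructed samples.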