On 01/27/2012 05:37 AM, Andrew Bartlett wrote:
On Sun, 2012-01-22 at 15:32 +0100, steve wrote:
even though I've made a ldap/hh3.site principal:
hh3:/tmp # samba-tool spn add ldap/hh3.site Administrator
hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab --principal=ldap/hh3.site
Why do I get the
Decrypt integrity check failed
error?
Why do you keep doing this?
What makes you think this is the right thing to do (so I can correct
whatever gave you this misconception).
Samba will not read /etc/ldap.keytab.
Samba uses the private keytab containing its own machine account only.
Samba should not be contacted via the dns domain name, it should be
contacted by the fully qualified domain name.
The fact the dns domain name (hh3.site) resolves is an artefact of the
default AD DNS zone, but should not be used. If your client uses the
fully qualified name (dc.hh3.site), it will collect the correct ticket,
and Samba will decrypt it.
Thanks,
Andrew Bartlett
Hi
Thanks for pointing this out. It turned out that when I provisioned, I
had the fqdn wrong. Duh! I set that correctly in /etc/hosts,
reprovisioned and everything sprang to life. ldapsearch -Y GSSAPI worked
and I could extract stuff I'd put into the s4 LDAP database so our Linux
users could connect.
I have still not been able to get winbind nor the fileserver working, so
I've added nfs4 for the Linux clients and there I did need to add a
principal for the kerberized nfs, otherwise the nfs server would not
start. It's a bit of a hack but it's good enough for us at the moment. I
got around the user id mappings as described here:
http://linuxcostablanca.blogspot.com/p/samba-4.html
Thanks for your time,
Steve
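A small preflight check for the failure mode discussed in this thread, added here as an example and not code from Samba or from either poster. It flags a client that targets the bare AD DNS domain (ldap/hh3.site) instead of the DC's FQDN (ldap/dc.hh3.site), and an /etc/hosts entry whose canonical name is not the FQDN, which is what caused the mis-provisioning above. The hostnames, realm and /etc/hosts content are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CheckResult:
    ok: bool
    expected_spn: str          # the SPN the client will ask the KDC for
    problems: List[str] = field(default_factory=list)


def parse_hosts(text: str) -> Dict[str, Tuple[str, str]]:
    """Map every name in /etc/hosts-style text to (ip, canonical name).
    The canonical name is the first name after the address."""
    names: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *hostnames = line.split()
        for name in hostnames:
            names[name.lower()] = (ip, hostnames[0].lower())
    return names


def check_ldap_target(ldap_host: str, realm: str, hosts_text: str) -> CheckResult:
    """Return why a GSSAPI bind to ldap_host would fail against a DC in realm."""
    domain = realm.lower().rstrip(".")
    host = ldap_host.lower().rstrip(".")
    problems: List[str] = []
    if host == domain:
        # The bare domain resolves (AD zone artefact) but names no DC; the
        # ticket would be for ldap/<domain>, a key the DC's keytab lacks.
        problems.append(f"{host} is the AD DNS domain, not a DC FQDN")
    elif not host.endswith("." + domain):
        problems.append(f"{host} is outside the realm's DNS domain {domain}")
    entry = parse_hosts(hosts_text).get(host)
    if entry is None:
        problems.append(f"{host} has no /etc/hosts entry")
    elif entry[1] != host:
        problems.append(f"canonical name for {entry[0]} is {entry[1]}, not {host}")
    return CheckResult(not problems, f"ldap/{host}", problems)


# Constructed sample hosts files: FQDN first (good) vs short name first (bad).
HOSTS_GOOD = "127.0.0.1 localhost\n192.0.2.10 dc.hh3.site dc\n"
HOSTS_BAD = "127.0.0.1 localhost\n192.0.2.10 dc dc.hh3.site\n"
```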