On Mon, 2013-02-18 at 16:52 -0300, Friedrich Locke wrote:
> Dear list members,
>
> I am trying to get ldap + samba + kerberos working and have tried to
> make the proper configuration.
> Integrating samba + ldap was pretty easy, but getting kerberos to work
> seems a nightmare.
>
> Here is what I tried (copied and pasted from my link client):
>
> harley@802-1x:/etc/samba$ kdestroy
> harley@802-1x:/etc/samba$ kinit
> har...@ufv.br's Password:
> harley@802-1x:/etc/samba$ klist
> Credentials cache: FILE:/tmp/krb5cc_1000
>         Principal: har...@ufv.br
>
>   Issued                Expires               Principal
> Feb 18 15:53:33 2013  Feb 18 19:53:33 2013  krbtgt/ufv...@ufv.br
> harley@802-1x:/etc/samba$ smbclient //802-1x.cpd.ufv.br/printers -k
> session setup failed: NT_STATUS_LOGON_FAILURE
> harley@802-1x:/etc/samba$ klist
> Credentials cache: FILE:/tmp/krb5cc_1000
>         Principal: har...@ufv.br
>
>   Issued                Expires               Principal
> Feb 18 15:53:33 2013  Feb 18 19:53:33 2013  krbtgt/ufv...@ufv.br
> Feb 18 15:53:44 2013  Feb 18 19:53:33 2013  cifs/802-1x.cpd.ufv...@ufv.br
> harley@802-1x:/etc/samba$
>
> We can realize that smbclient is fetching the ticket to cifs service.
> But why NT_STATUS_LOGON_FAILURE?
> Nothing appears on smbd logs.

How is samba connected to the krb5 realm? What configuration options
have you set to make it use a keytab?

That all said, this kind of frustration is why I worked so hard on
Samba 4.0 as an AD DC, because it provides the server-side integration
of LDAP, Kerberos and the Domain protocols that allow Samba and Windows
member servers to join it, and for it to 'just work'.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org