Hello,

I'm trying to authenticate all our Linux machines to our ADS domain. As of now, I'm 
still in the process of setting up all the individual components before pushing the 
setup out. I've made quite a bit of progress, but I've hit a hitch when trying to add 
the machine's service principals (the 'host' primary specifically) to its keytab.
I've searched, but I haven't seen this particular issue addressed. I get the same 
results when doing 'net ads join' and 'net ads keytab create/add/flush' (which makes 
sense because they all end up calling ads_keytab_add_entry anyway). Here's my output:

# net ads join SanJose/KW/Computers -d 3
[2004/10/25 12:56:30, 3] param/loadparm.c:lp_load(3920)
  lp_load: refreshing parameters
[2004/10/25 12:56:30, 3] param/loadparm.c:init_globals(1324)
  Initialising global parameters
[2004/10/25 12:56:30, 3] param/params.c:pm_process(566)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2004/10/25 12:56:30, 3] param/loadparm.c:do_section(3413)
  Processing section "[global]"
[2004/10/25 12:56:30, 2] lib/interface.c:add_interface(79)
  added interface ip=10.50.195.251 bcast=10.50.199.255 nmask=255.255.248.0
[2004/10/25 12:56:30, 3] libads/ldap.c:ads_connect(247)
  Connected to LDAP server 10.50.192.51
[2004/10/25 12:56:30, 3] libads/ldap.c:ads_server_info(2318)
  got ldap server name [EMAIL PROTECTED], using bind path: dc=NA,dc=OURCOMPANY,dc=COM
[2004/10/25 12:56:30, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2004/10/25 12:56:30, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2004/10/25 12:56:30, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2004/10/25 12:56:30, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2004/10/25 12:56:30, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
  ads_sasl_spnego_bind: got server principal name [EMAIL PROTECTED]
[2004/10/25 12:56:30, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(252)
  Ticket in ccache[FILE:/tmp/krb5cc_0] expiration Mon, 25 Oct 2004 13:10:03 GMT
[2004/10/25 12:56:30, 0] libads/ldap.c:ads_add_machine_acct(1283)
  ads_add_machine_acct: Host account for lnx251 already exists - modifying old account
Using short domain name -- WINNTDOM
[2004/10/25 12:56:41, 2] libads/kerberos_keytab.c:ads_keytab_add_entry(79)
  ads_keytab_add_entry: Using default system keytab: FILE:/etc/krb5.keytab
[2004/10/25 12:56:41, 3] libads/kerberos_keytab.c:ads_keytab_add_entry(122)
  ads_keytab_add_entry: Will try to delete old keytab entries
[2004/10/25 12:56:41, 3] libads/kerberos_keytab.c:ads_keytab_add_entry(231)
  ads_keytab_add_entry: adding keytab entry for (host/[EMAIL PROTECTED]) with encryption type (18) and version (3)
[2004/10/25 12:56:41, 1] libads/kerberos_keytab.c:ads_keytab_add_entry(236)
  ads_keytab_add_entry: adding entry to keytab failed (Cannot write to specified key table)
[2004/10/25 12:56:41, 1] libads/kerberos_keytab.c:ads_keytab_create_default(418)
  ads_keytab_create_default: ads_keytab_add_entry failed while adding 'host'.
[2004/10/25 12:56:41, 1] utils/net_ads.c:net_ads_join(829)
  Error creating host keytab!
Joined 'LNX251' to realm 'NA.OURCOMPANY.COM'
[2004/10/25 12:56:41, 2] utils/net.c:main(792)
  return code = 0


I've tried manually creating a keytab with ktutil, and it still doesn't help. I 
checked the Kerberos error codes, and it checks out, but I'm guessing that writability 
to the keytab isn't the real issue at hand.

Any ideas?

I'm using the following:

samba-3.0.6
krb5-workstation-1.3.4


Regards,
Al