The problem is sort of solved...
First, I tried stopping smb and winbind and cleaning out all cache files (/var/cache/samba). Then joining worked fine for a while. Then it didn't. Whenever it didn't I got those weird messages with [EMAIL PROTECTED]@KLIENT.UIB.NO again.
Now the problem with the double realm name seems to be fixed. I still get the same errors joining (just with the correct realm name). Seen
from the AD side the join succeeds, and I can authenticate against AD as
expected. I'm not sure what this is, but I'll get someone on the AD side
to help me clean out the credentials for IFTSMB100 completely. Does
anyone here know what it takes to get completely rid of all traces of a
host in the kerberos part of AD so I can really retry from scratch?
To get to a working setup I had to add a domain-to-realm mapping in
krb5.conf so my domain maps to a realm name (map ift.uib.no to KLIENT.UIB.NO) and match the default realm in krb5.conf to the realm in
smb.conf (KLIENT.UIB.NO). This is the realm where computers live in this
setup. Users live in other domains.
My new config files are at http://www.ift.uib.no/~birger/krb5.conf and
http://www.ift.uib.no/~birger/smb.conf
I also upgraded kerberos and samba to the versions in the yum develop repo for fc3. samba*-3.0.9-2 and krb5*-1.3.5-2
Now, even with the preauthentication failures when joining I have a working server that authenticates as expected. :-)
-- birger
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
