Thanks Jerry, that's very useful information.

The particular problem I am facing is that when samba tries to connect to another domain, kerberos can't find the principal, as in this example:

libads/sasl.c:ads_sasl_spnego_bind(211)
  ads_sasl_spnego_bind: got server principal name [EMAIL PROTECTED]
libsmb/clikrb5.c:ads_krb5_mk_req(389)
  ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (Server not found in Kerberos database)
nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain SIDERAR failed: Server not found in Kerberos database

What I understand is that the principal sarswdc3$ doesn't exist. If I try to kinit [EMAIL PROTECTED] it consequently fails. The thing I don't understand is why, if I kinit [EMAIL PROTECTED] (note the absence of the dollar sign), it finds it (I mean, it prompts for a password).

Any ideas I can try or anything further I can watch?

Best regards,
Martin

--
Martin arpon

Original Message:
-----------------
From: Gerald (Jerry) Carter [EMAIL PROTECTED]
Date: Wed, 06 Jul 2005 08:07:38 -0500
To: [EMAIL PROTECTED], [email protected]
Subject: Re: [Samba] Questions regarding ADS

[EMAIL PROTECTED] wrote:

| I've spent the last week troubleshooting a configuration issue regarding
| samba not being able to connect to other domains besides the domain of which
| it's a member server (samba 3.0.14a, krb 1.3.6, w2k).
|
| I have some doubts perhaps someone can answer...
|
| Suppose this scenario:
|
| Samba name : SAMBA
| Main domain: DOMAINA (domain controller = DCA)
| Other domains : DOMAINB, DOMAINC (domain controllers DCB and DCC)
|
|
| 1) When samba tries to connect via kerberos to other
| domains, which principal is it supposed to use? I'd think
| it is [EMAIL PROTECTED] What I see is that it first connects
| via LDAP using this machine account but then tries to connect
| via kerberos with [EMAIL PROTECTED] or [EMAIL PROTECTED] Is this
| correct or am I not understanding the logfiles correctly?

It should be obtaining a service for [EMAIL PROTECTED]
That's probably what you are seeing.

| 2) Is wbinfo --set-auth-user still needed? I'm not using
| it because I read somewhere that with 3.0+ it is not needed
| anymore.

Generally it is not needed. Certainly not when all the domains are AD and the Samba host is configured with 'security = ads'.

| 3) My krb5.conf doesn't contain any references to
| servers. All it contains is dns_lookup_realm=true,
| dns_lookup_kdc=true and default_realm=XXXXX. Do I
| need anything specific or can current krb5 obtain everything
| it needs from the DNS?

DNS is fine. That's how I run. Make sure that the appropriate SRV records are in DNS though.

| 4) Do I need to do the ktpass thing at the windows DC?

Nope. It is all handled by the AD trusts.

Hope this helps.

cheers, jerry
