FW: [Samba] Followup Restricting to a subset of the domain controllers on a site

Wayne Rasmussen Wayne at gomonarch.com
Sun Jun 3 22:58:02 GMT 2007



-----Original Message-----
From: Wayne Rasmussen 
Sent: Friday, June 01, 2007 11:01 AM
To: 'Gerald (Jerry) Carter'
Subject: RE: [Samba] Followup Restricting to a subset of the domain
controllers on a site

Noticed a couple of changes with Samba-3.0.25 and wondered if I am doing
something wrong or if it is a side-effect.
Attached three files: smb.conf, samba-3.0.10.log, samba-3.0.25.log

Compiled the new samba-3.0.25 release to replace our previous
samba-3.0.10 on a Solaris 9 server.  The AD Domain Controller is a
Windows 2000 system and is on my test lab.  Testing it before putting
it in the production environment.

Our samba startup scripts basically run as follows:

/usr/local/bin/kinit stevelongname@ADTEST.COM < /etc/DII.kinitkey
#where /etc/DII.kinitkey is the password for stevelongname@ADTEST.COM
#we can't get a keytab file in the real world situation.
/usr/local/samba/bin/net ads join
/usr/sfw/sbin/smbd -D
/usr/sfw/sbin/nmbd -D
/usr/local/samba/sbin/winbindd -B

We have been using the above procedure for 3+ years.


Problems/Issues:


#1) With Samba-3.0.25, when /usr/local/samba/bin/net ads join runs we
are now getting a prompt for a password.  This can be seen in the file
samba-3.0.25.log as:
Password for stevelongname@ADTEST.COM:
Password:

If I type in the password for stevelongname@ADTEST.COM, we get the
following error message:
[2007/05/31 14:00:02, 0] libsmb/cliconnect.c:cli_session_setup_spnego(853)
  Kinit failed: Client not found in Kerberos database
Failed to join domain: Improperly formed account name

If I just hit return it continues. This is what I did in the
samba-3.0.25.log.
Any ideas why this happens now?

#2)  klist shows a difference between samba-3.0.10 and samba-3.0.25.

Samba-3.0.10 has the following:
Valid starting     Expires            Service principal
05/30/07 19:20:14  05/31/07 05:20:14  krbtgt/ADTEST.COM@ADTEST.COM
   renew until 05/31/07 19:20:14
05/30/07 19:20:14  05/31/07 05:20:14  adtestserver01$@ADTEST.COM
   renew until 05/31/07 19:20:14
05/30/07 19:20:14  05/31/07 05:20:14  kadmin/changepw@ADTEST.COM
   renew until 05/31/07 19:20:14

Samba-3.0.25 has the following:
Valid starting     Expires            Service principal
05/31/07 13:38:31  05/31/07 23:38:31  krbtgt/ADTEST.COM@ADTEST.COM
   renew until 06/01/07 13:38:31
05/31/07 13:38:32  05/31/07 23:38:31  adtestserver01$@ADTEST.COM
   renew until 06/01/07 13:38:31

Does this matter?  Is kadmin/changepw@ADTEST.COM required?


Thank you for your time and effort on this!
Wayne
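
For question #2 above, a small shell helper, added here as an example and not part of the original message, that reports which service principals appear in one klist listing but not in the other. The function names klist_principals and klist_missing are hypothetical; the two listings are the ones quoted in the message.

```shell
#!/bin/sh
# Added example: list the service principals that one klist listing has
# and another lacks. Function names are hypothetical.

# Print sorted, unique service principals from klist output on stdin.
klist_principals() {
    awk '
        # Ticket lines start with a date: start date/time, expiry date/time,
        # then the principal. "renew until" and header lines are skipped.
        $1 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]$/ && NF >= 5 {
            p = $5
            for (i = 6; i <= NF; i++) p = p " " $i
            sub(/ at /, "@", p)   # list archives may mask "@" as " at "
            print p
        }' | sort -u
}

# Print principals present in listing $1 but absent from listing $2.
klist_missing() {
    old=$(printf '%s\n' "$1" | klist_principals)
    new=$(printf '%s\n' "$2" | klist_principals)
    printf '%s\n' "$old" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        printf '%s\n' "$new" | grep -Fqx -- "$p" || printf '%s\n' "$p"
    done
}

# The two listings quoted in the message.
OLD_KLIST='Valid starting     Expires            Service principal
05/30/07 19:20:14  05/31/07 05:20:14  krbtgt/ADTEST.COM@ADTEST.COM
   renew until 05/31/07 19:20:14
05/30/07 19:20:14  05/31/07 05:20:14  adtestserver01$@ADTEST.COM
   renew until 05/31/07 19:20:14
05/30/07 19:20:14  05/31/07 05:20:14  kadmin/changepw@ADTEST.COM
   renew until 05/31/07 19:20:14'

NEW_KLIST='Valid starting     Expires            Service principal
05/31/07 13:38:31  05/31/07 23:38:31  krbtgt/ADTEST.COM@ADTEST.COM
   renew until 06/01/07 13:38:31
05/31/07 13:38:32  05/31/07 23:38:31  adtestserver01$@ADTEST.COM
   renew until 06/01/07 13:38:31'

echo "Only in the 3.0.10 cache:"
klist_missing "$OLD_KLIST" "$NEW_KLIST"
```

On a live host the same functions can be fed the output of klist captured after each version's startup sequence.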



