[Samba] domain join & kinit woes
Timo Aaltonen
tjaalton at cc.hut.fi
Thu Jan 21 02:59:59 MST 2010
Hi
I've got problems getting things to work here.. The setup:
AD: W2008R1
client: Ubuntu 10.04 (lucid alpha2), with samba 3.4.3, MIT 1.7
I get an error when joining the domain, and when trying to kinit using the
machine principal with any other name than HOST$ (and that worked only
after forcing the crypto to des-cbc-crc):
nexus6 etc # net ads join -W ORG.AALTO.FI -U wa.aaltonen
Enter wa.aaltonen's password:
Using short domain name -- AALTO
Joined 'NEXUS6' to realm 'org.aalto.fi'
[2010/01/21 10:49:35, 0] libads/kerberos.c:332(ads_kinit_password)
kerberos_kinit_password NEXUS6$@ORG.AALTO.FI failed: Client not found in Kerberos database
nexus6 etc # klist -k
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/nexus6.org.aalto.fi@ORG.AALTO.FI
2 host/nexus6.org.aalto.fi@ORG.AALTO.FI
2 host/nexus6.org.aalto.fi@ORG.AALTO.FI
2 host/nexus6@ORG.AALTO.FI
2 host/nexus6@ORG.AALTO.FI
2 host/nexus6@ORG.AALTO.FI
2 NEXUS6$@ORG.AALTO.FI
2 NEXUS6$@ORG.AALTO.FI
2 NEXUS6$@ORG.AALTO.FI
nexus6 etc # kinit -k NEXUS6$@ORG.AALTO.FI
kinit: Client not found in Kerberos database while getting initial credentials
nexus6 etc # kinit -k NEXUS6$
nexus6 etc # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: NEXUS6$@ORG.AALTO.FI
Valid starting     Expires            Service principal
01/21/10 11:00:13  01/21/10 21:00:13  krbtgt/ORG.AALTO.FI@ORG.AALTO.FI
        renew until 01/22/10 11:00:13
I've been pulling my hair because of this... Would W2008 R2 help? We can't
upgrade yet though, since the backup software doesn't support it atm.
Here's the smb.conf and krb5.conf. Note that I'm trying to use sssd
instead of winbind, but it fails to do a sasl bind because of invalid
creds, so there has to be something wrong in the kerberos setup. Funny
that the same-ish krb5.conf works just fine on Solaris.
#### krb5.conf
[libdefaults]
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
default_realm = ORG.AALTO.FI
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = true
[realms]
        ORG.AALTO.FI = {
                kdc = dc01.org.aalto.fi
                kdc = dc02.org.aalto.fi
                kdc = dc03.org.aalto.fi
                kdc = dc04.org.aalto.fi
                kdc = dca01.org.aalto.fi
                kdc = dca02.org.aalto.fi
                kdc = dct01.org.aalto.fi
                kdc = dct02.org.aalto.fi
                kpasswd_server = dc01.org.aalto.fi
                kpasswd_protocol = SET_CHANGE
                admin_server = dc01.org.aalto.fi
        }
[domain_realm]
.org.aalto.fi = ORG.AALTO.FI
[appdefaults]
        kinit = {
                renewable = true
                forwardable = true
        }
##### smb.conf
[global]
workgroup = AALTO
realm = ORG.AALTO.FI
security = ads
kerberos method = system keytab
winbind use default domain = yes
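Two things in the output above are worth checking mechanically before digging into the KDC: the keytab listing (plain `klist -k` prints one line per key, so a principal with three enctypes appears three times; `klist -ke` shows which enctype each line is) and the `[libdefaults]` section, which pins the client to des-cbc-crc, a single-DES enctype that RFC 6649 deprecates and that modern KDCs refuse. The script below is an added example, not code from the post or from Samba or MIT Kerberos: it parses a constructed copy of the `klist -k` listing and of the krb5.conf from the post, reports the distinct principals and their KVNOs, and flags DES/3DES/RC4 enctypes (and `allow_weak_crypto = true`) pinned in `[libdefaults]`, comparing the posted section against a hardened one that leaves enctype negotiation to the KDC. One caveat on the interactive tests in the post: in any POSIX shell the unquoted word `NEXUS6$@ORG.AALTO.FI` contains `$@`, which the shell expands to the positional parameters (normally nothing) before `kinit` ever sees it, so the principal should be single-quoted on the command line; a trailing `$` with nothing after it, as in `kinit -k NEXUS6$`, is left alone.

```python
import re
from collections import defaultdict

# Constructed sample: the `klist -k` listing from the post, with the list
# archive's "at" obfuscation undone ("@" restored).
KLIST_K_OUTPUT = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/nexus6.org.aalto.fi@ORG.AALTO.FI
   2 host/nexus6.org.aalto.fi@ORG.AALTO.FI
   2 host/nexus6.org.aalto.fi@ORG.AALTO.FI
   2 host/nexus6@ORG.AALTO.FI
   2 host/nexus6@ORG.AALTO.FI
   2 host/nexus6@ORG.AALTO.FI
   2 NEXUS6$@ORG.AALTO.FI
   2 NEXUS6$@ORG.AALTO.FI
   2 NEXUS6$@ORG.AALTO.FI
"""

# Constructed sample: [libdefaults] as posted, with the client forced to DES.
KRB5_CONF_WEAK = """\
[libdefaults]
        default_tkt_enctypes = des-cbc-crc
        default_tgs_enctypes = des-cbc-crc
        default_realm = ORG.AALTO.FI
        dns_lookup_realm = false
        dns_lookup_kdc = false
[realms]
        ORG.AALTO.FI = {
                kdc = dc01.org.aalto.fi
        }
"""

# Constructed sample: the same section without the forced-DES lines, so the
# client negotiates whatever the KDC offers (AES on a current AD domain).
KRB5_CONF_HARDENED = """\
[libdefaults]
        default_realm = ORG.AALTO.FI
        permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
        dns_lookup_realm = false
        dns_lookup_kdc = false
"""

# Single DES: deprecated by RFC 6649.  3DES and RC4: deprecated by RFC 8429.
DES_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des"}
LEGACY_ENCTYPES = {"des3-cbc-sha1", "des3-hmac-sha1", "des3",
                   "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac", "rc4"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def parse_keytab_listing(text):
    """Map each principal in `klist -k` output to its KVNOs, one per key line."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)\s*$", line)
        if m:  # header and separator lines do not start with a KVNO
            entries[m.group(2)].append(int(m.group(1)))
    return {principal: sorted(kvnos) for principal, kvnos in entries.items()}


def parse_libdefaults(text):
    """Return the key = value pairs of the [libdefaults] section of a krb5.conf."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def weak_enctype_findings(settings):
    """List (key, value, severity) for weak or legacy crypto pinned in [libdefaults]."""
    findings = []
    for key in ENCTYPE_KEYS:
        for enc in settings.get(key, "").split():
            if enc in DES_ENCTYPES:
                findings.append((key, enc, "weak"))
            elif enc in LEGACY_ENCTYPES:
                findings.append((key, enc, "legacy"))
    if settings.get("allow_weak_crypto", "false").lower() == "true":
        findings.append(("allow_weak_crypto", "true", "weak"))
    return findings


def audit(klist_output, krb5_conf):
    """Summarise keytab principals and enctype policy from the two text inputs."""
    keytab = parse_keytab_listing(klist_output)
    return {
        "principals": keytab,
        "machine_accounts": [p for p in keytab if p.split("@", 1)[0].endswith("$")],
        "findings": weak_enctype_findings(parse_libdefaults(krb5_conf)),
    }


if __name__ == "__main__":
    for label, conf in (("as posted", KRB5_CONF_WEAK), ("hardened", KRB5_CONF_HARDENED)):
        report = audit(KLIST_K_OUTPUT, conf)
        print(f"== krb5.conf {label} ==")
        for principal, kvnos in sorted(report["principals"].items()):
            print(f"  {principal}: {len(kvnos)} keys, KVNO {sorted(set(kvnos))}")
        print("  machine accounts:", report["machine_accounts"])
        print("  findings:", report["findings"] or "none")
```

Run against a live host, replace the two constructed strings with `subprocess.run(["klist", "-k"], ...)` output and the contents of `/etc/krb5.keytab`'s companion `/etc/krb5.conf`; the `"weak"` findings are the lines to remove before retesting the join, and the `"legacy"` ones are the ones to plan around.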