[Samba] domain join & kinit woes

Timo Aaltonen tjaalton at cc.hut.fi
Thu Jan 21 02:59:59 MST 2010 

 	Hi

   I've got problems getting things to work here.. The setup:

AD: W2008R1
client: Ubuntu 10.04 (lucid alpha2), with samba 3.4.3, MIT 1.7

I get an error when joining the domain, and when trying to kinit using the 
machine principal with any other name than HOST$ (and that worked only 
after forcing the crypto to des-cbc-crc):

nexus6 etc # net ads join -W ORG.AALTO.FI -U wa.aaltonen
Enter wa.aaltonen's password:
Using short domain name -- AALTO
Joined 'NEXUS6' to realm 'org.aalto.fi'
[2010/01/21 10:49:35,  0] libads/kerberos.c:332(ads_kinit_password)
   kerberos_kinit_password NEXUS6$@ORG.AALTO.FI failed: Client not found in Kerberos database
nexus6 etc # klist -k
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
    2 host/nexus6.org.aalto.fi at ORG.AALTO.FI
    2 host/nexus6.org.aalto.fi at ORG.AALTO.FI
    2 host/nexus6.org.aalto.fi at ORG.AALTO.FI
    2 host/nexus6 at ORG.AALTO.FI
    2 host/nexus6 at ORG.AALTO.FI
    2 host/nexus6 at ORG.AALTO.FI
    2 NEXUS6$@ORG.AALTO.FI
    2 NEXUS6$@ORG.AALTO.FI
    2 NEXUS6$@ORG.AALTO.FI

nexus6 etc # kinit -k NEXUS6$@ORG.AALTO.FI
kinit: Client not found in Kerberos database while getting initial credentials
nexus6 etc # kinit -k NEXUS6$
nexus6 etc # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: NEXUS6$@ORG.AALTO.FI

Valid starting     Expires            Service principal
01/21/10 11:00:13  01/21/10 21:00:13  krbtgt/ORG.AALTO.FI at ORG.AALTO.FI
 	renew until 01/22/10 11:00:13


I've been pulling my hair because of this... Would W2008 R2 help? We can't 
upgrade yet though, since the backup software doesn't support it atm.

Here's the smb.conf and krb5.conf. Note that I'm trying to use sssd 
instead of winbind, but it fails to do a sasl bind because of invalid 
creds, so there has to be something wrong in the kerberos setup. Funny 
that the same-ish krb5.conf works just fine on Solaris.

#### krb5.conf
[libdefaults]
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
default_realm = ORG.AALTO.FI
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = true

[realms]
ORG.AALTO.FI = {
   kdc = dc01.org.aalto.fi
   kdc = dc02.org.aalto.fi
   kdc = dc03.org.aalto.fi
   kdc = dc04.org.aalto.fi
   kdc = dca01.org.aalto.fi
   kdc = dca02.org.aalto.fi
   kdc = dct01.org.aalto.fi
   kdc = dct02.org.aalto.fi
   kpasswd_server = dc01.org.aalto.fi
   kpasswd_protocol = SET_CHANGE
   admin_server = dc01.org.aalto.fi
}

[domain_realm]
.org.aalto.fi = ORG.AALTO.FI

[appdefaults]
kinit = {
   renewable = true
   forwardable = true
}

##### smb.conf
[global]
   workgroup = AALTO
   realm = ORG.AALTO.FI
   security = ads
   kerberos method = system keytab
   winbind use default domain = yes

More information about the samba mailing list