[Samba] Samba 4 and GSSAPI kerberos ldap connect
Andrew Bartlett
abartlet at samba.org
Thu Jan 26 21:37:45 MST 2012
On Sun, 2012-01-22 at 15:32 +0100, steve wrote:
> even though I've made a ldap/hh3.site principal:
> hh3:/tmp # samba-tool spn add ldap/hh3.site Administrator
> hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab
> --principal=ldap/hh3.site
>
> Why do I get the
> Decrypt integrity check failed
> error?
Why do you keep doing this?
What makes you think this is the right thing to do (so I can correct
whatever gave you this misconception).
Samba will not read /etc/ldap.keytab.
Samba uses the private keytab containing it's own machine account only.
Samba should not be contacted via the dns domain name, it should be
contacted by the fully qualified domain name.
The fact the dns domain name (hh3.site) resolves is an artefact of the
default AD DNS zone, but should not be used. If your client uses the
fully qualified name (dc.hh3.site), it will collect the correct ticket,
and Samba will decrypt it.
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba
mailing list