[Samba 4] Access to GPO failed

Andrew Bartlett abartlet at samba.org
Fri Dec 12 03:39:21 GMT 2008


On Fri, 2008-12-12 at 09:53 +0700, Son Nguyen wrote:
> Son Nguyen wrote:
> > Volker Lendecke wrote:
> >> On Wed, Dec 10, 2008 at 10:11:31AM -0500, Wes Deviers wrote:
> >>  
> >>> I haven't said anything or really tracked down much on the behavior; 
> >>> I've assumed lots of people are using recent SVN pulls with 
> >>> everything working     
> >>
> >> You really mean SVN? We switched to git months ago. See
> >> http://us6.samba.org/samba/devel/ and
> >> http://wiki.samba.org/index.php/Samba4/HOWTO for info how to
> >> get the latest code.
> >>
> >> Volker
> >>   
> >    I've duplicated this error today with the new version from GIT.
> > #define SAMBA_VERSION_GIT_COMMIT_DATE "Wed Dec 10 17:03:53 2008 -0800"
> > #define SAMBA_VERSION_OFFICIAL_STRING "4.0.0alpha6-GIT-d7d525b"
> >
> > Does anybody have experience working with Samba4 GPOs? 
> > Please give me your ideas about this error.
> > I am also interested in deploying samba4 with an ldap backend (OpenLDAP, or 
> > CentDS). I tried to follow the document from the Samba Wiki but there are some 
> > errors when I provision Samba4. Please let me know if you have other 
> > documents.
> >
> > Thanks a lot,
> > Son Nguyen
> >
> Hi all,
>     After reading the samba log file and network capture file, I think that 
> this error is related to KRB5.
> 
>     * Log file: Kerberos: Failed building TGS-REP to 192.168.9.131
>     * Capture file: KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOW (packet
>       number 46)

I think this is a very reasonable conclusion.  The cases where this has
worked are probably those where the CIFS connection is already up, so
re-authentication is not required.

The challenge is:  Which host should this principal (cifs/my.realm)
point to?  Or do all the hosts share a 'realm password' (perhaps the
krbtgt password?) to decrypt such a ticket?

I'll ask for clarification from Microsoft (unless someone here already
knows)

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

More information about the samba-technical mailing list