[Samba 4] Access to GPO failed

Andrew Bartlett abartlet at samba.org
Mon Dec 15 03:47:55 GMT 2008


On Fri, 2008-12-12 at 14:39 +1100, Andrew Bartlett wrote:
> On Fri, 2008-12-12 at 09:53 +0700, Son Nguyen wrote:
> > Son Nguyen wrote:
> > > Volker Lendecke wrote:
> > >> On Wed, Dec 10, 2008 at 10:11:31AM -0500, Wes Deviers wrote:
> > >>  
> > >>> I haven't said anything or really tracked down much on the behavior;
> > >>> I've assumed lots of people are using recent SVN pulls with
> > >>> everything working
> > >>
> > >> You really mean SVN? We switched to git months ago. See
> > >> http://us6.samba.org/samba/devel/ and
> > >> http://wiki.samba.org/index.php/Samba4/HOWTO for info how to
> > >> get the latest code.
> > >>
> > >> Volker
> > >>   
> > > I've duplicated this error today with the new version from GIT.
> > > #define SAMBA_VERSION_GIT_COMMIT_DATE "Wed Dec 10 17:03:53 2008 -0800"
> > > #define SAMBA_VERSION_OFFICIAL_STRING "4.0.0alpha6-GIT-d7d525b"
> > >
> > > Is there somebody who has experience working with Samba4 GPOs?
> > > Please give me your ideas about this error.
> > > I would also like to deploy Samba4 with an LDAP backend (OpenLDAP, or
> > > CentDS). I tried to follow the document from the Samba Wiki but there were
> > > some errors when I provisioned Samba4. Please let me know if you have another
> > > document.
> > >
> > > Thanks a lot,
> > > Son Nguyen
> > >
> > Hi all,
> > After reading the samba log file and network capture file, I think that
> > this error is related to KRB5.
> > 
> >     * Log file: Kerberos: Failed building TGS-REP to 192.168.9.131
> >     * Capture file: KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (packet
> >       number 46)
> 
> I think this is a very reasonable conclusion.  The cases where this has
> worked are probably those where the CIFS connection is already up, so
> re-authentication is not required.
> 
> The challenge is:  Which host should this principal (cifs/my.realm)
> point to?  Or do all the hosts share a 'realm password' (perhaps the
> krbtgt password?) to decrypt such a ticket?

As a test, could you please edit the servicePrincipalNames attribute of
your DC entry in LDB (or simply setup/provision_self_join) to include

 host/my.realm

This should allow the client to connect and apply policies, while I
figure out the proper way to handle this.

> I'll ask for clarification from Microsoft (unless someone here already
> knows)

I've got an issue open with Microsoft for exactly this question.  Follow
the fun on the cifs-protocol list if you like :-)

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
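An added example, not part of this thread or of Samba's own code: it models the KDC's service-principal lookup that ends in KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for cifs/my.realm, and builds the LDIF that adds host/my.realm to the DC entry as suggested above. It assumes a constructed in-memory directory, a DN and SPN values invented for the example, and that the KDC resolves cifs/ through host/ (the usual sPNMappings behaviour, which the thread does not spell out).

```python
# Added example (not from the thread). Models why a TGS-REQ for
# cifs/my.realm fails while cifs/dc1.my.realm works, and produces the
# LDIF for the suggested workaround. Directory contents are constructed.

# Constructed sample directory: DN -> servicePrincipalName values.
DC_DN = "CN=DC1,OU=Domain Controllers,DC=my,DC=realm"
DIRECTORY = {
    DC_DN: ["HOST/DC1", "HOST/dc1.my.realm", "ldap/dc1.my.realm"],
}

# Service classes folded onto host/ by the KDC (assumed subset of the
# default sPNMappings list; the thread does not state the mapping).
HOST_ALIASES = {"cifs", "http", "www", "rpc"}


def canonical_spn(spn):
    """Lower-case an SPN and map host-aliased service classes to host/."""
    svc, _, target = spn.partition("/")
    svc = svc.lower()
    if svc in HOST_ALIASES:
        svc = "host"
    return f"{svc}/{target.lower()}"


def find_account_for_spn(directory, requested):
    """Return the DN holding the requested SPN, or None.

    None is the case where a KDC answers KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
    and the client's GPO download fails at the cifs/ TGS exchange.
    """
    want = canonical_spn(requested)
    for dn, spns in directory.items():
        if any(canonical_spn(s) == want for s in spns):
            return dn
    return None


def add_spn_ldif(dn, spn):
    """LDIF for `ldbmodify -H sam.ldb fix.ldif` adding one SPN value."""
    return (f"dn: {dn}\nchangetype: modify\nadd: servicePrincipalName\n"
            f"servicePrincipalName: {spn}\n-\n")


def add_spn(directory, dn, spn):
    """Apply the modification to the toy directory, returning a new dict."""
    return {**directory, dn: directory.get(dn, []) + [spn]}


if __name__ == "__main__":
    print(find_account_for_spn(DIRECTORY, "cifs/dc1.my.realm"))  # DC_DN
    print(find_account_for_spn(DIRECTORY, "cifs/my.realm"))      # None
    print(add_spn_ldif(DC_DN, "host/my.realm"))
    fixed = add_spn(DIRECTORY, DC_DN, "host/my.realm")
    print(find_account_for_spn(fixed, "cifs/my.realm"))          # DC_DN
```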