cross-domain ticket issuing problem

jiri sasek - Sun Microsystems - Prague Czech Republic Jiri.Sasek at Sun.COM
Wed Jan 16 18:33:41 GMT 2008

Hi samba experts

I am running the Solaris 10 with the default samba (samba-3.0.28; MIT 
Kerberos; NS ldap 5.2 C-API) having the problem in the "2 or more 
domains" environment having the following assumptions:

1 -
computer "a" have the realm "A" as default where
computer "b" have the realm "B" as default
where the cross-domain trust is issued betweed the Active Directory 
domains representing the "A" and "B" realms.

2 -
There is a user "u" in realm "B"

3 -
Using the "ktpass" utility the key-table is generated for the computer 
"a" and install on the computer "a" using the "ktutil" utility

4 -
TGT is issued for user "u" performing the: kinit u at B

the user "u" can request a service from the "a" computer so the 
cross-realm ticket and the service ticket appears in the krb5 cache

When the samba is joined performing the 'net ads join' command on the 
"a" computer the service-ticket is not issued for "u" requesting the 
service from "a"

  - What is 'join ads net' doing the service-ticket is not issued for 
the service running on this computer?

Problem disappear after leaving the domain by 'net ads leave'.

Reversing this problem the samba winbind running on "a" can not retrieve 
the user info from the domain "B" so the idmap can not map the users 
from more than one domain for me. Is there anybody meeting the same problem?

Thank you in advance for suggestions helps me to fix this problem



More information about the samba-technical mailing list