cross-domain ticket issuing problem
jiri sasek - Sun Microsystems - Prague Czech Republic
Jiri.Sasek at Sun.COM
Wed Jan 16 18:33:41 GMT 2008
Hi samba experts
I am running the Solaris 10 with the default samba (samba-3.0.28; MIT
Kerberos; NS ldap 5.2 C-API) having the problem in the "2 or more
domains" environment having the following assumptions:
computer "a" have the realm "A" as default where
computer "b" have the realm "B" as default
where the cross-domain trust is issued betweed the Active Directory
domains representing the "A" and "B" realms.
There is a user "u" in realm "B"
Using the "ktpass" utility the key-table is generated for the computer
"a" and install on the computer "a" using the "ktutil" utility
TGT is issued for user "u" performing the: kinit u at B
the user "u" can request a service from the "a" computer so the
cross-realm ticket and the service ticket appears in the krb5 cache
When the samba is joined performing the 'net ads join' command on the
"a" computer the service-ticket is not issued for "u" requesting the
service from "a"
- What is 'join ads net' doing the service-ticket is not issued for
the service running on this computer?
Problem disappear after leaving the domain by 'net ads leave'.
Reversing this problem the samba winbind running on "a" can not retrieve
the user info from the domain "B" so the idmap can not map the users
from more than one domain for me. Is there anybody meeting the same problem?
Thank you in advance for suggestions helps me to fix this problem
More information about the samba-technical