samba4 kinit failure, active directory and shares working

Sat Jan 29 19:26:33 MST 2011

/etc/krb5.conf

[libdefaults]
         default_realm = MYDOMAIN
         krb4_config = /etc/krb.conf
         krb4_realms = /etc/krb.realms
         kdc_timesync = 1
         ccache_type = 4
         forwardable = true
         proxiable = true

v4_instance_resolve = false
         v4_name_convert = {
                 host = {
                         rcmd = host
                         ftp = ftp
                 }
                 plain = {
                         something = something-else
                 }
         }
         fcc-mit-ticketflags = true

[realms]
         MYDOMAIN = {
                 kdc = server.mydomain.com
          }
--other default realms--
[login]
         krb4_convert = true
         krb4_get_tickets = false


On 1/29/2011 7:13 PM, Matthieu Patou wrote:
> On 30/01/2011 02:46, David Lindauer wrote:
>> We have been running Samba 4.0.0alpha15-GIT-04987bd, and have been 
>> pretty pleased with the results so far.  Initially on setup,  I was 
>> able to use kinit and get a krb ticket, and was in Server Manager on 
>> a domain connected computer and was able to administrate users.  
>> Since then, we've physically moved the server to our development 
>> network, and changed it from a single NIC to dual (one for internal 
>> 10.x.x.x and one for public).
>>
>> Last night I stuck around to officially migrate our IP range and AD 
>> to the new Samba 4 box (not using anything from the old).  I have 
>> successfully connected our desktops to the AD, Samba sharing is 
>> working (beautifully), and I have OpenVPN setup and have it bridged 
>> so my VPN clients can connect locally to the shares.
>>
>> My active directory login and the administrator account are working 
>> when I connect to shares, so it is authenticating properly, BUT kinit 
>> user at domain (properly) is giving back "kinit: Password incorrect".  
>> If i use the wrong domain I get appropriate errors.  This is the same 
>> box running everything.   If i use an invalid user, I get the proper 
>> krb_get_init_creds: Client unknown, but it is not recognizing any 
>> passwords.
> Can you show you krb5.conf ? I have the impression that it's a problem 
> of encryption.
>
>>
>> In addition, inside an office PC (Not VPN, but shouldn't matter), I 
>> have the Server Manager app for win7, and it cannot connect.  It 
>> properly resolves and shows the full host name even when I use the 
>> IP, I have updated Samba interfaces to include the public and private 
>> IP (temp to test).  It gives "Connecting to remote server failed with 
>> the following error message: The client cannot connect to the 
>> destination specified in the request..."
> What is "Server manager", can you make a tcpdump trace to see what's 
> going on when it replies "cannot connect to destination specified" ?
>>
>> If I can get this fixed, will be fully running and loving Samba4.  
>> Thanks for any insight.
>>
>> -David
>>
> Cheers Matthieu
>
>