samba4 kinit failure, active directory and shares working

Matthieu Patou mat at matws.net
Sun Jan 30 04:28:28 MST 2011


On 30/01/2011 05:26, David Lindauer wrote:
> /etc/krb5.conf
>
> [libdefaults]
>         default_realm = MYDOMAIN
>         krb4_config = /etc/krb.conf
>         krb4_realms = /etc/krb.realms
>         kdc_timesync = 1
>         ccache_type = 4
>         forwardable = true
>         proxiable = true
>
>         v4_instance_resolve = false
>         v4_name_convert = {
>                 host = {
>                         rcmd = host
>                         ftp = ftp
>                 }
>                 plain = {
>                         something = something-else
>                 }
>         }
>         fcc-mit-ticketflags = true
>
> [realms]
>         MYDOMAIN = {
>                 kdc = server.mydomain.com
>          }
> --other default realms--
> [login]
>         krb4_convert = true
>         krb4_get_tickets = false
>
>
>
>
> On 1/29/2011 7:13 PM, Matthieu Patou wrote:
>> On 30/01/2011 02:46, David Lindauer wrote:
>>> We have been running Samba 4.0.0alpha15-GIT-04987bd, and have been 
>>> pretty pleased with the results so far.  Initially on setup,  I was 
>>> able to use kinit and get a krb ticket, and was in Server Manager on 
>>> a domain connected computer and was able to administrate users.  
>>> Since then, we've physically moved the server to our development 
>>> network, and changed it from a single NIC to dual (one for internal 
>>> 10.x.x.x and one for public).
>>>
>>> Last night I stuck around to officially migrate our IP range and AD 
>>> to the new Samba 4 box (not using anything from the old).  I have 
>>> successfully connected our desktops to the AD, Samba sharing is 
>>> working (beautifully), and I have OpenVPN setup and have it bridged 
>>> so my VPN clients can connect locally to the shares.
>>>
>>> My active directory login and the administrator account are working 
>>> when I connect to shares, so it is authenticating properly, BUT 
>>> kinit user@domain (properly) is giving back "kinit: Password 
>>> incorrect".  If I use the wrong domain I get appropriate errors.  
>>> This is the same box running everything.   If I use an invalid user, 
>>> I get the proper krb_get_init_creds: Client unknown, but it is not 
>>> recognizing any passwords.
>> Can you show your krb5.conf? I have the impression that it's a 
>> problem of encryption.
Can you try to adapt the attached krb5.conf to your setup (update REALM 
and IPs).

Matthieu
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: krb5.conf
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20110130/0e09c00e/attachment.ksh>

