samba4 kinit failure, active directory and shares working

David Lindauer david at otlayi.com
Sun Jan 30 11:51:25 MST 2011


Nice, kinit is successfully granting tickets and klist verifies they're 
active now.  Thanks =)

Now with an active ticket and restarting, Samba logs (were previously and 
are still) showing:

[Sun Jan 30 13:42:09 2011 EST, 0 ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
/usr/local/samba/sbin/samba_dnsupdate: Check your Kerberos ticket, it may have expired.

Trying to connect to AD through Server Manager or AD Administrative 
Center are both showing that they're trying to connect but fail.  They 
resolve the domain/workgroup, however I notice Server Manager (in the 
beginning) popped up right away and connected to the logged in account's 
AD, now it pops up or I have to manually connect to a computer.  Admin 
Center shows "Canot find an available server in the MYDOMAIN domain that 
is running the Active Directory Web Service (ADWS).  It's possible 
Samba4 won't connect to Administrative Center, not a program I've messed 
around with but figured it wouldn't hurt to try a different pc with 
additional and alternate configs.

-- 
David Lindauer
Director of Operations
Otlay Interactive

On 1/30/2011 6:28 AM, Matthieu Patou wrote:
> On 30/01/2011 05:26, David Lindauer wrote:
>> /etc/krb5.conf
>>
>> [libdefaults]
>>         default_realm = MYDOMAIN
>>         krb4_config = /etc/krb.conf
>>         krb4_realms = /etc/krb.realms
>>         kdc_timesync = 1
>>         ccache_type = 4
>>         forwardable = true
>>         proxiable = true
>>
>>         v4_instance_resolve = false
>>         v4_name_convert = {
>>                 host = {
>>                         rcmd = host
>>                         ftp = ftp
>>                 }
>>                 plain = {
>>                         something = something-else
>>                 }
>>         }
>>         fcc-mit-ticketflags = true
>>
>> [realms]
>>         MYDOMAIN = {
>>                 kdc = server.mydomain.com
>>          }
>> --other default realms--
>> [login]
>>         krb4_convert = true
>>         krb4_get_tickets = false
>>
>>
>>
>>
>> On 1/29/2011 7:13 PM, Matthieu Patou wrote:
>>> On 30/01/2011 02:46, David Lindauer wrote:
>>>> We have been running Samba 4.0.0alpha15-GIT-04987bd, and have been 
>>>> pretty pleased with the results so far.  Initially on setup,  I was 
>>>> able to use kinit and get a krb ticket, and was in Server Manager 
>>>> on a domain connected computer and was able to administrate users.  
>>>> Since then, we've physically moved the server to our development 
>>>> network, and changed it from a single NIC to dual (one for internal 
>>>> 10.x.x.x and one for public).
>>>>
>>>> Last night I stuck around to officially migrate our IP range and AD 
>>>> to the new Samba 4 box (not using anything from the old).  I have 
>>>> successfully connected our desktops to the AD, Samba sharing is 
>>>> working (beautifully), and I have OpenVPN setup and have it bridged 
>>>> so my VPN clients can connect locally to the shares.
>>>>
>>>> My active directory login and the administrator account are working 
>>>> when I connect to shares, so it is authenticating properly, BUT 
>>>> kinit user at domain (properly) is giving back "kinit: Password 
>>>> incorrect".  If I use the wrong domain I get appropriate errors.  
>>>> This is the same box running everything.   If I use an invalid 
>>>> user, I get the proper krb_get_init_creds: Client unknown, but it 
>>>> is not recognizing any passwords.
>>> Can you show your krb5.conf? I have the impression that it's a 
>>> problem of encryption.
> Can you try to adapt the attached krb5.conf to your setup (update 
> REALM and IPs).
>
> Matthieu

