We created a krb5.conf but then did not use it?
Richard Sharpe
realrichardsharpe at gmail.com
Fri Aug 9 10:57:30 MDT 2013
On Fri, Aug 9, 2013 at 9:45 AM, Mauricio Tavares <raubvogel at gmail.com> wrote:
> On Fri, Aug 9, 2013 at 12:13 PM, Richard Sharpe
> <realrichardsharpe at gmail.com> wrote:
>> Hi folks,
>>
>> We have hit an interesting situation with Samba 3.6.x where net ads
>> join -k is failing.
>>
>> We managed to create a krb5.conf.DOM with the locations of the KDCs in
>> that realm.
>>
>> However, when kerberos_kinit_password was called, it seemed to send a
>> DNS request for _kerberos._UDP.<realm> anyway, and got back 230 KDC
>>
>> The code then started going through them randomly, it seems (and they
>> were not sorted by locality either) and because they seem to block
>> off-site auth traffic, we could not authenticate.
>>
>> The version of Kerberos being used is Heimdal 1.0 by the look of things.
>>
>> Has anyone seen this?
>>
> Anything interesting in the log file?
Nope ... the log from 'net ads join -k -d -U ...' ends with this:
    kerberos_kinit_password: as joinacct using [MEMORY:cliconnect] as ccache and config [(null)]
It timed out after that.
It is strange that config is null however.
Hmmm: This is what the code does:
    DEBUG(10,("kerberos_kinit_password: as %s using [%s] as ccache and config [%s]\n",
            principal,
            cache_name ? cache_name: krb5_cc_default_name(ctx),
            getenv("KRB5_CONFIG")));
Looks like the attempt to set the environment variable failed.
--
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. --Cao Cao)
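
An added example, not part of the original message and not Samba's code: one way to write a private krb5.conf, point KRB5_CONFIG at it, and confirm the setting took effect before attempting kinit, so a failed setenv is caught instead of showing up as config [(null)] in the log. The function names, file layout and "<unset>" marker are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: write a minimal krb5.conf that lists the KDCs for
 * one realm. Returns 0 on success, -1 on any I/O error. */
int write_private_krb5_conf(const char *path, const char *realm,
                            const char *const *kdcs, size_t n_kdcs)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    int ok = fprintf(f, "[libdefaults]\n\tdefault_realm = %s\n\n"
                        "[realms]\n\t%s = {\n", realm, realm) > 0;
    for (size_t i = 0; ok && i < n_kdcs; i++)
        ok = fprintf(f, "\t\tkdc = %s\n", kdcs[i]) > 0;
    ok = ok && fprintf(f, "\t}\n") > 0;
    if (fclose(f) != 0)
        ok = 0;
    return ok ? 0 : -1;
}

/* Point the Kerberos library at the private file and verify the result.
 * Returns 0 only if the file is readable, setenv() succeeded and getenv()
 * reads back the same path; the caller should not go on to kinit otherwise. */
int activate_krb5_conf(const char *path)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;                       /* nothing to point at */
    fclose(f);
    if (setenv("KRB5_CONFIG", path, 1) != 0)
        return -1;                       /* e.g. ENOMEM or EINVAL */
    const char *seen = getenv("KRB5_CONFIG");
    return (seen != NULL && strcmp(seen, path) == 0) ? 0 : -1;
}

/* NULL-safe value for log lines: passing NULL to %s is undefined behaviour
 * in C, even though glibc happens to print "(null)". */
const char *krb5_config_for_log(void)
{
    const char *v = getenv("KRB5_CONFIG");
    return v != NULL ? v : "<unset>";
}
```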