We created a krb5.conf but then did not use it?

Matthieu Patou mat at samba.org
Tue Aug 13 00:52:03 MDT 2013


On 08/09/2013 09:13 AM, Richard Sharpe wrote:
> Hi folks,
>
> We have hit an interesting situation with Samba 3.6.x where net ads
> join -k is failing.
>
> We managed to create a krb5.conf.DOM with the locations of the KDCs in
> that realm.
Did you set KRB5_CONFIG to point to this particular file? Also, have you
set ...dns_lookup_kdc to no?
>
> However, when kerberos_kinit_password was called, it seemed to send a
> DNS request for _kerberos._UDP.<realm> anyway, and got back 230 KDC
>


> The code then started going through them randomly, it seems (and they
> were not sorted by locality either) and because they seem to block
> off-site auth traffic, we could not authenticate.
Which is quite stupid, because if they have a user that is usually on
site B it will first try to contact a DC from site B and if he is
currently in site A then the DC will politely indicate to the computer
to contact a DC from site A instead.

>
> The version of Kerberos being used is Heimdal 1.0 by the look of things.
>
> Has anyone seen this?
>
Matthieu.

-- 
Matthieu Patou
Samba Team
http://samba.org
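
The two settings asked about in the reply above (KRB5_CONFIG pointing at the per-domain file, and dns_lookup_kdc set to no) can be checked mechanically before retrying the join. The following is an added example, not part of the original message or of Samba: the function names, the realm DOM.EXAMPLE and the KDC host names are made up for illustration, and the parser handles only the simple subset of krb5.conf syntax shown in the sample.

```python
import os

# Constructed sample; realm and host names are placeholders.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = DOM.EXAMPLE
    dns_lookup_kdc = no

[realms]
    DOM.EXAMPLE = {
        kdc = dc1.site-a.dom.example
        kdc = dc2.site-a.dom.example
    }
"""
FALSE_VALUES = {"no", "false", "0", "off", "n"}  # simplified boolean parsing

def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; realm blocks become nested dicts."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None  # end of a realm block
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section).setdefault(key, []).append(value)
    return conf

def check_kdc_config(text, realm, env=None):
    """Return (kdcs, findings) for the checks raised in the reply above."""
    env = os.environ if env is None else env
    conf = parse_krb5_conf(text)
    findings = []
    if not env.get("KRB5_CONFIG"):
        findings.append("KRB5_CONFIG is not set")
    lookup = conf.get("libdefaults", {}).get("dns_lookup_kdc", [])
    if not lookup or lookup[-1].lower() not in FALSE_VALUES:
        findings.append("dns_lookup_kdc is not set to no")
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if not kdcs:
        findings.append("no kdc entries for realm " + realm)
    return kdcs, findings
```

An empty findings list means both settings are in place and the realm has explicit kdc entries in the file; it does not show which KDCs the Kerberos library actually contacts at run time.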


