We created a krb5.conf but then did not use it?

Richard Sharpe realrichardsharpe at gmail.com
Tue Aug 13 10:26:32 MDT 2013


On Mon, Aug 12, 2013 at 11:52 PM, Matthieu Patou <mat at samba.org> wrote:
> On 08/09/2013 09:13 AM, Richard Sharpe wrote:
>> Hi folks,
>>
>> We have hit an interesting situation with Samba 3.6.x where net ads
>> join -k is failing.
>>
>> We managed to create a krb5.conf.DOM with the locations of the KDCs in
>> that realm.
> did you set KRB5_CONFIG to point to this particular file, also have you
> set ...dns_lookup_kdc to no?

No. We actually run without a krb5.conf file at all, and the defaults
are to use DNS to lookup the KDC. That is working because we see the
lookups for the SRV records.

>>
>> However, when kerberos_kinit_password was called, it seemed to send a
>> DNS request for _kerberos._UDP.<realm> anyway, and got back 230 KDCs
>>
>
>
>> The code then started going through them randomly, it seems (and they
>> were not sorted by locality either) and because they seem to block
>> off-site auth traffic, we could not authenticate.
> Which is quite stupid, because if they have a user that is usually on
> site B it will first try to contact a DC from site B and if he is
> currently in site A then the DC will politely indicate to the computer
> to contact a DC from site A instead.

Yeah, I know. I don't know why customers do stupid things :-)

Anyway, I looked at the code some more and it looks like we don't have
our private krb5.conf file ready when we try to do the first
authentication.

However, once that file exists, we can set the KRB5_CONFIG environment
var to point to it and the second attempt to join will likely work.

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang wine. -- Cao Cao)
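Added example, not code from this thread or from Samba: a small sh script that builds the kind of private krb5.conf the reply above talks about, pins the KDCs for one realm, turns off the DNS SRV lookup for _kerberos._udp.<realm>, and is then used through KRB5_CONFIG for the join. The realm EXAMPLE.COM, the dc*.example.com names and the file path are placeholders.

```shell
#!/bin/sh
# Added example (not Samba's code): write a private krb5.conf for one realm
# that pins the KDCs to use and disables the DNS SRV lookup for
# _kerberos._udp.<realm>, then point KRB5_CONFIG at it before the join.
# EXAMPLE.COM and the dc*.example.com names are placeholders.

# write_pinned_krb5_conf PATH REALM KDC [KDC...]
# KDCs are emitted in the order given, so list the site-local DCs first.
write_pinned_krb5_conf() {
    out=$1
    realm=$2
    shift 2
    {
        printf '[libdefaults]\n'
        printf '    default_realm = %s\n' "$realm"
        # libkrb5 only consults DNS for KDCs when a realm has no kdc
        # entries; with pinned kdc lines these two settings stop any
        # fallback to the SRV records.
        printf '    dns_lookup_kdc = false\n'
        printf '    dns_lookup_realm = false\n'
        printf '\n[realms]\n'
        printf '    %s = {\n' "$realm"
        for kdc in "$@"; do
            printf '        kdc = %s\n' "$kdc"
        done
        printf '    }\n'
    } > "$out"
}

# pinned_kdc_count PATH -> prints the number of "kdc = " lines in the file
pinned_kdc_count() {
    grep -c '^ *kdc = ' "$1"
}

# dns_kdc_lookup_disabled PATH -> exit 0 if dns_lookup_kdc = false is set
dns_kdc_lookup_disabled() {
    grep -q '^ *dns_lookup_kdc = false' "$1"
}

# Usage (placeholders): generate the file, then run the join against it.
#   write_pinned_krb5_conf /etc/samba/krb5.conf.EXAMPLE.COM EXAMPLE.COM \
#       dc1.sitea.example.com dc2.sitea.example.com
#   KRB5_CONFIG=/etc/samba/krb5.conf.EXAMPLE.COM kinit Administrator@EXAMPLE.COM
#   KRB5_CONFIG=/etc/samba/krb5.conf.EXAMPLE.COM net ads join -k
```

Both MIT Kerberos and Heimdal honour KRB5_CONFIG, so the same file works whichever library Samba was built against. The kdc lines are what actually pin the KDCs; dns_lookup_kdc = false only matters once a realm has no kdc entries, so it is there to stop a fallback to the SRV lookup if the realm block is ever edited away.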

