[Samba] MIT Kerberos 5 won't work with latest Samba 3.0.0cvs

Axel Suppantschitsch as at suit.at
Mon Sep 8 13:26:43 GMT 2003


As I learned from former threads, "net ads join" should not only join the Samba
server to ADS, but also create Kerberos 5 credentials on the Linux box running
Samba 3.0.

Well, thanks to Jerry, joining the Samba 3.0 to ADS works now, but I won't get
any Kerberos 5 credentials. winbindd throws errors because of missing Kerberos
credentials.

Kerberos 5 support is compiled into my samba binaries. I'm using the following
RPMs of MIT Kerberos 5:

krb5-workstation-1.2.7-14
pam_krb5-1.60-1
krb5-devel-1.2.7-14
krb5-server-1.2.7-14
krb5-libs-1.2.7-14

Kerberos 5 is working like a charm with my Windows 2003 Server:

*** SNIP ***
[root at samba30srv source]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root at samba30srv source]# kinit Administrator at SAMBA30.TEST
Password for Administrator at SAMBA30.TEST:
[root at samba30srv source]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator at SAMBA30.TEST

Valid starting     Expires            Service principal
09/08/03 14:59:09  09/09/03 00:59:09  krbtgt/SAMBA30.TEST at SAMBA30.TEST


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root at samba30srv source]# kdestroy
[root at samba30srv source]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root at samba30srv source]#
*** SNAP ***

If I now join my Samba 30 Server to my Windows 2003 ADS, I won't get any
credentials:

*** SNIP ***
[root at samba30srv x]# net ads join -U Administrator -d3
[2003/09/08 15:15:16, 3] param/loadparm.c:lp_load(3914)
  lp_load: refreshing parameters
[2003/09/08 15:15:16, 3] param/loadparm.c:init_globals(1300)
  Initialising global parameters
[2003/09/08 15:15:17, 3] param/params.c:pm_process(566)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2003/09/08 15:15:17, 3] param/loadparm.c:do_section(3417)
  Processing section "[global]"
[2003/09/08 15:15:17, 2] lib/interface.c:add_interface(79)
  added interface ip=192.168.0.201 bcast=192.168.0.255 nmask=255.255.255.0
Administrator password:
[2003/09/08 15:15:27, 3] libads/ldap.c:ads_connect(218)
  Connected to LDAP server 192.168.0.200
[2003/09/08 15:15:27, 3] libads/ldap.c:ads_server_info(1877)
  got ldap server name win2003srv at SAMBA30.TEST, using bind path:
dc=SAMBA30,dc=TEST
[2003/09/08 15:15:27, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
  got OID=1 2 840 48018 1 2 2
[2003/09/08 15:15:27, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
  got OID=1 2 840 113554 1 2 2
[2003/09/08 15:15:27, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
  got OID=1 2 840 113554 1 2 2 3
[2003/09/08 15:15:27, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
  got OID=1 3 6 1 4 1 311 2 2 10
[2003/09/08 15:15:27, 3] libads/sasl.c:ads_sasl_spnego_bind(191)
  got principal=win2003srv$@SAMBA30.TEST
[2003/09/08 15:15:27, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No credentials cache found)
[2003/09/08 15:15:27, 3] libads/ldap.c:ads_workgroup_name(1969)
  Found alternate name 'SAMBA30' for realm 'SAMBA30.TEST'
Using short domain name -- SAMBA30
Joined 'SAMBA30SRV' to realm 'SAMBA30.TEST'
[2003/09/08 15:15:27, 2] utils/net.c:main(758)
  return code = 0
[root at samba30srv source]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root at samba30srv source]#
*** SNAP ***

Of course, winbindd throws errors without Kerberos 5 credentials:

*** SNIP ***
[2003/09/08 11:43:59, 1] nsswitch/winbindd_util.c:add_trusted_domain(149)
  Added domain SAMBA30 SAMBA30.TEST
[2003/09/08 11:43:59, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No credentials cache found)
*** SNAP ***

Any suggestions?

Cheers, Axel.
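
Added example (not part of the original post, and not Samba project code): a small triage script for the debug output quoted above. It pairs the "Joined ... to realm ..." result with every krb5_* call that logged a failure, so a join that returns 0 while ticket acquisition fails is visible at a glance. The names parse and triage are hypothetical, and the regular expressions assume the header/indented-message layout shown in the post.

```python
import re

# Header of a Samba debug entry as seen in the post: [date time, level] file:function(line)
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] ([\w/.]+):(\w+)\((\d+)\)$")
JOINED = re.compile(r"^Joined '([^']+)' to realm '([^']+)'$")
KRB5_FAIL = re.compile(r"\b(krb5_\w+) failed \((.+)\)")

def parse(text):
    """Split tool output into debug entries and plain (non-log) output lines."""
    entries, plain, current = [], [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"ts": m[1], "level": int(m[2]), "src": f"{m[3]}:{m[4]}", "msg": ""}
            entries.append(current)
        elif line.startswith(" ") and current is not None:
            # Indented lines carry the message of the preceding header.
            current["msg"] = (current["msg"] + " " + line.strip()).strip()
        elif line.strip():
            # Prompts and result lines printed by the tool itself.
            plain.append(line.strip())
            current = None
    return entries, plain

def triage(text):
    """Report the join result next to every Kerberos call that failed."""
    entries, plain = parse(text)
    join = next((m.groups() for m in map(JOINED.match, plain) if m), None)
    failures = []
    for e in entries:
        m = KRB5_FAIL.search(e["msg"])
        if m:
            failures.append((e["ts"], e["src"], m[1], m[2]))
    return {"joined": join, "krb5_failures": failures}

# Lines taken from the `net ads join -d3` output quoted in the post.
SAMPLE = """\
Administrator password:
[2003/09/08 15:15:27, 3] libads/ldap.c:ads_connect(218)
  Connected to LDAP server 192.168.0.200
[2003/09/08 15:15:27, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No credentials cache found)
[2003/09/08 15:15:27, 3] libads/ldap.c:ads_workgroup_name(1969)
  Found alternate name 'SAMBA30' for realm 'SAMBA30.TEST'
Using short domain name -- SAMBA30
Joined 'SAMBA30SRV' to realm 'SAMBA30.TEST'
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```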


