[Samba] Questions regarding ADS

marpon at marpon.com.ar marpon at marpon.com.ar
Wed Jul 6 13:24:15 GMT 2005 

Thanks Jerry, that 's very useful information. 

The particular problem I am facing is that when samba tries to connect to
another domain, kerberos can 't find the principal, as in this example: 

libads/sasl.c:ads_sasl_spnego_bind(211)
  ads_sasl_spnego_bind: got server principal name
=sarswdc3$@SIDERAR.TECHINT.NET


libsmb/clikrb5.c:ads_krb5_mk_req(389)
  ads_krb5_mk_req: krb5_get_credentials failed for
sarswdc3$@SIDERAR.TECHINT.NET (Server not found in Kerberos database)


nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain SIDERAR failed: Server not found in Kerberos
database

What I understand is that the principal sarswdc3$ doesn 't exist. If I try
to kinit sardwdc3$@SIDERAR.TECHINT.NET it consecuentelly fails. The thing I
don 't understand is why if I kinit sardwdc3 at SIDERAR.TECHINT.NET (note the
abscense of the dollar sign) it finds it (I mean, it prompts for a
password). 

Any ideas I can try or anything further I can watch? 

Best regards, 

Martin 

-- 
Martin arpon


Original Message:
-----------------
From: Gerald (Jerry) Carter jerry at samba.org
Date: Wed, 06 Jul 2005 08:07:38 -0500
To: marpon at marpon.com.ar, samba at lists.samba.org
Subject: Re: [Samba] Questions regarding ADS

marpon at marpon.com.ar wrote:
| I 've spent the last week troubleshooting a configuration issue regarding
| samba not being able to connect to other domains beside the domain of
which
| it 's a member server (samba 3.0.14a, krb 1.3.6, w2k).
|
| I have some doubts perhaps someone can answer...
|
| Suppose this scenario:
|
| Samba name : SAMBA
| Main domain: DOMAINA (domain controller = DCA)
| Others domains : DOMAINB, DOMAINC (domain controllers DCB y DCC)
|
|
| 1) When samba tries to connect via kerberos to others
| domains, which principal is supposed to use? I 'd think
| it is SAMBA$@DOMAINA. What I see is that it first connects
| via LDAP using this machine account but then tries to connect
| via kerberos with DCB$@DOMAINB or DCC$@DOMAINC. Is this
| correct or I am not understanding the logfiles correctly?

It should be obtaining a service for DCC$@DOMAINC.  That's
probably what you are seeing.

| 2) Is wbinfo --set-auth-user still needed? I 'm not using
| it because I read somewhere that with 3.0+ is not needed
| anymore.

Generally it is not needed.  Certainly not when all the
domains are AD and the Samba host is configured with
'security = ads'.

| 3) My krb5.conf doesn 't contain any references to
| servers. All it contains is dns_lookup_realm=true,
| dns_lookup_kdc=true and default_realm=XXXXX. Do I
| need anything specific or current krb5 can obtain everything
| it needs from the DNS?

DNS is fine.  That's how I run.  Make sure that the appropriate
SRV records are in DNS though.

| 4) Do I need to do the ktpass thing at the windows DC?

Nope.  It is all handled by the AD trusts.

Hope this helps.


cheers, jerry


--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .

More information about the samba mailing list