[Samba] Questions regarding ADS
marpon at marpon.com.ar
Wed Jul 6 13:24:15 GMT 2005
Thanks Jerry, that's very useful information.
The particular problem I am facing is that when samba tries to connect to
another domain, kerberos can't find the principal, as in this example:
libads/sasl.c:ads_sasl_spnego_bind(211)
ads_sasl_spnego_bind: got server principal name =sarswdc3$@SIDERAR.TECHINT.NET
libsmb/clikrb5.c:ads_krb5_mk_req(389)
ads_krb5_mk_req: krb5_get_credentials failed for sarswdc3$@SIDERAR.TECHINT.NET (Server not found in Kerberos database)
nsswitch/winbindd_ads.c:ads_cached_connection(81)
ads_connect for domain SIDERAR failed: Server not found in Kerberos database
What I understand is that the principal sarswdc3$ doesn't exist. If I try
to kinit sardwdc3$@SIDERAR.TECHINT.NET it consequently fails. The thing I
don't understand is why, if I kinit sardwdc3@SIDERAR.TECHINT.NET (note the
absence of the dollar sign), it finds it (I mean, it prompts for a
password).
Any ideas I can try or anything further I can watch?
Best regards,
Martin
--
Martin arpon
Original Message:
-----------------
From: Gerald (Jerry) Carter jerry at samba.org
Date: Wed, 06 Jul 2005 08:07:38 -0500
To: marpon at marpon.com.ar, samba at lists.samba.org
Subject: Re: [Samba] Questions regarding ADS
marpon at marpon.com.ar wrote:
| I've spent the last week troubleshooting a configuration issue regarding
| samba not being able to connect to other domains besides the domain of
| which it's a member server (samba 3.0.14a, krb 1.3.6, w2k).
|
| I have some doubts perhaps someone can answer...
|
| Suppose this scenario:
|
| Samba name: SAMBA
| Main domain: DOMAINA (domain controller = DCA)
| Other domains: DOMAINB, DOMAINC (domain controllers DCB and DCC)
|
|
| 1) When samba tries to connect via kerberos to other
| domains, which principal is it supposed to use? I'd think
| it is SAMBA$@DOMAINA. What I see is that it first connects
| via LDAP using this machine account but then tries to connect
| via kerberos with DCB$@DOMAINB or DCC$@DOMAINC. Is this
| correct, or am I not understanding the logfiles correctly?
It should be obtaining a service for DCC$@DOMAINC. That's
probably what you are seeing.
| 2) Is wbinfo --set-auth-user still needed? I'm not using
| it because I read somewhere that with 3.0+ it is not needed
| anymore.
Generally it is not needed. Certainly not when all the
domains are AD and the Samba host is configured with
'security = ads'.
| 3) My krb5.conf doesn't contain any references to
| servers. All it contains is dns_lookup_realm=true,
| dns_lookup_kdc=true and default_realm=XXXXX. Do I
| need anything specific, or can current krb5 obtain everything
| it needs from the DNS?
DNS is fine. That's how I run. Make sure that the appropriate
SRV records are in DNS though.
| 4) Do I need to do the ktpass thing at the windows DC?
Nope. It is all handled by the AD trusts.
Hope this helps.
cheers, jerry
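Jerry's advice above is to rely on DNS but make sure the right SRV records exist. The script below is an added example written for this page, not code from the thread or from the Samba project; it lists the SRV records an Active Directory realm publishes for Kerberos and LDAP discovery (which is what dns_lookup_kdc=true in krb5.conf relies on) and queries each one with dig, which it assumes is installed. The realm name SIDERAR.TECHINT.NET used in the usage line is taken from the log output earlier in the thread.

```shell
#!/bin/sh
# Added example: check that an AD realm publishes the DNS SRV records a
# 'security = ads' Samba member needs to locate KDCs and LDAP servers.

# Print the SRV record names expected for REALM, one per line.
# AD publishes them in lowercase under the realm's DNS zone.
ad_srv_names() {
    realm=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' \
        "_kerberos._tcp.$realm" \
        "_kerberos._udp.$realm" \
        "_kpasswd._tcp.$realm" \
        "_ldap._tcp.$realm" \
        "_kerberos._tcp.dc._msdcs.$realm" \
        "_ldap._tcp.dc._msdcs.$realm"
}

# Query every record for REALM with dig; print OK or MISSING per record.
# The return value is the number of missing records (0 means all present).
check_ad_srv() {
    missing=0
    for name in $(ad_srv_names "$1"); do
        # '|| true' keeps a resolver failure from aborting under 'set -e'
        answer=$(dig +short SRV "$name" 2>/dev/null || true)
        if [ -n "$answer" ]; then
            printf 'OK      %s -> %s\n' "$name" "$(printf '%s\n' "$answer" | head -n 1)"
        else
            printf 'MISSING %s\n' "$name"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Usage: sh check_srv.sh SIDERAR.TECHINT.NET [OTHER.REALM ...]
# Only runs the live queries when realms are given and dig is available.
if [ "$#" -gt 0 ] && command -v dig >/dev/null 2>&1; then
    for realm in "$@"; do
        check_ad_srv "$realm" || printf 'realm %s: some SRV records missing\n' "$realm"
    done
fi
```

A MISSING line for _kerberos._tcp.dc._msdcs.<realm> or _ldap._tcp.dc._msdcs.<realm> means the resolver Samba uses cannot find that realm's domain controllers at all, which is worth ruling out before looking at the principal names in the winbind log.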