[Samba] Joined 2 samba servers to ADS but kinit in winbindd failed for one of them!

Howard Wilkinson howard at cohtech.com
Thu Aug 24 21:51:07 GMT 2006


Ephi,

Can you please supply the smb.conf and krb5.conf from both machines,
this looks like a Unix end (i.e. client of AD) problem at first glance.
Also, if you have an LDAP browser, see what has been set on the computer
account objects in the AD, rather than the sanitised version you see
through ADUC.

Howard.

-----Original Message-----
From: samba-bounces+howard=cohtech.com at lists.samba.org
[mailto:samba-bounces+howard=cohtech.com at lists.samba.org] On Behalf Of
Ephi Dror
Sent: 24 August 2006 20:25
To: samba at lists.samba.org
Subject: [Samba] Joined 2 samba servers to ADS but kinit in winbindd
failed for one of them!

Hi All,
 
I have a strange situation in which two systems running SAMBA (same
version) have successfully joined an ADS.
 
However, one has no problem using winbindd/wbinfo to communicate with
the domain and kinit in winbindd works fine.
 
But the other is failing with a kinit problem as follows:
 
[2006/08/21 20:15:56, 0, pid=19247] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password host/XXX at YYY.NET failed: Client not found in Kerberos database
[2006/08/21 20:15:56, 1, pid=19247] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain YYY failed: Client not found in Kerberos database
[2006/08/21 20:15:56, 5, pid=19247] nsswitch/winbindd_util.c:add_trusted_domains(202)

Now, when I issue "net ads status" on both SAMBA systems I see the
following.
 
On the Machine that has no problem with kinit winbindd:
userPrincipalName: HOST/banpfs01 at YYY.NET
And
operatingSystem: Samba
 
On the Machine that has a problem with kinit in winbindd:
servicePrincipalName: HOST/sjcpnas03.yyy.net
servicePrincipalName: HOST/SJCPNAS03
No info on operatingSystem.
 
So I understand why kinit is failing (because there is no
userPrincipalName), but why?
Why was net ads join successful when, on the other hand, there is no
userPrincipalName?
Where are the servicePrincipalName entries coming from?
 
I would appreciate it if anyone has an idea how two identical systems come
up on the AD differently.
 
In both systems, the computer account was created on the AD at the same
OU.
 
I'll be happy to update you if I find any answer.
 
 
Cheers,
Ephi
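
The by-eye comparison in the message above, as an added example that is not part of the original thread: it parses `net ads status`-style `attribute: value` lines and reports whether the computer object carries a userPrincipalName matching the principal winbindd passes to kinit. The sample text is constructed from the attributes quoted in the post, and the hostname used in place of the redacted XXX is an assumption.

```python
import re

# Constructed samples: only the attribute lines quoted in the post, in the
# "attribute: value" layout shown there ("@" written instead of " at ").
WORKING = """\
userPrincipalName: HOST/banpfs01@YYY.NET
operatingSystem: Samba
"""
FAILING = """\
servicePrincipalName: HOST/sjcpnas03.yyy.net
servicePrincipalName: HOST/SJCPNAS03
"""


def parse_ads_status(text):
    """Collect 'attribute: value' lines into {attribute: [values]}; attributes may repeat."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][\w-]*):\s*(.+?)\s*$", line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if name == "userPrincipalName":
            # Undo the list archive's " at " obfuscation of "@" if present.
            value = re.sub(r"\s+at\s+", "@", value)
        attrs.setdefault(name, []).append(value)
    return attrs


def check_machine_account(text, principal):
    """Return findings for the principal seen in the kerberos_kinit_password log line."""
    attrs = parse_ads_status(text)
    # Compared case-insensitively: the post shows HOST/ in AD and host/ in the log.
    upns = [u.lower() for u in attrs.get("userPrincipalName", [])]
    findings = []
    if not upns:
        findings.append("no userPrincipalName on the computer object")
    elif principal.lower() not in upns:
        findings.append("userPrincipalName does not match " + principal)
    if "operatingSystem" not in attrs:
        findings.append("operatingSystem not set")
    spns = attrs.get("servicePrincipalName", [])
    if spns:
        findings.append("servicePrincipalName present: " + ", ".join(spns))
    return findings


if __name__ == "__main__":
    # Hostnames in the principals are assumptions standing in for the redacted XXX.
    print("working:", check_machine_account(WORKING, "host/banpfs01@YYY.NET"))
    print("failing:", check_machine_account(FAILING, "host/sjcpnas03@YYY.NET"))
```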