[Samba] Joined 2 samba servers to ADS but kinit in winbindd failed for one of them!

Gerald (Jerry) Carter jerry at samba.org
Fri Aug 25 20:57:29 GMT 2006


Ephi Dror wrote:

> In particular, of course is the "userPrincipalName" 
> which is used by winbindd.

What version are you running?  Current versions of winbindd
(3.0.23+) do not use the UPN for obtaining the TGT since we
do not create that attribute by default when joining the
domain any more.  We are only guaranteed that the sAMAccountName
attribute exists.

> As you can see below, one system missing some info and 
> the other system missing other info.
> I quickly used ldapmodify command to add the missing 
> info that I expected SAMBA to do when it joined
> the domain and things started to work as a Swiss Watch.
> I would appreciate if anyone have any idea for the following:
> 1. Why not all attributes SAMBA wanted to add at
> ads_add_machine_acct() was actually added? Was it
> something wrong with my AD?

My guess is that you are working with either an old
machine object or an older version of Samba.  There is
no need for the UPN unless you just have to 'kinit -k'
working from a keytab file.

> 2. Why I did not get any warning that things were not 
> fully written to AD or not fully at the AD already?

See above.

> 3. Why not failing the join domain if the info is not there, I mean
> winbindd can't possibly continue without for example having
> "userPrincipalName" in the computer object.

Not true.

btw...if you are missing the SPN attribute clients will
never be able to obtain a service ticket for our Samba host.

cheers, jerry
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
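
The attribute dependencies described in this reply can be checked against an `ldapsearch` LDIF dump of the machine objects after a join. This is an added example, not part of the original message and not Samba code; the host names, domain and LDIF sample are constructed, and the function names are hypothetical.

```python
import base64

# Constructed sample LDIF for two machine objects (hypothetical names).
SAMPLE_LDIF = """\
dn: CN=FILESRV1,CN=Computers,DC=example,DC=test
sAMAccountName: FILESRV1$
servicePrincipalName: HOST/filesrv1.example.test
servicePrincipalName: HOST/FILESRV1

dn: CN=FILESRV2,CN=Computers,DC=example,DC=test
sAMAccountName:: RklMRVNSVjIk
userPrincipalName: HOST/filesrv2.example.test@EXAM
 PLE.TEST
"""

# Attribute -> consequence when absent, as stated in the reply above.
CHECKS = [
    ("samaccountname", "winbindd (3.0.23+) uses sAMAccountName to obtain the TGT"),
    ("serviceprincipalname", "clients cannot obtain a service ticket for this host"),
    ("userprincipalname", "only needed for 'kinit -k' from a keytab file"),
]

def parse_ldif(text):
    """Return {dn: {attr_lower: [values]}}; handles folded and base64 lines."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # LDIF continuation line
        else:
            unfolded.append(line)
    entries, current = {}, None
    for line in unfolded:
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(name.lower(), []).append(value)
    return entries

def audit(entries):
    """Return {dn: [(missing_attribute, consequence), ...]}."""
    return {dn: [(a, why) for a, why in CHECKS if not attrs.get(a)]
            for dn, attrs in entries.items()}

if __name__ == "__main__":
    for dn, missing in audit(parse_ldif(SAMPLE_LDIF)).items():
        for attr, why in missing:
            print(f"{dn}: missing {attr} ({why})")
```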