[Samba] Issue with joining to ADS2003 domain
Brian O'Mahony
brian.omahony at curamsoftware.com
Thu Oct 27 09:15:50 MDT 2011
I have set up LDAP/KRB5 access to my active directory network.
If I do a getent passwd, I see the users with a unix UID/GID.
If I use kinit, I can get a token.
If I su to a user, it creates a home folder, and shows correct IDs etc.
However the machine will not log in via ssh or the GUI. In secure I see:
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: ccache dir: /tmp
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: keytab: FILE:/etc/krb5.keytab
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: called to authenticate 'ipillion', realm 'MYDOMAIN.COM'
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: authenticating 'ipillion at MYDOMAIN.COM'
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: trying previously-entered password for 'ipillion', allowing libkrb5 to prompt for more
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: authenticating 'ipillion at MYDOMAIN.COM' to 'krbtgt/MYDOMAIN.COM at MYDOMAIN.COM'
Oct 27 11:14:56 rhelads sshd[4190]: pam_krb5[4190]: krb5_get_init_creds_password(krbtgt/MYDOMAIN.COM at MYDOMAIN.COM) returned 0 (Success)
Oct 27 11:14:56 rhelads sshd[4190]: pam_krb5[4190]: validating credentials
Oct 27 11:15:16 rhelads sshd[4190]: pam_krb5[4190]: error guessing name of local host principal
Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: TGT failed verification using keytab: Hostname cannot be canonicalized
Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: got result 0 (Success)
Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: authentication fails for 'ipillion' (ipillion at MYDOMAIN.COM): Authentication failure (Success)
Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: pam_authenticate returning 7 (Authentication failure)
Oct 27 11:15:38 rhelads sshd[4190]: Failed password for ipillion from 172.16.165.122 port 57518 ssh2
Oct 27 11:15:40 rhelads sshd[4193]: Connection closed by 172.16.165.122
So I try to join the machine to the domain:
libads/sasl.c:ads_sasl_spengo_bind(819)
kinit suceeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Failed to join domain: failed to connect to AD: Invalid credentials
My smb.conf is here:
[global]
workgroup = ITD2
realm = mydomain.com
security = ads
user kerberos keytab = true
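An added example, not part of the original post: a small Python pass over pam_krb5 debug lines in the format shown above. It separates sessions where the KDC rejected the password from sessions where the password was accepted but TGT validation against the keytab failed, and measures how long validation took. The sample lines are constructed with a placeholder host and realm, and the year is an assumption because syslog timestamps omit it.

```python
import re
from datetime import datetime

# Constructed sample in the same format as the log in the post (placeholder host and realm).
SAMPLE = """\
Oct 27 11:14:56 host1 sshd[4190]: pam_krb5[4190]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM at EXAMPLE.COM) returned 0 (Success)
Oct 27 11:14:56 host1 sshd[4190]: pam_krb5[4190]: validating credentials
Oct 27 11:15:16 host1 sshd[4190]: pam_krb5[4190]: error guessing name of local host principal
Oct 27 11:15:36 host1 sshd[4190]: pam_krb5[4190]: TGT failed verification using keytab: Hostname cannot be canonicalized
Oct 27 11:15:36 host1 sshd[4190]: pam_krb5[4190]: pam_authenticate returning 7 (Authentication failure)
Oct 27 11:20:01 host1 sshd[4200]: pam_krb5[4200]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM at EXAMPLE.COM) returned 0 (Success)
Oct 27 11:20:01 host1 sshd[4200]: pam_krb5[4200]: validating credentials
Oct 27 11:20:01 host1 sshd[4200]: pam_krb5[4200]: pam_authenticate returning 0 (Success)
"""

YEAR = 2000  # assumption: syslog lines carry no year; any fixed year works for time deltas
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ \S+: pam_krb5\[(\d+)\]: (.*)$")

def classify(log_text):
    """Return {pid: summary} for each pam_krb5 session found in log_text."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a pam_krb5 debug line
        ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        s = sessions.setdefault(m.group(2), {"kdc_accepted_password": False, "_start": None,
                                             "validation_secs": None, "keytab_error": None,
                                             "pam_result": None})
        msg = m.group(3)
        if msg.startswith("krb5_get_init_creds_password") and "returned 0 " in msg:
            s["kdc_accepted_password"] = True      # the KDC issued a TGT for this password
        elif msg == "validating credentials":
            s["_start"] = ts                       # TGT check against the keytab begins
        elif msg.startswith("TGT failed verification using keytab:"):
            s["keytab_error"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("pam_authenticate returning"):
            s["pam_result"] = int(msg.split()[2])
            if s["_start"]:
                s["validation_secs"] = (ts - s["_start"]).total_seconds()
    for s in sessions.values():
        s.pop("_start")
        s["stage"] = ("ok" if s["pam_result"] == 0
                      else "password" if not s["kdc_accepted_password"]
                      else "tgt-validation" if s["keytab_error"] else "other")
    return sessions
```

A session reported as `tgt-validation` with a large `validation_secs` matches the pattern in the log above: the password was accepted, and the failure came later while the module tried to work out the local host principal.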