[Samba] testjoin happy but kerberos broken
Jason Haar
Jason_Haar at trimble.com
Fri Apr 13 23:18:23 MDT 2012
Hi there
I've got a problem CentOS-4.9 Samba server that we have never been able
to join to an existing Win2K3/Win2K8 AD domain correctly. We have before
and since installed Samba successfully on other sites btw. We actually
have 55+ CentOs-4.9 Samba servers world-wide with identical configs -
there's something about this one.
Anyway, "net ads join -Uadmininstrator...." works mostly - but we
continually get
Using short domain name -- DOM
Joined 'HOST-01' to realm 'dom.ain'
[2012/04/14 05:04:15.150928, 0] libads/kerberos.c:333(ads_kinit_password)
kerberos_kinit_password HOST-01$@DOM.AIN failed: Preauthentication failed
You can see Samba says it joined - but it's followed by this kerberos
error. No errors show up in the eventlogs of the DCs (but I do see the
login event), "net ads testjoin" says OK - but no-one can connect to the
shares. Even "wbinfo -u" is weird - it shows the users from *some* of
the trusted domains - but none from the domain the server is a member
of!!! To confirm: "id dom\user" returns "no such user" for any valid
username in the domain that it is a member of. I can kinit user at DOM just
fine and can connect to Windows servers - but I get a kerberos error
when attempting to connect to this Samba server - and as expected it's
unhappy because it can't find the user
I have tried this with several 3.5 releases - including 3.5.14, and have
tried it with 3.6.X too - nothing seems to work. I have used "-S" to
join the domain via DCs in other sites (in case there was some issue
with the local DC) - but it should go without saying that no Windows
client is having any issues - it's just Samba
Any ideas where to look next? The local DC isn't a RODC either (although
it used to be - I forced the Windows guys to upgraded it to a full DC in
an attempt to fix this problem - didn't help)
Thanks!
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
More information about the samba
mailing list