[Samba] ldapsearch -> samba4

Steve Thompson smt at vgersoft.com
Mon Aug 13 14:19:46 MDT 2012 

Samba 4.0.0beta4, CentOS 6.3 (openldap 2.4.23-26.el6), samba-generated 
krb5.conf.

I have joined a Linux client to the samba4 domain and extracted the 
kerberos5 keytab (using "kerberos method = system keytab"):

 	# kinit Administrator (succeeds)
 	# net ads join createupn=host/<client.fqdn>@REALM -k (succeeds)
 	# net ads keytab create (succeeds)
 	# net ads testjoin (is OK)
 	# kdestroy
 	# kinit -k -t /etc/krb5.keytab (succeeds)

The userPrincipalName in the client's record on the DC is correct.

The results of an ldapsearch against the DC are not consistent:

 	# ldapsearch -H ldap://<dc-server> cn=<client-short-name>

always works, but with -N added it does the following:

* about 10% of the time it works perfectly;

* about 60% of the time it fails with:

 	ldap_sasl_interactive_bind_s: Invalid credentials (49)
 		additional info: SASL:[GSSAPI]: NT_STATUS_LOGON_FAILURE

* about 30% of the time it fails with:

 	ldap_sasl_interactive_bind_s: Local error (-2)
 		additional info: SASL(-1): generic failure: GSSAPI Error: An
 		invalid name was supplied (Unknown error)

while if the ldapsearch is performed on the DC itself, it fails 100% of 
the time (again, only with -N):

 	ldap_sasl_interactive_bind_s: Local error (-2)
 		additional info: SASL(-1): generic failure: GSSAPI Error:
 		Unspecified GSS failure.  Minor code may provide more information (Server
 		not found in Kerberos database)

The DNS looks fine to me; an "nslookup samba-domain.foo.bar" returns the 
IP addresses of the three DC's, but a reverse lookup of those IP's returns 
the DC's host names and not the domain name. These DNS entries are under 
control of Samba of course (except for the reverse DNS entries, which 
Samba does not create), but I don't know if this is what is playing havoc 
with Kerberos on the client.

Anyone know what is wrong? I am going blue in the face looking at this.

Steve
-- 
----------------------------------------------------------------------------
Steve Thompson                 E-mail:      smt AT vgersoft DOT com
Voyager Software LLC           Web:         http://www DOT vgersoft DOT com
39 Smugglers Path              VSW Support: support AT vgersoft DOT com
Ithaca, NY 14850
   "186,282 miles per second: it's not just a good idea, it's the law"
----------------------------------------------------------------------------

More information about the samba mailing list