[Samba] Samba 4 and GSSAPI kerberos ldap connect

steve steve at steve-ss.com
Thu Jan 19 12:00:22 MST 2012

On 19/01/12 19:11, steve wrote:
> http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#badpass
> I'm working as client and host on the same box here. Could this be the 
> cause of the
> Decrypt integrity check failed
> ??
> Cheers
> Steve
Just to confirm:

samba-tool spn delete host
samba-tool spn add ldap/hh3.site host-account
samba-tool domain exportkeytab /etc/ldap.keytab --principal=ldap/hh3.site

kinit host-account
chmod 0644 /tmp/krb500_0

rcnslcd restart

samba gives:
ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ host-account at HH3.SITE from ipv4: for ldap/hh3.site at HH3.SITE [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-19T19:49:59 starttime: 2012-01-19T19:51:33 endtime: 2012-01-20T05:49:59 renew till: 
GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Decrypt integrity check failed
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

The key in the keytab is not the same as the key in the KDC

If we can answer that, we're there.
