[Samba] Samba 4 and GSSAPI kerberos ldap connect

steve steve at steve-ss.com
Thu Jan 19 12:00:22 MST 2012


On 19/01/12 19:11, steve wrote:
> http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#badpass
>
> I'm working as client and host on the same box here. Could this be the 
> cause of the
> Decrypt integrity check failed
> ??
>
> Cheers
> Steve
Just to confirm:

samba-tool spn delete host
samba-tool spn add ldap/hh3.site host-account
samba-tool domain exportkeytab /etc/ldap.keytab --principal=ldap/hh3.site

kinit host-account
chmod 0644 /tmp/krb500_0

rcnslcd restart

samba gives:
ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ host-account at HH3.SITE from ipv4:192.168.1.3:37883 for 
ldap/hh3.site at HH3.SITE [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-19T19:49:59 starttime: 
2012-01-19T19:51:33 endtime: 2012-01-20T05:49:59 renew till: 
2012-01-20T19:49:55
GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see 
text): Decrypt integrity check failed
Terminating connection - 'ldapsrv_call_loop: 
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

The key in the keytab is not the same as the key in the KDC.
Why???

If we can answer that, we're there.
Cheers,
Steve
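
An added example, not part of the original message and not Samba's own code: a parser for the version 0x0502 file keytab format that lists each entry's principal, kvno and enctype, so the exported /etc/ldap.keytab can be compared with the ticket the KDC issued. The helper names and the sample entry (ldap/hh3.site, kvno 2, arcfour-hmac, all-zero key) are constructed for illustration.

```python
import struct
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def _entry(e):
    pos = 0
    def take(fmt):                      # read one big-endian field and advance
        nonlocal pos
        (val,) = struct.unpack_from(fmt, e, pos)
        pos += struct.calcsize(fmt)
        return val
    def counted():                      # uint16 length, then that many bytes
        nonlocal pos
        n = take(">H")
        pos += n
        if pos > len(e):
            raise ValueError("truncated keytab entry")
        return e[pos - n:pos]
    ncomp = take(">H")                  # component count, realm not included
    realm = counted().decode()
    name = "/".join(counted().decode() for _ in range(ncomp))
    take(">I"); take(">I")              # name type, timestamp (unused here)
    kvno, enctype, key = take(">B"), take(">H"), counted()
    if len(e) - pos >= 4:               # optional 32-bit kvno overrides the 8-bit one
        kvno = take(">I") or kvno
    return (f"{name}@{realm}", kvno, ENCTYPES.get(enctype, str(enctype)), len(key))

def parse_keytab(data):
    """List (principal, kvno, enctype, key_length) for each live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:
            out.append(_entry(data[pos:pos + size]))
        pos += abs(size)                # negative size marks a deleted slot
    return out

def sample_keytab():
    """Constructed sample: one ldap/hh3.site entry, kvno 2, arcfour-hmac, zero key."""
    c = lambda b: struct.pack(">H", len(b)) + b
    e = (struct.pack(">H", 2) + c(b"HH3.SITE") + c(b"ldap") + c(b"hh3.site")
         + struct.pack(">IIBH", 1, 0, 2, 23) + c(bytes(16)) + struct.pack(">I", 2))
    return b"\x05\x02" + struct.pack(">i", len(e)) + e

def key_for(entries, principal, kvno, enctype):
    """True if some entry matches the ticket's principal, kvno and enctype."""
    return any(e[:3] == (principal, kvno, enctype) for e in entries)
```

Pass the bytes of the real keytab to parse_keytab() and give key_for() the kvno and enctype shown for the ldap/hh3.site service ticket in the client's credential cache. A False result means the server has no key the ticket could have been encrypted with; a True result does not by itself prove the key bytes are identical.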

