[Samba] Samba 4 GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed
steve
steve at steve-ss.com
Thu Jan 19 15:49:31 MST 2012
Hi everyone
I'm using nslcd to connect to Samba 4 LDAP. If I specify the binddn and
bindpw in /etc/nslcd.conf, no problem; getent passwd works and everything
is mapped just fine.
But when I try to do a kerberized bind to Samba 4 LDAP, I get this:
ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ host-account at HH3.SITE from ipv4:192.168.1.3:33002 for
ldap/hh3.site at HH3.SITE [canonicalize, renewable]
Kerberos: Searching referral for hh3.site
Kerberos: Returning a referral to realm SITE for server
ldap/hh3.site at HH3.SITE that was not found
Failed find a single entry for
(&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/SITE at HH3.SITE: no such
entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:33002
OK fine. So I use samba-tool to make a principal ldap/hh3.site and stick
it in a keytab. I use kinit to get a ticket for the principal holder.
Now that it can find the principal I get this error:
ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ host-account at HH3.SITE from ipv4:192.168.1.3:33982 for
ldap/hh3.site at HH3.SITE [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-19T23:22:44 starttime:
2012-01-19T23:25:59 endtime: 2012-01-20T09:22:44 renew till:
2012-01-20T23:22:38
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see
text): Decrypt integrity check failed
I think that this has something to do with what the KDC has and what the
keytab has. The KDC and the keytab are on the same openSUSE machine.
Deleting the principal brings me back to the first error and recreating
it to the second.
Can any Kerberos gurus help me with this one?
Thanks
Steve
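
One way to check the post's guess that the keytab and the KDC disagree, as an added example that is not part of the original post: compare the key version number (kvno) the KDC issues for ldap/hh3.site with the versions stored in the keytab. It assumes the output formats of the MIT krb5 tools `klist -k -e` and `kvno`; the sample text is constructed and the function names are hypothetical.

```python
import re

# Constructed sample of MIT krb5 `klist -k -e /etc/krb5.keytab` output.
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   1 ldap/hh3.site@HH3.SITE (arcfour-hmac)
   1 ldap/hh3.site@HH3.SITE (aes256-cts-hmac-sha1-96)
"""
# Constructed sample of MIT krb5 `kvno ldap/hh3.site` output: the key
# version the KDC used for the service ticket it just issued.
KVNO_OUTPUT = "ldap/hh3.site@HH3.SITE: kvno = 2\n"

ENTRY = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s+\(([^)]+)\)\s*$")
ISSUED = re.compile(r"^(\S+@\S+): kvno = (\d+)\s*$")

def parse_keytab(listing):
    """Return {principal: {kvno: {enctype, ...}}} from a keytab listing."""
    keys = {}
    for line in listing.splitlines():
        m = ENTRY.match(line)
        if m:  # header and separator lines do not match and are skipped
            kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
            keys.setdefault(principal, {}).setdefault(kvno, set()).add(enctype)
    return keys

def parse_kvno(output):
    """Return [(principal, kvno)] for each line of `kvno` output."""
    found = (ISSUED.match(line) for line in output.splitlines())
    return [(m.group(1), int(m.group(2))) for m in found if m]

def diagnose(listing, kvno_output):
    """Compare the KDC's key version with the versions held in the keytab."""
    keys = parse_keytab(listing)
    results = []
    for principal, issued in parse_kvno(kvno_output):
        held = keys.get(principal)
        if held is None:
            results.append((principal, "missing-from-keytab"))
        elif issued not in held:
            results.append((principal, "kvno-mismatch"))
        else:
            results.append((principal, "kvno-ok"))
    return results

if __name__ == "__main__":
    for principal, verdict in diagnose(KEYTAB_LISTING, KVNO_OUTPUT):
        print(principal, verdict)
```

A `kvno-ok` result only rules out a stale key version; it does not prove that the key material in the keytab is the one the KDC holds.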