[Samba] Samba 4 and GSSAPI kerberos ldap connect

Andrew Bartlett abartlet at samba.org
Thu Jan 26 21:37:45 MST 2012

On Sun, 2012-01-22 at 15:32 +0100, steve wrote:

> even though I've made a ldap/hh3.site principal:
> hh3:/tmp # samba-tool spn add ldap/hh3.site Administrator
> hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab 
> --principal=ldap/hh3.site
> Why do I get the
> Decrypt integrity check failed
> error?

Why do you keep doing this?

What makes you think this is the right thing to do (so I can correct
whatever gave you this misconception). 

Samba will not read /etc/ldap.keytab.  

Samba uses the private keytab containing its own machine account only.
Samba should not be contacted via the dns domain name, it should be
contacted by the fully qualified domain name.  

The fact the dns domain name (hh3.site) resolves is an artefact of the
default AD DNS zone, but should not be used.  If your client uses the
fully qualified name (dc.hh3.site), it will collect the correct ticket,
and Samba will decrypt it.


Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
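An added example (not part of the thread) showing why the target name matters: a GSSAPI LDAP client derives the service principal it asks the KDC for from the host in the LDAP URI (DNS canonicalisation ignored here), so ldap://hh3.site requests ldap/hh3.site, which is not in the DC's private keytab, while ldap://dc.hh3.site requests the principal the DC actually holds. The host and domain names are the ones from the thread; the realm HH3.SITE is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Works out which Kerberos
# service principal a GSSAPI LDAP client will request for a given LDAP
# URI and flags the bare-domain-name case Andrew describes.

# Print the host part of an ldap:// or ldaps:// URI (port/path stripped).
ldap_host() {
    printf '%s\n' "$1" | sed -e 's#^ldaps\{0,1\}://##' -e 's#[/:].*$##'
}

# Print the SPN the client will ask the KDC for when talking to URI $1
# in realm $2 (realm is an assumption; DNS canonicalisation is ignored).
expected_spn() {
    printf 'ldap/%s@%s\n' "$(ldap_host "$1")" "$2"
}

# Return 0 if the URI names a host under the AD domain (e.g. dc.hh3.site),
# 1 if it names the bare domain itself (e.g. hh3.site): the DC's private
# keytab holds ldap/dc.hh3.site only, so a ticket for ldap/hh3.site fails
# with "Decrypt integrity check failed". 2 means host not in the domain.
check_ldap_target() {
    uri=$1; domain=$2
    host=$(ldap_host "$uri")
    case "$host" in
        "$domain")   return 1 ;;
        *."$domain") return 0 ;;
        *)           return 2 ;;
    esac
}

# Demonstration with the names from the thread (realm assumed).
for uri in ldap://hh3.site ldap://dc.hh3.site:389; do
    if check_ldap_target "$uri" hh3.site; then
        echo "OK   $uri -> requests $(expected_spn "$uri" HH3.SITE)"
    else
        echo "BAD  $uri -> requests $(expected_spn "$uri" HH3.SITE); use the DC's FQDN"
    fi
done
```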
