[Samba] Samba 4 and GSSAPI kerberos ldap connect

steve steve at steve-ss.com
Fri Jan 27 00:40:13 MST 2012

On 01/27/2012 05:37 AM, Andrew Bartlett wrote:
> On Sun, 2012-01-22 at 15:32 +0100, steve wrote:
>> even though I've made a ldap/hh3.site principal:
>> hh3:/tmp # samba-tool spn add ldap/hh3.site Administrator
>> hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab
>> --principal=ldap/hh3.site
>> Why do I get the
>> Decrypt integrity check failed
>> error?
> Why do you keep doing this?
> What makes you think this is the right thing to do (so I can correct
> whatever gave you this misconception).
> Samba will not read /etc/ldap.keytab.
> Samba uses the private keytab containing it's own machine account only.
> Samba should not be contacted via the dns domain name, it should be
> contacted by the fully qualified domain name.
> The fact the dns domain name (hh3.site) resolves is an artefact of the
> default AD DNS zone, but should not be used.  If your client uses the
> fully qualified name (dc.hh3.site), it will collect the correct ticket,
> and Samba will decrypt it.
> Thanks,
> Andrew Bartlett

Thanks for pointing this out. It turned out that when I provisioned, I 
had the fqdn wrong. Duh! I set that correctly in /etc/hosts, 
reprovisioned and everything sprang to life. ldapsearch -Y GSSAPI worked 
and I could extract stuff I'd put into the s4 LDAP database so our Linux 
users could connect.

I have still not been able to get winbind nor the fileserver working, so 
I've added nfs4 for the Linux clients and there I did need to add a 
principal for the kerberized nfs, otherwise the nfs server would not 
start. It's a bit of a hack but it's good enough for us at the moment. I 
got around the user id mappings as described here:

Thanks for your time,

More information about the samba mailing list