[Samba] ldap+kerberos+samba

Andrew Bartlett abartlet at samba.org
Mon Feb 18 16:45:28 MST 2013


On Mon, 2013-02-18 at 16:52 -0300, Friedrich Locke wrote:
> Dear list members,
> 
> I am trying to get ldap + samba + kerberos working and have tried to
> make the proper configuration.
> Integrating samba + ldap was pretty easy, but getting kerberos to work
> seems a nightmare.
> 
> Here is what I tried (copied and pasted from my link client):
> 
> harley at 802-1x:/etc/samba$ kdestroy
> harley at 802-1x:/etc/samba$ kinit
> harley at UFV.BR's Password:
> harley at 802-1x:/etc/samba$ klist
> Credentials cache: FILE:/tmp/krb5cc_1000
>         Principal: harley at UFV.BR
> 
>   Issued                Expires               Principal
> Feb 18 15:53:33 2013  Feb 18 19:53:33 2013  krbtgt/UFV.BR at UFV.BR
> harley at 802-1x:/etc/samba$ smbclient //802-1x.cpd.ufv.br/printers -k
> session setup failed: NT_STATUS_LOGON_FAILURE
> harley at 802-1x:/etc/samba$ klist
> Credentials cache: FILE:/tmp/krb5cc_1000
>         Principal: harley at UFV.BR
> 
>   Issued                Expires               Principal
> Feb 18 15:53:33 2013  Feb 18 19:53:33 2013  krbtgt/UFV.BR at UFV.BR
> Feb 18 15:53:44 2013  Feb 18 19:53:33 2013  cifs/802-1x.cpd.ufv.br at UFV.BR
> harley at 802-1x:/etc/samba$
> 
> 
> 
> We can realize that smbclient is fetching the ticket to cifs service.
> But why NT_STATUS_LOGON_FAILURE?
> Nothing appears on smbd logs.

How is samba connected to the krb5 realm?  What configuration options
have you set to make it use a keytab?  

That all said, this kind of frustration is why I worked so hard on Samba
4.0 as an AD DC, because it provides the server-side integration of
LDAP, Kerberos and the Domain protocols that allow Samba and Windows
member servers to join it, and for it to 'just work'.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



