Ephi Dror
2006-Aug-24 19:25 UTC
[Samba] Joined 2 samba servers to ADS but kinit in winbindd failed for one of them!
Hi All,

I have a strange situation in which two systems running SAMBA (same version) have successfully joined an ADS. However, one has no problem using winbindd/wbinfo to communicate with the domain, and kinit in winbindd works fine. But the other is failing with a kinit problem as follows:

    2006/08/21 20:15:56, 0, pid=19247] libads/kerberos.c:ads_kinit_password(146)
      kerberos_kinit_password host/XXX@YYY.NET failed: Client not found in Kerberos database
    [2006/08/21 20:15:56, 1, pid=19247] nsswitch/winbindd_ads.c:ads_cached_connection(81)
      ads_connect for domain YYY failed: Client not found in Kerberos database
    [2006/08/21 20:15:56, 5, pid=19247] nsswitch/winbindd_util.c:add_trusted_domains(202)

Now, when I issue "net ads status" on both SAMBA systems I see the following.

On the machine that has no problem with kinit in winbindd:

    userPrincipalName: HOST/banpfs01@YYY.NET
    operatingSystem: Samba

On the machine that has a problem with kinit in winbindd:

    servicePrincipalName: HOST/sjcpnas03.yyy.net
    servicePrincipalName: HOST/SJCPNAS03

No info on operatingSystem.

So I understand why kinit is failing (because there is no userPrincipalName), but why? Why was net ads join successful when, on the other hand, there is no userPrincipalName? Where are the servicePrincipalName values coming from?

I would appreciate it if anyone has an idea how two identical systems come up on the AD differently. In both systems, the computer account was created on the AD in the same OU.

I'll be happy to update you if I find any answer.

Cheers,
Ephi
Howard Wilkinson
2006-Aug-24 21:51 UTC
[Samba] Joined 2 samba servers to ADS but kinit in winbindd failed for one of them!
Ephi,

Can you please supply the smb.conf and krb5.conf from both machines, this looks like a Unix end (i.e. client of AD) problem at first glance.

Also, if you have an LDAP browser see what has been set on the computer accounts objects in the AD, rather than the sanitised version you see through ADUC.

Howard.
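Added example, not part of either message: a small Python helper that compares two "net ads status" attribute dumps and checks whether the principal winbindd uses for kinit can be resolved as a Kerberos client name. It assumes the rule that an AD KDC looks up client names by userPrincipalName or sAMAccountName and never by servicePrincipalName; the sample dumps are constructed from the attribute lines quoted in the thread, and the kinit principals (including host/sjcpnas03@YYY.NET for the redacted host/XXX@YYY.NET) are assumptions.

```python
# Added example, not from the thread. Sample dumps are constructed from the
# attribute lines quoted in the post; the kinit principals are assumptions.
from collections import defaultdict

def parse_status(text):
    """Parse 'attribute: value' lines (the form shown for 'net ads status')
    into a dict mapping lower-cased attribute name -> list of values."""
    attrs = defaultdict(list)
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() and value.strip():
            attrs[name.strip().lower()].append(value.strip())
    return dict(attrs)

def client_principal_known(attrs, principal):
    """True if 'principal' matches userPrincipalName, or its name part matches
    sAMAccountName (both case-insensitive; realm not checked for the latter).
    servicePrincipalName values are ignored: they only name ticket targets."""
    upns = {v.lower() for v in attrs.get("userprincipalname", [])}
    sams = {v.lower() for v in attrs.get("samaccountname", [])}
    name = principal.partition("@")[0].lower()
    return principal.lower() in upns or name in sams

def compare(good, bad):
    """Attributes present on the working account but missing on the other."""
    return sorted(set(good) - set(bad))

WORKING = """\
userPrincipalName: HOST/banpfs01@YYY.NET
operatingSystem: Samba
"""
FAILING = """\
servicePrincipalName: HOST/sjcpnas03.yyy.net
servicePrincipalName: HOST/SJCPNAS03
"""

if __name__ == "__main__":
    good, bad = parse_status(WORKING), parse_status(FAILING)
    for label, attrs, princ in (("banpfs01", good, "host/banpfs01@YYY.NET"),
                                ("sjcpnas03", bad, "host/sjcpnas03@YYY.NET")):
        ok = client_principal_known(attrs, princ)
        print(f"{label}: kinit as {princ} -> "
              f"{'resolvable' if ok else 'Client not found'}")
    print("missing on failing account:", compare(good, bad))
```

Feeding it the full attribute dump read with an LDAP browser, as suggested in the reply, gives a complete diff of the two computer objects rather than only the lines quoted here.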