I suspect I might be grossly misunderstanding kerberos and AD here, but I
can't seem to grok the following.

net ads join integrates my linux samba server (named foundry) into an AD
domain and all works fine. The samba server is using the kerberos keytab.

root@foundry:~ # kinit -k -t /etc/krb5.keytab foundry$
root@foundry:~ # kinit -k -t /etc/krb5.keytab host/foundry.example.local
kinit(v5): Client not found in Kerberos database while getting initial credentials

Why can't kinit find the service host/foundry.example.local in the AD
Kerberos database? It seems to be in the local linux server keylist:

root@foundry:~ # klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/foundry.example.local@EXAMPLE.LOCAL
   2 host/foundry.example.local@EXAMPLE.LOCAL
.... cut ...

What am I missing here?

Thanks,

Bradley
Hi,

try

net ads join createupn=host/foundry.example.local

- Mark

On Tue, Feb 20, 2007 at 05:57:47PM +1000, Bradley Schatz wrote:
> I suspect I might be grossly misunderstanding kerberos and AD here, but I
> can't seem to grok the following.
>
> net ads join integrates my linux samba server (named foundry) into an AD
> domain and all works fine. The samba server is using the kerberos keytab.
>
> root@foundry:~ # kinit -k -t /etc/krb5.keytab foundry$
> root@foundry:~ # kinit -k -t /etc/krb5.keytab host/foundry.example.local
> kinit(v5): Client not found in Kerberos database while getting initial
> credentials
>
> Why can't kinit find the service host/foundry.example.local in the AD
> Kerberos database? It seems to be in the local linux server keylist:
>
> root@foundry:~ # klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 host/foundry.example.local@EXAMPLE.LOCAL
>    2 host/foundry.example.local@EXAMPLE.LOCAL
> .... cut ...
>
> What am I missing here?
>
> Thanks,
>
> Bradley
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark Proehl wrote:
> Hi,
>
> try
>
> net ads join createupn=host/foundry.example.local

Or just "kinit -k foundry$"

You can only gain a TGT using a UPN or sAMAccountName. By default,
computers do not have a user principal name.

cheers, jerry
====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF2yPHIR7qMdg1EfYRArjlAJ9alfqRIgDclijXY+kxfBpb041/lgCgpLlk
WStR7FHeIrpL4Fm86YX4bcw=
=epof
-----END PGP SIGNATURE-----
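The point Jerry makes (a keytab entry is only usable for kinit if the same name is the computer's sAMAccountName or its userPrincipalName; an SPN such as host/foundry.example.local is a service ticket target, not a client name) is easy to check offline before touching a domain. The script below is an added example, not code from the thread or from Samba: it writes and reads an MIT-format (version 0x0502) keytab, which is what `klist -k` lists, and then classifies each keytab principal against a constructed set of AD computer-account attributes. The account dictionaries, the 16/32-byte key bytes, the timestamp and the enctype numbers are all made up for illustration; the `createupn` scenario from Mark's reply is modelled by setting userPrincipalName.

```python
import struct
from dataclasses import dataclass

# Constructed example: MIT keytab (0x0502) writer/reader plus a check of which
# keytab principals an AD KDC will issue a TGT for.  The account attributes used
# with classify_principals() are illustrative, not read from a real domain.

KEYTAB_MAGIC = b"\x05\x02"
NT_PRINCIPAL = 1  # name type Samba/MIT record for keytab entries


@dataclass
class KeytabEntry:
    principal: str   # e.g. host/foundry.example.local@EXAMPLE.LOCAL
    kvno: int
    enctype: int
    timestamp: int


def _octets(data: bytes) -> bytes:
    """Counted octet string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_octets(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode(), pos + n


def build_keytab(entries) -> bytes:
    """Serialise (principal, kvno, enctype, key, timestamp) tuples as a v2 keytab."""
    out = KEYTAB_MAGIC
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        for comp in comps:
            body += _octets(comp.encode())
        body += struct.pack(">IIB", NT_PRINCIPAL, ts, kvno & 0xFF)  # 8-bit vno
        body += struct.pack(">H", enctype) + _octets(key)
        body += struct.pack(">I", kvno)  # 32-bit vno extension (needed for kvno > 255)
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data: bytes):
    """Return the KeytabEntry list in `data`, i.e. what `klist -k` prints."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:             # negative size: a deleted slot of that length
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_octets(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_octets(data, pos)
            comps.append(comp)
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4 + keylen        # skip the key material itself
        kvno = vno8
        if end - pos >= 4:       # optional 32-bit vno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, ts))
    return entries


def classify_principals(entries, account):
    """Map each keytab principal to how an AD KDC can treat it as a client name.

    `account` holds the computer object's sAMAccountName, userPrincipalName
    (or None) and servicePrincipalName list.  Only the first two are valid
    AS-REQ client names; an SPN-only name gets 'Client not found in Kerberos
    database' from kinit.  AD matches names case-insensitively.
    """
    upn = (account.get("userPrincipalName") or "").lower()
    sam = account["sAMAccountName"].lower()
    spns = {s.lower() for s in account.get("servicePrincipalName", [])}
    result = {}
    for e in entries:
        name = e.principal.rsplit("@", 1)[0]
        if name.lower() == sam:
            result[e.principal] = "tgt:sAMAccountName"
        elif upn and e.principal.lower() == upn:
            result[e.principal] = "tgt:userPrincipalName"
        elif name.lower() in spns:
            result[e.principal] = "spn-only"   # service ticket target, not a client
        else:
            result[e.principal] = "unknown"
    return result


if __name__ == "__main__":
    kt = build_keytab([("host/foundry.example.local@EXAMPLE.LOCAL", 2, 23, b"\x11" * 16, 1171950000),
                       ("foundry$@EXAMPLE.LOCAL", 2, 23, b"\x22" * 16, 1171950000)])
    computer = {"sAMAccountName": "foundry$", "userPrincipalName": None,
                "servicePrincipalName": ["HOST/foundry.example.local", "HOST/FOUNDRY"]}
    for principal, how in classify_principals(parse_keytab(kt), computer).items():
        print(f"{principal:45} {how}")
```

Run as-is it reports the situation from the original post: `foundry$@EXAMPLE.LOCAL` is `tgt:sAMAccountName` and `host/foundry.example.local@EXAMPLE.LOCAL` is `spn-only`; setting `userPrincipalName` to the host principal (what `createupn=` does) flips the second to `tgt:userPrincipalName`. Parsing the real `/etc/krb5.keytab` only needs `parse_keytab(open(path, "rb").read())`; the file is root-readable key material, so keep any copy of it out of logs and tickets.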