I'm setting up a Solaris 10 server as a test Samba server with AD authentication. I'm running into a bit of an issue with Kerberos tickets. The setup is as follows: Solaris 10, Windows AD 2003/R2, native Solaris (sparc) Samba, Kerberos, LDAP (shipped with the distro) and IMU on Windows.

My LDAP client is working well: it validates getent passwd <user>, and I can run ldaplist -l passwd <user> and ldapsearch with no issues. My LDAP authentication is set to simple, with proxyDnuser. On Solaris I'm very sure I set up krb5.conf, smb.conf, pam.conf, nsswitch.conf and ntp.conf perfectly. The nsswitch is set to use 'files ldap' for both passwd and group, and 'dns files' for hosts. On Windows, the IMU UNIX attributes are set to the correct NIS domain.

I ran net ads join to successfully join the Solaris server to the AD; however, net ads keytab create simply returns a new line without any errors. When I checked on Windows after the net ADS join command, I see two service principals (SPNs). The capitalization is intentional, as this is how they appear when I run spnset hostname:

    HOST/HOSTNAME
    HOST/hostname.domain.com (FQDN)

I also set up a service account (user object) on Windows whose name is the same as the hostname (computer object). I generated the keytab file with:

    ktpass -princ host/fqdn@REALM -mapuser DOMAIN\SERVICEACCT$ -pass password -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab

I then FTPed this file over to the Solaris host, and when I try to authenticate a user login via AD, I get:

    PAM-KRB5 (auth): krb5_verify_init_creds failed: Server not found in Kerberos database

So, just for the heck of it, I generated another krb5.keytab with the following:

    ktpass -princ HOST/fqdn@REALM -mapuser DOMAIN\SERVICEACCT$ -pass password -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab

Please note the HOST in capitals. Now I get this error when testing with this keytab:

    PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found

Running PAM in debug mode didn't reveal anything specific other than the obvious. I have my DNS set up correctly, and nslookup for the DCs, GCs and LDAP servers returns properly. I can add the SPNs forcibly with host/hostname.domain.com and host/hostname and try different combinations. But... first I need to understand this behavior. Anyone???
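
A diagnostic sketch for the situation in the post above, added here as an example and not part of the original post: it lists the principals stored in a keytab and reports whether the one being looked up is present with exactly that spelling, since the two ktpass runs differ only in the case of host/HOST. It assumes the MIT keytab file format (version 0x0502) and a case-sensitive principal comparison as in MIT Kerberos; the function names, the host host1.example.com and the realm EXAMPLE.COM are constructed for illustration.

```python
import struct

def _counted(data, p):
    """Read a uint16-length-prefixed field; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n

def build_entry(realm, comps, kvno=1, enctype=3, key=b"\x00" * 8):
    """Serialize one entry. Constructed sample data only; the key is a dummy."""
    fields = [realm.encode()] + [c.encode() for c in comps]
    body = struct.pack(">H", len(comps))
    body += b"".join(struct.pack(">H", len(f)) + f for f in fields)
    body += struct.pack(">IIB", 1, 0, kvno)         # name type, timestamp, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from keytab bytes (format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                               # treated as end of entries
            break
        if size < 0:                                # deleted slot: skip its bytes
            pos -= size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        _ntype, _ts, kvno, enctype = struct.unpack_from(">IIBH", data, p)
        _key, p = _counted(data, p + 11)
        if pos + size - p >= 4:                     # optional 32-bit kvno
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos += size
    return entries

def check_principal(entries, expected):
    """Exact, case-sensitive lookup; also flags an entry differing only in case."""
    names = [e[0] for e in entries]
    if expected in names:
        return "exact match"
    near = [n for n in names if n.lower() == expected.lower()]
    return "case mismatch: " + near[0] if near else "not present"

# Constructed sample: a keytab holding HOST/... in capitals, enctype 3 (DES-CBC-MD5).
SAMPLE = b"\x05\x02" + build_entry("EXAMPLE.COM", ["HOST", "host1.example.com"])
```

To inspect a real file, pass the bytes of the keytab to parse_keytab and compare the result with the SPNs registered in AD.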