Axel Suppantschitsch
2003-Sep-08 13:26 UTC
[Samba] MIT Kerberos 5 won't work with latest Samba 3.0.0cvs
As I learned from former threads, "net ads join" should not only join the Samba server to ADS, but also create Kerberos 5 credentials on the Linux box running Samba 3.0. Well, thanks Jerry, joining the Samba 3.0 to ADS works now, but I won't get any Kerberos 5 credentials. winbindd throws errors because of missing Kerberos credentials.

Kerberos 5 support is compiled into my samba binaries. I'm using the following RPMs of MIT Kerberos 5:

krb5-workstation-1.2.7-14
pam_krb5-1.60-1
krb5-devel-1.2.7-14
krb5-server-1.2.7-14
krb5-libs-1.2.7-14

Kerberos 5 is working like a charm with my Windows 2003 Server:

*** SNIP ***
[root@samba30srv source]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@samba30srv source]# kinit Administrator@SAMBA30.TEST
Password for Administrator@SAMBA30.TEST:
[root@samba30srv source]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@SAMBA30.TEST

Valid starting     Expires            Service principal
09/08/03 14:59:09  09/09/03 00:59:09  krbtgt/SAMBA30.TEST@SAMBA30.TEST

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@samba30srv source]# kdestroy
[root@samba30srv source]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@samba30srv source]#
*** SNAP ***

If I now join my Samba 3.0 server to my Windows 2003 ADS, I won't get any credentials:

*** SNIP ***
[root@samba30srv x]# net ads join -U Administrator -d3
[2003/09/08 15:15:16, 3] param/loadparm.c:lp_load(3914)
  lp_load: refreshing parameters
[2003/09/08 15:15:16, 3] param/loadparm.c:init_globals(1300)
  Initialising global parameters
[2003/09/08 15:15:17, 3] param/params.c:pm_process(566)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2003/09/08 15:15:17, 3] param/loadparm.c:do_section(3417)
  Processing section "[global]"
[2003/09/08 15:15:17, 2] lib/interface.c:add_interface(79)
  added interface ip=192.168.0.201 bcast=192.168.0.255 nmask=255.255.255.0
Administrator password:
[2003/09/08 15:15:27, 3] libads/ldap.c:ads_connect(218)
  Connected to LDAP server 192.168.0.200
[2003/09/08 15:15:27, 3] libads/ldap.c:ads_server_info(1877)
  got ldap server name win2003srv@SAMBA30.TEST, using bind path: dc=SAMBA30,dc=TEST
[2003/09/08 15:15:27, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
  got OID=1 2 840 48018 1 2 2
[2003/09/08 15:15:27, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
  got OID=1 2 840 113554 1 2 2
[2003/09/08 15:15:27, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
  got OID=1 2 840 113554 1 2 2 3
[2003/09/08 15:15:27, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
  got OID=1 3 6 1 4 1 311 2 2 10
[2003/09/08 15:15:27, 3] libads/sasl.c:ads_sasl_spnego_bind(191)
  got principal=win2003srv$@SAMBA30.TEST
[2003/09/08 15:15:27, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No credentials cache found)
[2003/09/08 15:15:27, 3] libads/ldap.c:ads_workgroup_name(1969)
  Found alternate name 'SAMBA30' for realm 'SAMBA30.TEST'
Using short domain name -- SAMBA30
Joined 'SAMBA30SRV' to realm 'SAMBA30.TEST'
[2003/09/08 15:15:27, 2] utils/net.c:main(758)
  return code = 0
[root@samba30srv source]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@samba30srv source]#
*** SNAP ***

Of course, winbindd throws errors without Kerberos 5 credentials:

*** SNIP ***
[2003/09/08 11:43:59, 1] nsswitch/winbindd_util.c:add_trusted_domain(149)
  Added domain SAMBA30 SAMBA30.TEST
[2003/09/08 11:43:59, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No credentials cache found)
*** SNAP ***

Any suggestions?

Cheers,
Axel.