I've spent the last week troubleshooting a configuration issue regarding samba not being able to connect to other domains besides the domain of which it's a member server (samba 3.0.14a, krb 1.3.6, w2k).

I have some doubts perhaps someone can answer...

Suppose this scenario:

Samba name : SAMBA
Main domain: DOMAINA (domain controller = DCA)
Other domains : DOMAINB, DOMAINC (domain controllers DCB and DCC)

1) When samba tries to connect via kerberos to other domains, which principal is it supposed to use? I'd think it is SAMBA$@DOMAINA. What I see is that it first connects via LDAP using this machine account but then tries to connect via kerberos with DCB$@DOMAINB or DCC$@DOMAINC. Is this correct or am I not understanding the logfiles correctly?

2) Is wbinfo --set-auth-user still needed? I'm not using it because I read somewhere that with 3.0+ it is not needed anymore.

3) My krb5.conf doesn't contain any references to servers. All it contains is dns_lookup_realm=true, dns_lookup_kdc=true and default_realm=XXXXX. Do I need anything specific or can current krb5 obtain everything it needs from the DNS?

4) Do I need to do the ktpass thing at the windows DC? Documentation doesn't say I should, but I keep reading on the web examples of importing the data into the keytab.

Thanks. I already posted my log files some days ago trying to find some specific help, but probably my post was unnecessarily complicated. Perhaps if anyone can answer these more generic questions I can advance a step in the resolution of the problem.

Regards,
Martin
marpon@marpon.com.ar wrote:
| I've spent the last week troubleshooting a configuration issue regarding
| samba not being able to connect to other domains besides the domain of which
| it's a member server (samba 3.0.14a, krb 1.3.6, w2k).
|
| I have some doubts perhaps someone can answer...
|
| Suppose this scenario:
|
| Samba name : SAMBA
| Main domain: DOMAINA (domain controller = DCA)
| Other domains : DOMAINB, DOMAINC (domain controllers DCB and DCC)
|
| 1) When samba tries to connect via kerberos to other
| domains, which principal is it supposed to use? I'd think
| it is SAMBA$@DOMAINA. What I see is that it first connects
| via LDAP using this machine account but then tries to connect
| via kerberos with DCB$@DOMAINB or DCC$@DOMAINC. Is this
| correct or am I not understanding the logfiles correctly?

It should be obtaining a service for DCC$@DOMAINC. That's probably what you are seeing.

| 2) Is wbinfo --set-auth-user still needed? I'm not using
| it because I read somewhere that with 3.0+ it is not needed
| anymore.

Generally it is not needed. Certainly not when all the domains are AD and the Samba host is configured with 'security = ads'.

| 3) My krb5.conf doesn't contain any references to
| servers. All it contains is dns_lookup_realm=true,
| dns_lookup_kdc=true and default_realm=XXXXX. Do I
| need anything specific or can current krb5 obtain everything
| it needs from the DNS?

DNS is fine. That's how I run. Make sure that the appropriate SRV records are in DNS though.

| 4) Do I need to do the ktpass thing at the windows DC?

Nope. It is all handled by the AD trusts.

Hope this helps.

cheers, jerry
====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back." Ethan Hawk in Gattaca
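Jerry's answer to question 3 hinges on the SRV records being present before krb5 is left to find KDCs via dns_lookup_kdc. The script below is an added example (not from the thread or the Samba project) that lists the SRV names an AD member looks up for a realm and parses `dig +short SRV` answers to report which are missing; the realm DOMAINA.EXAMPLE, host dca.domaina.example and the dig output are constructed for the example.

```python
"""Verify the DNS SRV records a Kerberos/AD client needs when krb5.conf
relies on dns_lookup_kdc = true (example; realm and answers are constructed)."""
import re
import subprocess

# SRV names an AD domain publishes and a member host looks up.
REQUIRED = ("_kerberos._tcp", "_kerberos._udp", "_ldap._tcp", "_kpasswd._tcp")

# One `dig +short SRV` answer line: "priority weight port target."
SRV_LINE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")


def srv_names(realm):
    """Query names for a realm, e.g. _kerberos._tcp.domaina.example."""
    return [f"{svc}.{realm.lower()}" for svc in REQUIRED]


def parse_srv(short_output):
    """Parse `dig +short SRV` output into (priority, weight, port, host) tuples."""
    records = []
    for line in short_output.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            records.append((int(m[1]), int(m[2]), int(m[3]), m[4].lower()))
    return records


def check_realm(realm, lookup):
    """Map each query name to its parsed records; an empty list means missing."""
    return {name: parse_srv(lookup(name)) for name in srv_names(realm)}


def missing(results):
    """Sorted list of query names that returned no SRV record."""
    return sorted(name for name, recs in results.items() if not recs)


def dig_lookup(name):
    """Live resolver using `dig +short SRV <name>` (not used offline)."""
    return subprocess.run(["dig", "+short", "SRV", name],
                          capture_output=True, text=True, check=False).stdout


# Constructed answers standing in for dig: the KDC and LDAP records exist,
# but the realm publishes no _kpasswd._tcp record.
SAMPLE = {
    "_kerberos._tcp.domaina.example": "0 100 88 dca.domaina.example.\n",
    "_kerberos._udp.domaina.example": "0 100 88 dca.domaina.example.\n",
    "_ldap._tcp.domaina.example": "0 100 389 dca.domaina.example.\n",
}

if __name__ == "__main__":
    for name, recs in check_realm("DOMAINA.EXAMPLE", lambda n: SAMPLE.get(n, "")).items():
        print(name, recs or "MISSING")
```

Against a live domain, pass `dig_lookup` instead of the sample dictionary; each missing name is one lookup krb5 or winbind will fail when no kdc or ldap servers are listed in krb5.conf.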
Thanks Jerry, that's very useful information.

The particular problem I am facing is that when samba tries to connect to another domain, kerberos can't find the principal, as in this example:

libads/sasl.c:ads_sasl_spnego_bind(211) ads_sasl_spnego_bind: got server principal name =sarswdc3$@SIDERAR.TECHINT.NET
libsmb/clikrb5.c:ads_krb5_mk_req(389) ads_krb5_mk_req: krb5_get_credentials failed for sarswdc3$@SIDERAR.TECHINT.NET (Server not found in Kerberos database)
nsswitch/winbindd_ads.c:ads_cached_connection(81) ads_connect for domain SIDERAR failed: Server not found in Kerberos database

What I understand is that the principal sarswdc3$ doesn't exist. If I try to kinit sardwdc3$@SIDERAR.TECHINT.NET it consequently fails. The thing I don't understand is why, if I kinit sardwdc3@SIDERAR.TECHINT.NET (note the absence of the dollar sign), it finds it (I mean, it prompts for a password).

Any ideas I can try or anything further I can watch?

Best regards,
Martin
--
Martin Arpon

Original Message:
-----------------
From: Gerald (Jerry) Carter jerry@samba.org
Date: Wed, 06 Jul 2005 08:07:38 -0500
To: marpon@marpon.com.ar, samba@lists.samba.org
Subject: Re: [Samba] Questions regarding ADS