Wayne Rasmussen
2007-Jun-03 22:58 UTC
FW: [Samba] Followup Restricting to a subset of the domain controllers on a site
-----Original Message-----
From: Wayne Rasmussen
Sent: Friday, June 01, 2007 11:01 AM
To: 'Gerald (Jerry) Carter'
Subject: RE: [Samba] Followup Restricting to a subset of the domain controllers on a site

Noticed a couple of changes with Samba-3.0.25 and wondered if I am doing something wrong or if it is a side-effect.

attached three files: smb.conf, samba-3.0.10.log, samba-3.0.25.log

Compiled the new samba-3.0.25 release to replace our previous samba-3.0.10 on a Solaris 9 server. The AD Domain Controller is a Windows 2000 system and is on my test lab. Testing it before putting it in the production environment.

Our samba startup scripts basically run as follows:

    /usr/local/bin/kinit stevelongname@ADTEST.COM < /etc/DII.kinitkey
    #where /etc/DII.kinitkey is the password for stevelongname@ADTEST.COM
    #we can't get a keytab file in the real world situation.
    /usr/local/samba/bin/net ads join
    /usr/sfw/sbin/smbd -D
    /usr/sfw/sbin/nmbd -D
    /usr/local/samba/sbin/winbindd -B

We have been using the above procedure for 3+ years.

Problems/Issues:

#1) With Samba-3.0.25, when /usr/local/samba/bin/net ads join runs we are now getting a prompt for a password. This can be seen in the file samba-3.0.25.log as:

    Password for stevelongname@ADTEST.COM:
    Password:

If I type in the password for stevelongname@ADTEST.COM, we get the following error message:

    [2007/05/31 14:00:02, 0] libsmb/cliconnect.c:cli_session_setup_spnego(853)
    Kinit failed: Client not found in Kerberos database
    Failed to join domain: Improperly formed account name

If I just hit return it continues. This is what I did in the samba-3.0.25.log. Any ideas why this happens now?

#2) klist shows a difference between samba-3.0.10 and samba-3.0.25.

Samba-3.0.10 has the following:

    Valid starting     Expires            Service principal
    05/30/07 19:20:14  05/31/07 05:20:14  krbtgt/ADTEST.COM@ADTEST.COM
            renew until 05/31/07 19:20:14
    05/30/07 19:20:14  05/31/07 05:20:14  adtestserver01$@ADTEST.COM
            renew until 05/31/07 19:20:14
    05/30/07 19:20:14  05/31/07 05:20:14  kadmin/changepw@ADTEST.COM
            renew until 05/31/07 19:20:14

Samba-3.0.25 has the following:

    Valid starting     Expires            Service principal
    05/31/07 13:38:31  05/31/07 23:38:31  krbtgt/ADTEST.COM@ADTEST.COM
            renew until 06/01/07 13:38:31
    05/31/07 13:38:32  05/31/07 23:38:31  adtestserver01$@ADTEST.COM
            renew until 06/01/07 13:38:31

Does this matter? Is kadmin/changepw@ADTEST.COM required?

Thank you for your time and effort on this!

Wayne

Gerald (Jerry) Carter
2007-Jun-04 16:20 UTC
FW: [Samba] Followup Restricting to a subset of the domain controllers on a site
Wayne Rasmussen wrote:
>
> #1) With Samba-3.0.25, when /usr/local/samba/bin/net ads
> join runs we are now getting a prompt for a password.
> This can be seen in the file samba-3.0.25.log as:
> Password for stevelongname@ADTEST.COM:
> Password:
>
> If I type in the password for stevelongname@ADTEST.COM, we get the
> following
> error message:
> [2007/05/31 14:00:02, 0]
> libsmb/cliconnect.c:cli_session_setup_spnego(853)
> Kinit failed: Client not found in Kerberos database
> Failed to join domain: Improperly formed account name

File a bug for me. This is probably mine.

> #2) klist shows a difference between samba-3.0.10 and samba-3.0.25.
>
> Samba-3.0.10 has the following:
> Valid starting Expires Service principal
> 05/30/07 19:20:14 05/31/07 05:20:14 krbtgt/ADTEST.COM@ADTEST.COM
> renew until 05/31/07 19:20:14
> 05/30/07 19:20:14 05/31/07 05:20:14 adtestserver01$@ADTEST.COM
> renew until 05/31/07 19:20:14
> 05/30/07 19:20:14 05/31/07 05:20:14 kadmin/changepw@ADTEST.COM
> renew until 05/31/07 19:20:14
>
> Samba-3.0.25 has the following:
> Valid starting Expires Service principal
> 05/31/07 13:38:31 05/31/07 23:38:31 krbtgt/ADTEST.COM@ADTEST.COM
> renew until 06/01/07 13:38:31
> 05/31/07 13:38:32 05/31/07 23:38:31 adtestserver01$@ADTEST.COM
> renew until 06/01/07 13:38:31
>
> Does this matter? is kadmin/changepw@ADTEST.COM required?

The list of tickets is fine. The join procedure changed in 3.0.23 or so IIRC

--
cheers, jerry
====================================================================
Samba ------- samba.org
Centeris ----------- centeris.com
"What man is a man who does not make the world better?" --Balian
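
The klist comparison from question #2, as an added example that is not part of either message: a Python parser for the two listings quoted in the thread (column spacing reconstructed) that reports which service principals appear on only one side and whether any ticket lifetime changed. The function names and the 60-second tolerance are assumptions made for this example.

```python
import re
from datetime import datetime

# klist listings quoted in the thread; column spacing reconstructed.
KLIST_3_0_10 = """Valid starting     Expires            Service principal
05/30/07 19:20:14  05/31/07 05:20:14  krbtgt/ADTEST.COM@ADTEST.COM
        renew until 05/31/07 19:20:14
05/30/07 19:20:14  05/31/07 05:20:14  adtestserver01$@ADTEST.COM
        renew until 05/31/07 19:20:14
05/30/07 19:20:14  05/31/07 05:20:14  kadmin/changepw@ADTEST.COM
        renew until 05/31/07 19:20:14
"""
KLIST_3_0_25 = """Valid starting     Expires            Service principal
05/31/07 13:38:31  05/31/07 23:38:31  krbtgt/ADTEST.COM@ADTEST.COM
        renew until 06/01/07 13:38:31
05/31/07 13:38:32  05/31/07 23:38:31  adtestserver01$@ADTEST.COM
        renew until 06/01/07 13:38:31
"""

STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")
FMT = "%m/%d/%y %H:%M:%S"

def parse_klist(text):
    """Map each service principal to its ticket lifetime in seconds."""
    tickets = {}
    for line in text.splitlines():
        m = TICKET.match(line.strip())
        if m is None:
            continue  # column header or "renew until" continuation line
        start, end, principal = m.groups()
        life = datetime.strptime(end, FMT) - datetime.strptime(start, FMT)
        tickets[principal] = life.total_seconds()
    return tickets

def compare_caches(old_text, new_text, tolerance=60):
    """Report principals present on one side only and lifetime changes."""
    old, new = parse_klist(old_text), parse_klist(new_text)
    return {
        "only_old": sorted(old.keys() - new.keys()),
        "only_new": sorted(new.keys() - old.keys()),
        "lifetime_changed": sorted(
            p for p in old.keys() & new.keys()
            if abs(old[p] - new[p]) > tolerance),
    }

if __name__ == "__main__":
    print(compare_caches(KLIST_3_0_10, KLIST_3_0_25))
```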