thr3ads.net - samba - FW: [Samba] Followup Restricting to a subset of the domain controllers on a site [Jun 2007]

If this information is useful, please help other people find it:
Share via:

Wayne Rasmussen

2007-Jun-03 22:58 UTC

FW: [Samba] Followup Restricting to a subset of the domain controllers on a site

-----Original Message-----
From: Wayne Rasmussen 
Sent: Friday, June 01, 2007 11:01 AM
To: 'Gerald (Jerry) Carter'
Subject: RE: [Samba] Followup Restricting to a subset of the domain
controllers on a site

Noticed a couple of changes with Samba-3.0.25 and wondered if I am doing
something wrong or if it is a side-effect.
attached three files: smb.conf, samba-3.0.10.log, samba-3.0.25.log

Compiled the new samba-3.0.25 release to replace our previous
samba-3.0.10
on a Solaris 9 server.  The AD Domain Controller is a Windows 2000
system
and is on my test lab.  Testing it before putting it in the production
environment.

Our samba startup scripts basically run as follows:

/usr/local/bin/kinit  stevelongname@ADTEST.COM < /etc/DII.kinitkey
#where /etc/DII.kinitkey is the password for stevelongname@ADTEST.COM
#we can't get a keytab file in the real world situation.
/usr/local/samba/bin/net ads join
/usr/sfw/sbin/smbd -D
/usr/sfw/sbin/nmbd -D
/usr/local/samba/sbin/winbindd -B

We have been using the above proceedure for 3+ years.

Problems/Issues:

#1) With Samba-3.0.25, when /usr/local/samba/bin/net ads join runs we
are now getting a prompt for a password.  This can be seen in the file
samba-3.0.25.log as:
Password for stevelongname@ADTEST.COM:
Password:

If I type in the password for stevelongname@ADTEST.COM, we get the
following
error message: 
[2007/05/31 14:00:02, 0]
libsmb/cliconnect.c:cli_session_setup_spnego(853)
  Kinit failed: Client not found in Kerberos database
Failed to join domain: Improperly formed account name

If I just hit return it continues. This is what I did in the
samba-3.0.25.log.
Any ideas why this happens now?

#2)  klist shows a difference between samba-3.0.10 and samba-3.0.25.

Samba-3.0.10 has the following:
Valid starting     Expires            Service principal
05/30/07 19:20:14  05/31/07 05:20:14  krbtgt/ADTEST.COM@ADTEST.COM
   renew until 05/31/07 19:20:14
05/30/07 19:20:14  05/31/07 05:20:14  adtestserver01$@ADTEST.COM
   renew until 05/31/07 19:20:14
05/30/07 19:20:14  05/31/07 05:20:14  kadmin/changepw@ADTEST.COM
   renew until 05/31/07 19:20:14

Samba-3.0.25 has the following:
Valid starting     Expires            Service principal
05/31/07 13:38:31  05/31/07 23:38:31  krbtgt/ADTEST.COM@ADTEST.COM
   renew until 06/01/07 13:38:31
05/31/07 13:38:32  05/31/07 23:38:31  adtestserver01$@ADTEST.COM
   renew until 06/01/07 13:38:31

Does this matter?  is kadmin/changepw@ADTEST.COM required?

Thank you for your time and effort on this!
Wayne

Gerald (Jerry) Carter

2007-Jun-04 16:20 UTC

head link

FW: [Samba] Followup Restricting to a subset of the domain controllers on a site

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Wayne Rasmussen wrote:> 
> #1) With Samba-3.0.25, when /usr/local/samba/bin/net ads 
> join runs we are now getting a prompt for a password.
> This can be seen in the file samba-3.0.25.log as:
> Password for stevelongname@ADTEST.COM:
> Password:
> 
> If I type in the password for stevelongname@ADTEST.COM, we get the
> following
> error message: 
> [2007/05/31 14:00:02, 0]
> libsmb/cliconnect.c:cli_session_setup_spnego(853)
>   Kinit failed: Client not found in Kerberos database
> Failed to join domain: Improperly formed account name
File a bug for me.  This is probably mine.
> #2)  klist shows a difference between samba-3.0.10 and samba-3.0.25.
> 
> Samba-3.0.10 has the following:
> Valid starting     Expires            Service principal
> 05/30/07 19:20:14  05/31/07 05:20:14  krbtgt/ADTEST.COM@ADTEST.COM
>    renew until 05/31/07 19:20:14
> 05/30/07 19:20:14  05/31/07 05:20:14  adtestserver01$@ADTEST.COM
>    renew until 05/31/07 19:20:14
> 05/30/07 19:20:14  05/31/07 05:20:14  kadmin/changepw@ADTEST.COM
>    renew until 05/31/07 19:20:14
> 
> Samba-3.0.25 has the following:
> Valid starting     Expires            Service principal
> 05/31/07 13:38:31  05/31/07 23:38:31  krbtgt/ADTEST.COM@ADTEST.COM
>    renew until 06/01/07 13:38:31
> 05/31/07 13:38:32  05/31/07 23:38:31  adtestserver01$@ADTEST.COM
>    renew until 06/01/07 13:38:31
> 
> Does this matter?  is kadmin/changepw@ADTEST.COM required?
The list of tickets is fine.  The join procedure change in 3.0.23
or so IIRC



- --
cheers, jerry
====================================================================Samba       
------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGZDvbIR7qMdg1EfYRAvh4AKDBjN4ngREi7SW9Mho2e+++ZH0jzgCg9GTC
czviVamdY8FNBAhgr+2XlBM=Vknt
-----END PGP SIGNATURE-----

Reasonably Related Threads

Search for more apparently analagous threads

samba - Jun 2007 - FW: Followup Restricting to a subset of the domain controllers on a site

FW: [Samba] Followup Restricting to a subset of the domain controllers on a site

FW: [Samba] Followup Restricting to a subset of the domain controllers on a site

Reasonably Related Threads