Hi

I've got problems getting things to work here..

The setup:
AD: W2008R1
client: Ubuntu 10.04 (lucid alpha2), with samba 3.4.3, MIT 1.7

I get an error when joining the domain, and when trying to kinit using the machine principal with any other name than HOST$ (and that worked only after forcing the crypto to des-cbc-crc):

nexus6 etc # net ads join -W ORG.AALTO.FI -U wa.aaltonen
Enter wa.aaltonen's password:
Using short domain name -- AALTO
Joined 'NEXUS6' to realm 'org.aalto.fi'
[2010/01/21 10:49:35, 0] libads/kerberos.c:332(ads_kinit_password)
  kerberos_kinit_password NEXUS6$@ORG.AALTO.FI failed: Client not found in Kerberos database

nexus6 etc # klist -k
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/nexus6.org.aalto.fi@ORG.AALTO.FI
   2 host/nexus6.org.aalto.fi@ORG.AALTO.FI
   2 host/nexus6.org.aalto.fi@ORG.AALTO.FI
   2 host/nexus6@ORG.AALTO.FI
   2 host/nexus6@ORG.AALTO.FI
   2 host/nexus6@ORG.AALTO.FI
   2 NEXUS6$@ORG.AALTO.FI
   2 NEXUS6$@ORG.AALTO.FI
   2 NEXUS6$@ORG.AALTO.FI

nexus6 etc # kinit -k NEXUS6$@ORG.AALTO.FI
kinit: Client not found in Kerberos database while getting initial credentials

nexus6 etc # kinit -k NEXUS6$
nexus6 etc # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: NEXUS6$@ORG.AALTO.FI

Valid starting     Expires            Service principal
01/21/10 11:00:13  01/21/10 21:00:13  krbtgt/ORG.AALTO.FI@ORG.AALTO.FI
        renew until 01/22/10 11:00:13

I've been pulling my hair because of this... Would W2008 R2 help? We can't upgrade yet though, since the backup software doesn't support it atm.

Here's the smb.conf and krb5.conf. Note that I'm trying to use sssd instead of winbind, but it fails to do a sasl bind because of invalid creds, so there has to be something wrong in the kerberos setup. Funny that the same-ish krb5.conf works just fine on Solaris.

#### krb5.conf
[libdefaults]
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
    default_realm = ORG.AALTO.FI
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = true

[realms]
    ORG.AALTO.FI = {
        kdc = dc01.org.aalto.fi
        kdc = dc02.org.aalto.fi
        kdc = dc03.org.aalto.fi
        kdc = dc04.org.aalto.fi
        kdc = dca01.org.aalto.fi
        kdc = dca02.org.aalto.fi
        kdc = dct01.org.aalto.fi
        kdc = dct02.org.aalto.fi
        kpasswd_server = dc01.org.aalto.fi
        kpasswd_protocol = SET_CHANGE
        admin_server = dc01.org.aalto.fi
    }

[domain_realm]
    .org.aalto.fi = ORG.AALTO.FI

[appdefaults]
    kinit = {
        renewable = true
        forwardable = true
    }

##### smb.conf
[global]
    workgroup = AALTO
    realm = ORG.AALTO.FI
    security = ads
    kerberos method = system keytab
    winbind use default domain = yes