On Mon, 2013-02-18 at 16:52 -0300, Friedrich Locke wrote:
> Dear list members,
>
> I am trying to get ldap + samba + kerberos working and have tried to
> make the proper configuration.
> Integrating samba + ldap was pretty easy, but getting kerberos to work
> seems a nightmare.
>
> Here is what I tried (copied and pasted from my link client):
>
> harley@802-1x:/etc/samba$ kdestroy
> harley@802-1x:/etc/samba$ kinit
> harley@UFV.BR's Password:
> harley@802-1x:/etc/samba$ klist
> Credentials cache: FILE:/tmp/krb5cc_1000
>         Principal: harley@UFV.BR
>
>   Issued                Expires               Principal
> Feb 18 15:53:33 2013  Feb 18 19:53:33 2013  krbtgt/UFV.BR@UFV.BR
> harley@802-1x:/etc/samba$ smbclient //802-1x.cpd.ufv.br/printers -k
> session setup failed: NT_STATUS_LOGON_FAILURE
> harley@802-1x:/etc/samba$ klist
> Credentials cache: FILE:/tmp/krb5cc_1000
>         Principal: harley@UFV.BR
>
>   Issued                Expires               Principal
> Feb 18 15:53:33 2013  Feb 18 19:53:33 2013  krbtgt/UFV.BR@UFV.BR
> Feb 18 15:53:44 2013  Feb 18 19:53:33 2013  cifs/802-1x.cpd.ufv.br@UFV.BR
> harley@802-1x:/etc/samba$
>
> We can see that smbclient is fetching the ticket for the cifs service.
> But why NT_STATUS_LOGON_FAILURE?
> Nothing appears in the smbd logs.

How is samba connected to the krb5 realm? What configuration options
have you set to make it use a keytab?

That all said, this kind of frustration is why I worked so hard on Samba
4.0 as an AD DC, because it provides the server-side integration of
LDAP, Kerberos and the Domain protocols that allow Samba and Windows
member servers to join it, and for it to 'just work'.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
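
Added example, not part of the original thread and not Samba project code: a small check of the two things the reply asks about, the realm setting and the keytab configuration, run over smb.conf text and a list of keytab principals. The smb.conf samples, the keytab path and the host/ principal are constructed; `realm`, `kerberos method` and `dedicated keytab file` are the smb.conf(5) parameter names, and an unset `kerberos method` is assumed to mean `secrets only`.

```python
# Added example: report smb.conf [global] settings that keep smbd from
# verifying Kerberos tickets against a keytab. Sample data is constructed.
KEYTAB_METHODS = {"system keytab", "dedicated keytab", "secrets and keytab"}

def global_settings(text):
    """Parse the [global] section of smb.conf text into a dict."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            settings[" ".join(key.lower().split())] = value.strip()
    return settings

def keytab_findings(text, service_principal, keytab_principals):
    """Return a list of problems; an empty list means the checks passed."""
    g = global_settings(text)
    findings = []
    # Assumption: unset means "secrets only", the documented Samba 3.x default.
    method = g.get("kerberos method", "secrets only").lower()
    if method not in KEYTAB_METHODS:
        findings.append("kerberos method = %s: no keytab is consulted" % method)
    if method == "dedicated keytab" and not g.get("dedicated keytab file"):
        findings.append("dedicated keytab file is not set")
    if not g.get("realm"):
        findings.append("realm is not set")
    # Principal names are case-sensitive, so compare exactly.
    if service_principal not in keytab_principals:
        findings.append("keytab has no key for " + service_principal)
    return findings

CIFS = "cifs/802-1x.cpd.ufv.br@UFV.BR"   # service ticket seen in the klist output

# Constructed smb.conf: LDAP-backed passdb, nothing Kerberos-related.
BEFORE = """[global]
   security = user
   passdb backend = ldapsam:ldap://localhost
"""
# Constructed smb.conf with a keytab configured (the path is hypothetical).
AFTER = """[global]
   realm = UFV.BR
   kerberos method = dedicated keytab
   dedicated keytab file = /etc/samba/smb.keytab
"""

if __name__ == "__main__":
    for name, conf, princs in (("before", BEFORE, ["host/802-1x.cpd.ufv.br@UFV.BR"]),
                               ("after", AFTER, [CIFS])):
        print(name, keytab_findings(conf, CIFS, princs) or "ok")
```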