On Mon, Jul 30, 2018 at 09:24:46AM +1200, Andrew Bartlett
wrote:> On Sun, 2018-07-29 at 22:14 +0100, Phillip Potter wrote:
> > On Sat, Jul 28, 2018 at 11:40:26AM +1200, Andrew Bartlett wrote:
> > > On Sat, 2018-07-28 at 00:10 +0100, Phillip Potter via samba
wrote:
> > > > Dear All,
> > > >
> > > > I have recently setup a completely new AD domain on my Linux
server, running Samba 4.8.3. From the server, I can authenticate via kerberos
and get users and groups through winbind etc. When I try to join a freshly
installed Mac running macOS 10.13.6, I receive the error:
> > > > "Unable to add server. Authentication server failed to
completed the requested operation. (5103)"
> > > >
> > > > The Mac has a local IP address of 192.168.0.107, and its
hostname is set to potterbook.
> > > >
> > > > On the Mac, no log entries at all occur to indicate what
this might be.
> > > >
> > > > On the Linux machine, the only logs that seem to get written
are in /var/log/samba/mit_kdc.log:
> > >
> > > Did you build Samba with MIT Kerberos support or use package so
built?
> > > If not, then perhaps you have the wrong KDC started, just start
Samba
> > > and it will handle the rest.
> > >
> > > If that isn't it, try re-building the AD DC without MIT
Kerberos, we
> > > have some reports of issues in this area, and it would provide a
point
> > > of comparison we can investigate.
> > >
> > > Thanks,
> > >
> > > Andrew Bartlett
> > > --
> > > Andrew Bartlett http://samba.org/~abartlet/
> > > Authentication Developer, Samba Team http://samba.org
> > > Samba Developer, Catalyst IT
http://catalyst.net.nz/services/samba
> > >
> >
> > Dear Andrew,
> >
> > I built Samba 4.8.3 from scratch on a fresh Fedora 28 VM, without MIT
kerberos but keeping all other dependencies at the same version as with the
packaged version, and I can confirm the Mac joins to a newly provisioned AD on
it with no issues. Would you like me to provide logs for future reference?
>
> Thanks. Please file a bug and attach any logs you can.
>
> I've also CC'ed Andreas, who is a leading developer on the MIT KDC
> effort.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team https://samba.org
> Samba Development and Support, Catalyst IT
> https://catalyst.net.nz/services/samba
>
>
>
>
Sorry to be a pain, but I'm unable to report the bug as I've yet to
receive a reply from the bugzilla-maintenance at samba.org address containing
account details to allow me to file it. I e-mailed using the address I am using
now, which I currently host with gmail, but I figured the warning about
disposable mail providers would not apply as I am using my own domain? Anyhow,
still happy to report this if someone can act on this. Many thanks.
Regards,
Phil Potter