On Wed, 13 Apr 2011, Alain Péan wrote:
Hi John,
There are only two realms I mentionned, LAB-LPP.LOCAL, and
TEST-LPP.LOCAL. I am currently doing test with the latter, and indeed,
pc-2003-test is the AD DC, so the KDC for TEST-LPP.LOCAL. The fdqn is
also pc-2003-test.test-lpp.local.
'kinit <username>' works,
[root@centos-test etc]# kinit pean
Password for pean@xxxxxxxxxxxxxx:
[root@centos-test etc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: pean@xxxxxxxxxxxxxx
Valid starting Expires Service principal
04/13/11 11:41:09 04/13/11 18:21:09 krbtgt/TEST-LPP.LOCAL@xxxxxxxxxxxxxx
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
But nevertheless, it is asking for password when I issue the 'net ads
join -U pean' command...
As you understood, my KDC server is a windows 2003 R2 Active directory
server. I don't understand where it is looking for the credentials. I
tried to create the krb5.keytab with ktpass on the windows server, and
replace the one on the centos-test, but it does not work either. There
is something, perhaps obvious, I miss. I also tried with 'validate =
true' in /etc/krb5.conf, but with no success.
Have you tried with validate = false?
I'd expect that to work, but it's not what you want to be doing long term.
I found also that there is a 'krb5.conf.TEST-LPP' file in
/var/lib/samba/smb_krb5, and this one is certainly used by samba (I
replaced old version with samba3x, 3.5.4, and put 'kerberos method =
secrets and keytab', instead of 'use kerberos keytab = true' that I used
previously.
Does that config file conflict in any way with the system krb5.conf?
I don't know if you have, or anyone else, an idea ?
Ah, I'm using samba-common-3.0.33 for the join not samba3x, so there's
possibly some subtle differences.
The join is reliant on /etc/samba/smb.conf (and presumably that
krb5.conf.TEST-LPP) though, so you'd need to double check that's all correct.
jh
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
