Steve Langasek wrote:
> Your original bug report doesn't mention problems when joining a member
> server to the domain with 'net join', it talks about problems when joining
> the PDC to the domain with 'net join'. In fact, you said that your member
> servers that were joined did not have problems. Can you explain again what
> problem you're having with the member servers?
>

Of course! The problem is a little confusing, so perhaps I am wrong in some aspects.

I have machine M1 hosting Samba PDC and Heimdal Kerberos with an OpenLDAP backend for Heimdal and Samba.
I have machine M2 hosting CIFS shares (Samba Member), and it joins the domain hosted by Samba PDC M1.
I have machine M3 used as a CIFS client.

On M1, I have added users and cifs/host service principals for M2. I also added the service principal to the keytab file on M2 for M2.

When I create the cifs/host service principals on M1 for M2, and create the keytab file on M2 for M2, M3 accesses M2 through Kerberos authentication without problems.

The problem begins when M2 joins the Samba PDC M1 domain with the command 'net join'.

Is that clear to you now?

Here are the relevant logs for a successful Kerberos authentication (i.e., without joining the domain), M3 accessing M2 through Kerberos authentication:

[2009/03/14 00:40:53, 1] libads/kerberos_verify.c:ads_secrets_verify_ticket(240)
  ads_secrets_verify_ticket: failed to fetch machine password
[2009/03/14 00:40:53, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(143)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab succeeded for principal cifs/[email protected]
[2009/03/14 00:40:53, 3] libads/kerberos_verify.c:ads_verify_ticket(500)
  ads_verify_ticket: did not retrieve auth data. continuing without PAC
[2009/03/14 00:40:53, 3] smbd/sesssetup.c:reply_spnego_kerberos(356)
  Ticket name is [[email protected]]
[2009/03/14 00:40:53, 3] smbd/sesssetup.c:reply_spnego_kerberos(430)
  Could not find short name: WBC_ERR_WINBIND_NOT_AVAILABLE
[2009/03/14 00:40:53, 5] lib/username.c:Get_Pwnam_alloc(133)
  Finding user CFS.ISST+sachs

And, lastly, here is the log of a failed Kerberos authentication (i.e., once M2 has joined the Samba PDC M1 domain), M3 accessing M2 through Kerberos authentication:

[2009/03/14 00:49:21, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2009/03/14 00:49:21, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(171)
  ads_keytab_verify_ticket: krb5_rd_req failed for all 36 matched keytab principals
[2009/03/14 00:49:21, 3] libads/kerberos_verify.c:ads_verify_ticket(458)
  ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in request)
[2009/03/14 00:49:21, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2009/03/14 00:49:21, 3] smbd/error.c:error_packet_set(61)
  error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

>
>> The page has the setup of Samba PDC with Kerberos authentication,
>> for Debian Etch, stable setup: http://eduardosachs.org/mediawiki/
>>
>
> Ok - I guess the description of the problem is here:
>
> http://eduardosachs.org/mediawiki/index.php?title=Heimdal_Kerberos_%2B_Samba_PDC_%2B_OpenLDAP_%2B_Squid_no_Debian_Lenny_(em_construção_-_NÃO_USAR_-_COM_BUG)#.2A.2A.2A_ATEN.C3.87.C3.83O.21.21.21_AVISO_IMPORTANTE.21.21.21_.2A.2A.2A
>
> I'll try to reproduce the bug based on this description.
>

OK! I have an automatic installation script for Samba PDC with Heimdal Kerberos for Debian Lenny, and a script for configuring the Samba Member. Do you want these scripts?

> Thanks,
>

Thank you very much!!
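Added example (not part of the original message and not Samba code): a small Python triage helper that reads smbd log text in the header-plus-message layout quoted above and reports, per timestamp, how the secrets-based and keytab-based ticket verification paths ended and which NT status was returned. The sample log is constructed from the excerpts in this message with a placeholder principal; the function names and grouping by timestamp are assumptions.

```python
import re

# smbd header line: [date time, level] file:function(line); the message follows.
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s+\d+\]\s+[\w/.]+:(?P<func>\w+)\(\d+\)\s*$")

# Constructed sample, modelled on the excerpts above; the principal is a placeholder.
SAMPLE = """\
[2009/03/14 00:40:53, 1] libads/kerberos_verify.c:ads_secrets_verify_ticket(240)
  ads_secrets_verify_ticket: failed to fetch machine password
[2009/03/14 00:40:53, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(143)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab succeeded for principal cifs/m2.example.test@EXAMPLE.TEST
[2009/03/14 00:49:21, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2009/03/14 00:49:21, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(171)
  ads_keytab_verify_ticket: krb5_rd_req failed for all 36 matched keytab principals
[2009/03/14 00:49:21, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
"""

def parse_records(text):
    """Yield (timestamp, function, message) for every header + message block."""
    current = None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            if current:
                yield current[0], current[1], " ".join(current[2])
            current = (m["ts"], m["func"], [])
        elif current and raw.strip():
            current[2].append(raw.strip())
    if current:
        yield current[0], current[1], " ".join(current[2])

def triage(text):
    """Per timestamp (assumption: one attempt per second), report each path's outcome."""
    out = {}
    for ts, func, msg in parse_records(text):
        entry = out.setdefault(ts, {"secrets": None, "keytab": None, "status": None})
        if func == "ads_secrets_verify_ticket":
            if "failed to fetch machine password" in msg:
                entry["secrets"] = "no machine password"
            elif "failed to decrypt" in msg:
                entry["secrets"] = "decrypt failed"
        elif func == "ads_keytab_verify_ticket":
            if "succeeded" in msg:
                entry["keytab"] = "ok"
            elif "failed" in msg:
                entry["keytab"] = "failed"
        elif func == "reply_spnego_kerberos" and "NT_STATUS_" in msg:
            entry["status"] = re.search(r"NT_STATUS_\w+", msg).group(0)
    return out
```

Run over a level 3 smbd log from before and after 'net join', the two summaries make it visible whether a stored machine password is now being tried and whether any keytab entry still decrypts the ticket.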

