On Tue, 12 Apr 2011, Alain Péan wrote:
On 12/04/2011 22:03, John Hodrien wrote:
On Tue, 12 Apr 2011, Alain Péan wrote:
Indeed, nothing fails now. I want my users to authenticate against Active Directory, and it works, and I would like them to be able to use their kerberos credentials, if they need, to access domain resources, such as shares. But I have yet to see a problem there.
Thanks again for your help and your comments!
So is it all working after taking out the ldap auth? With it in you'll not be generating kerberos tickets if there's anything wrong with your kerberos setup.
jh
No, you are right, things do not work as I expect. When I disable ldapauth, I cannot authenticate. So kerberos is not working. I have kerberos error messages with samba when I try to join the AD domain with net ads join. But net rpc join succeeds.
# net ads join -U pean -d3
....
[2011/04/12 22:19:45.797972, 3] libads/sasl.c:790(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got server principal name = pc-2003-test$@TEST-LPP.LOCAL
[2011/04/12 22:19:45.798331, 3] libsmb/clikrb5.c:698(ads_krb5_mk_req)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2011/04/12 22:19:45.811493, 1] libsmb/clikrb5.c:710(ads_krb5_mk_req)
  ads_krb5_mk_req: smb_krb5_get_credentials failed for pc-2003-test$@TEST-LPP.LOCAL (Cannot find ticket for requested realm)
....
Why 'no credential cache found'? I would like to solve this annoying problem. Why is it no longer working after upgrading to 5.6?
I'm afraid you've cooked my brain with all the realms you've mentioned, so I'm not entirely clear what's going on.
It's complaining about your kdc.
Is pc-2003-test the KDC for the TEST-LPP.LOCAL realm, or is it KDC for the LAB-LPP.LOCAL realm? Is its FQDN pc-2003-test.test-lpp.local?
Without worrying about the join, does 'kinit <username>' work?
jh