Le 13/04/2011 11:35, John Hodrien a écrit :
On Tue, 12 Apr 2011, Alain Péan wrote:
Le 12/04/2011 22:03, John Hodrien a écrit :
On Tue, 12 Apr 2011, Alain Péan wrote:
Indeed, nothing fails now. I want my users to authenticate against Active Directory, and it works, and I would like them to be able to use their Kerberos credentials, if they need, to access domain resources such as shares. But I have yet to see a problem there.
Thanks again for your help and your comments !
So is it all working after taking out the ldap auth? With it in you'll not be generating kerberos tickets if there's anything wrong with your kerberos setup.
jh
No, you are right, things do not work as I expect. When I disable ldapauth, I cannot authenticate. So Kerberos is not working. I have Kerberos error messages with samba when I try to join the AD domain with net ads join. But net rpc join succeeds.

# net ads join -U pean -d3
....
[2011/04/12 22:19:45.797972, 3] libads/sasl.c:790(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got server principal name = pc-2003-test$@TEST-LPP.LOCAL
[2011/04/12 22:19:45.798331, 3] libsmb/clikrb5.c:698(ads_krb5_mk_req)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2011/04/12 22:19:45.811493, 1] libsmb/clikrb5.c:710(ads_krb5_mk_req)
  ads_krb5_mk_req: smb_krb5_get_credentials failed for pc-2003-test$@TEST-LPP.LOCAL (Cannot find ticket for requested realm)
....
Why 'No credentials cache found'? I would like to solve this annoying problem. Why is it no longer working after upgrading to 5.6?
I'm afraid you've cooked my brain with all the realms you've mentioned, so I'm not entirely clear what's going on.
It's complaining about your kdc.
Is pc-2003-test the KDC for the TEST-LPP.LOCAL realm, or is it KDC for the LAB-LPP.LOCAL realm? Is its FQDN pc-2003-test.test-lpp.local?
Without worrying about the join, does 'kinit <username>' work?
jh
Hi John,
There are only two realms I mentioned, LAB-LPP.LOCAL and TEST-LPP.LOCAL. I am currently doing tests with the latter, and indeed, pc-2003-test is the AD DC, so the KDC for TEST-LPP.LOCAL. The FQDN is also pc-2003-test.test-lpp.local.
'kinit <username>' works:

[root@centos-test etc]# kinit pean
Password for pean@TEST-LPP.LOCAL:
[root@centos-test etc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: pean@TEST-LPP.LOCAL

Valid starting     Expires            Service principal
04/13/11 11:41:09  04/13/11 18:21:09  krbtgt/TEST-LPP.LOCAL@TEST-LPP.LOCAL

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
But nevertheless, it is asking for a password when I issue the 'net ads join -U pean' command...
As you understood, my KDC server is a Windows 2003 R2 Active Directory server. I don't understand where it is looking for the credentials. I tried to create the krb5.keytab with ktpass on the Windows server and replace the one on centos-test, but that does not work either. There is something, perhaps obvious, that I miss. I also tried with 'validate = true' in /etc/krb5.conf, but with no success.
I also found that there is a 'krb5.conf.TEST-LPP' file in /var/lib/samba/smb_krb5, and this one is certainly used by samba (I replaced the old version with samba3x, 3.5.4, and put 'kerberos method = secrets and keytab' instead of the 'use kerberos keytab = true' that I used previously).
I don't know if you, or anyone else, have an idea?
Alain
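The two symptoms in this thread point at different things: klist shows a valid TGT for TEST-LPP.LOCAL, yet the samba log says "No credentials cache found" and "Cannot find ticket for requested realm". A quick way to separate "wrong cache file" from "wrong realm" is to compare the realm of the service principal samba asked for against the realm of the TGT actually in the cache, and to print which cache the process would look in (KRB5CCNAME, or the MIT default /tmp/krb5cc_<uid>). The following is an added diagnostic written for this post, not part of the thread or of samba; it takes klist text as a string (a constructed copy of the listing above) rather than running klist, so it works offline, and `check_cache_for_service` and `effective_ccache` are names chosen here.

```sh
#!/bin/sh
# Added example: does the ticket cache hold a TGT for the realm of the
# service principal that samba tried to contact?
# The klist text below is constructed from the listing in the thread.
KLIST_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: pean@TEST-LPP.LOCAL

Valid starting     Expires            Service principal
04/13/11 11:41:09  04/13/11 18:21:09  krbtgt/TEST-LPP.LOCAL@TEST-LPP.LOCAL'

# realm_of PRINCIPAL -> the realm part (text after the last '@')
realm_of() {
    printf '%s\n' "$1" | sed 's/.*@//'
}

# has_tgt_for KLIST_TEXT REALM -> 0 when a krbtgt/REALM@REALM entry is listed
has_tgt_for() {
    printf '%s\n' "$1" | grep -qF "krbtgt/$2@$2"
}

# check_cache_for_service KLIST_TEXT SERVICE_PRINCIPAL
# Prints a verdict; returns 0 if the cache can reach the service's realm,
# 1 otherwise (the "Cannot find ticket for requested realm" situation).
check_cache_for_service() {
    klist_text=$1
    service=$2
    realm=$(realm_of "$service")
    if has_tgt_for "$klist_text" "$realm"; then
        echo "OK: TGT for $realm present, $service is reachable from this cache"
        return 0
    fi
    default=$(printf '%s\n' "$klist_text" | sed -n 's/^Default principal: //p')
    echo "MISSING: no TGT for $realm in cache (default principal: ${default:-none})"
    return 1
}

# effective_ccache UID -> the cache a process with that uid will open:
# KRB5CCNAME if set and non-empty, else the MIT default FILE:/tmp/krb5cc_<uid>.
# A root shell's kinit writes krb5cc_0; a daemon running as another uid,
# or a process started with a different KRB5CCNAME, looks elsewhere and
# reports "No credentials cache found".
effective_ccache() {
    printf '%s\n' "${KRB5CCNAME:-FILE:/tmp/krb5cc_$1}"
}

# Usage (root shell, as in the thread):
#   check_cache_for_service "$KLIST_SAMPLE" 'pc-2003-test$@TEST-LPP.LOCAL'
#   effective_ccache "$(id -u)"
```

Note that 'net ads join -U pean' prompts for a password because -U makes net authenticate as that user itself rather than reuse the cache; the cache only matters for the Kerberos step shown in the -d3 log, which is where the realm and cache-path checks above apply.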