On Wed, 13 Apr 2011, Alain Péan wrote:
I'll try now, with the change in /etc/krb5.conf (validate = false), if it works now.
It won't (or at least it shouldn't). Validate is essential as it confirms that the KDC providing the TGT to the user is the same KDC that you registered with when you joined the domain. If you don't have that check, I believe it's hideously insecure.
But the samba join is affected by many things. /etc/hosts, /etc/krb5.conf, /etc/samba/smb.conf are all well worth double checking for correctness.
So you've still got problems that need sorting. If validate doesn't work, then there are keytab issues. The keytab only needs to contain a valid principal for the domain; it doesn't even need to be a credential for that machine. Normally it *would* be for that machine, since you'd generate it through a 'net ads join' with an appropriate smb.conf.
Thanks for your help!
No problem.
jh