On 13/04/2011 14:05, John Hodrien wrote:
On Wed, 13 Apr 2011, Alain Péan wrote:
I'll try now, with the change in /etc/krb5.conf (validate = false), and see if it works.
It won't (or at least it shouldn't). Validate is essential as it confirms that the KDC providing the TGT to the user is the same KDC that you registered with when you joined the domain. If you don't have that check, I believe it's hideously insecure.
You are right. It fails...
But the samba join is affected by many things. /etc/hosts, /etc/krb5.conf, /etc/samba/smb.conf are all well worth double checking for correctness.
So you've still got problems that need sorting. If validate doesn't work, then there are keytab issues. The keytab only needs to contain a valid principal for the domain, it doesn't even need to be a credential for that machine. Normally it *would* be for that machine, since you'd generate it through a 'net ads join' with an appropriate smb.conf.
Here are the relevant files, simple enough:

# cat /etc/samba/smb.conf
# Test domain test-lpp

# Global Parameters
[global]
        workgroup = TEST-LPP
        netbios name = centos-test
        server string = Samba Server %v
        security = ads
        realm = TEST-LPP.LOCAL
        #use kerberos keytab = true
        kerberos method = secrets and keytab
        passdb backend = tdbsam
        password server = *
        encrypt passwords = true
        client use spnego = no
        load printers = yes
        printing = cups
        printcap name = cups
        admin users = pean

# Shares
[homes]
        comment = Home Directories
        read only = no
        browseable = no
(samba3x, 3.5.4). I added passdb backend = tdbsam following the original smb.conf file, but I don't know if this is necessary. It was not there previously.
# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6
134.x1.y1.z1    centos-test.test-lpp.local centos-test

# Domain server test-lpp.local
134.x2.y2.z2    pc-2003-test.test-lpp.local pc-2003-test
134.x3.y3.z3    dc1-test.test-lpp.local dc1-test
# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5lib.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = TEST-LPP.LOCAL
 default_tk_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 TEST-LPP.LOCAL = {
  kdc = pc-2003-test.test-lpp.local:88
  kdc = dc1-test.test-lpp.local:88
  #admin_server = pc-2003-test.test-lpp.local:749
  default_domain = TEST-LPP.LOCAL
  kpasswd_server = pc-2003-test.test-lpp.local
  kdc = *
 }

[domain_realm]
 .test-lpp.local = TEST-LPP.LOCAL
 test-lpp.local = TEST-LPP.LOCAL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
  validate = false
 }
If you see something wrong, let me know! The resolv.conf file contains the domain name (search test-lpp.local) and the addresses of the AD servers of this domain, and only those... SELinux and iptables are disabled...
Alain
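Added example (not code from the thread, from Samba or from MIT Kerberos): a small Python checker for the points raised in the reply. It parses a krb5.conf, including the brace blocks under [realms] and [appdefaults], and an smb.conf with Samba's case- and whitespace-insensitive parameter names, then flags validate = false, single-DES and deprecated enctypes, a misspelled [libdefaults] key that libkrb5 would silently ignore (the posted file has default_tk_enctypes where MIT expects default_tkt_enctypes), a wildcard kdc entry, a kerberos method that leaves /etc/krb5.keytab unwritten after net ads join (so validate has no host key to check against), and client use spnego = no. The two embedded config texts are constructed samples modelled on the posted files, not the files themselves; the severity labels and the list of known option names are this script's own assumptions.

```python
"""Audit krb5.conf + smb.conf for the settings the reply warned about. Added example, not
code from the thread, Samba or MIT Kerberos; the samples are constructed from the posted files."""
import difflib

# Subset of [libdefaults] options, used to suggest a spelling for a near-miss key (MIT ignores unknown keys).
KNOWN_LIBDEFAULTS = {"default_realm", "default_tkt_enctypes", "default_tgs_enctypes",
                     "permitted_enctypes", "dns_lookup_realm", "dns_lookup_kdc", "forwardable"}
# Single DES is broken; 3DES and RC4 are deprecated (RFC 8429).
ENCTYPE_RISK = {"des-cbc-crc": "high", "des-cbc-md5": "high", "des3-hmac-sha1": "medium", "arcfour-hmac": "medium"}
# 'kerberos method' values under which 'net ads join' writes /etc/krb5.keytab.
KEYTAB_METHODS = {"secrets and keytab", "system keytab", "dedicated keytab"}

def parse_krb5_conf(text):
    """krb5.conf -> {section: {key: value|[values]|{nested}}}; a repeated key becomes a list."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]") and len(stack) <= 1:
            stack = [conf.setdefault(line[1:-1], {})]  # new top-level section
        elif line == "}":
            stack.pop()                                # close a 'key = { ... }' block
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack[-1][key] = child = {}
                stack.append(child)
            elif key in stack[-1]:
                old = stack[-1][key]
                stack[-1][key] = (old if isinstance(old, list) else [old]) + [value]
            else:
                stack[-1][key] = value
    return conf

def parse_smb_conf(text):
    """smb.conf -> {section: {key: value}}; Samba ignores case and spaces in parameter names."""
    conf, section = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].lower(), {})
        else:
            key, _, value = line.partition("=")
            section["".join(key.split()).lower()] = value.strip()
    return conf

def audit(krb5, smb):
    """Return [(severity, message)]; an empty list means nothing was flagged."""
    out, lib, g = [], krb5.get("libdefaults", {}), smb.get("global", {})
    if str(krb5.get("appdefaults", {}).get("pam", {}).get("validate", "true")).lower() == "false":
        out.append(("high", "pam validate = false: TGT not checked against the host keytab; a spoofed KDC can log users in"))
    for key in set(lib) - KNOWN_LIBDEFAULTS:
        guess = difflib.get_close_matches(key, KNOWN_LIBDEFAULTS, n=1, cutoff=0.8)
        if guess:
            out.append(("medium", f"libdefaults '{key}' is ignored; did you mean '{guess[0]}'?"))
    for opt in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for enc in str(lib.get(opt, "")).split():
            if enc in ENCTYPE_RISK:
                out.append((ENCTYPE_RISK[enc], f"{opt} allows {enc}"))
    for realm, cfg in krb5.get("realms", {}).items():
        kdcs = cfg.get("kdc", []) if isinstance(cfg, dict) else []
        if "*" in (kdcs if isinstance(kdcs, list) else [kdcs]):
            out.append(("medium", f"realm {realm}: 'kdc = *' is not a KDC address; list the DCs or use dns_lookup_kdc"))
    if g.get("kerberosmethod", "secrets only") not in KEYTAB_METHODS:
        out.append(("high", "kerberos method leaves /etc/krb5.keytab unwritten on join; validate has no host key"))
    if g.get("clientusespnego", "yes").lower() == "no":
        out.append(("medium", "client use spnego = no: Samba's client side cannot negotiate Kerberos, falls back to NTLM"))
    return out

SAMPLE_KRB5 = """
[libdefaults]
 default_realm = TEST-LPP.LOCAL
 default_tk_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
 TEST-LPP.LOCAL = {
  kdc = pc-2003-test.test-lpp.local:88
  kdc = *
 }
[appdefaults]
 pam = {
  validate = false
 }
"""
SAMPLE_SMB = """
[global]
        realm = TEST-LPP.LOCAL
        kerberos method = secrets and keytab
        client use spnego = no
"""

def audit_text(krb5_text=SAMPLE_KRB5, smb_text=SAMPLE_SMB):
    return audit(parse_krb5_conf(krb5_text), parse_smb_conf(smb_text))

if __name__ == "__main__":
    for sev, msg in audit_text():
        print(f"[{sev}] {msg}")
```

audit_text() with no arguments reports on the embedded samples; pass the contents of a host's real /etc/krb5.conf and smb.conf to check that host. The unknown-key check is deliberately conservative: it only reports a key when it is a close match to an option in the (partial) known list, so valid options the list omits are not mistaken for typos.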