On Tue, 12 Apr 2011, Alain Péan wrote:

> On 12/04/2011 22:03, John Hodrien wrote:
>> On Tue, 12 Apr 2011, Alain Péan wrote:
>>
>>> Indeed, nothing fails now. I want my users to authenticate against
>>> Active directory, and it works, and I would like them to be able to use
>>> their kerberos credentials, if they need, to access domain resources,
>>> as shares. But I have still to see a problem there..
>>>
>>> Thanks again for your help and your comments!
>>
>> So is it all working after taking out the ldap auth? With it in you'll not be
>> generating kerberos tickets if there's anything wrong with your kerberos
>> setup.
>>
>> jh
>
> No, you are right, things do not work as I expect. When I disable
> ldapauth, I cannot authenticate. So kerberos is not working.
> I have kerberos error messages with samba when I try to join AD domain
> with net ads join. But net rpc join succeeds.
> # net ads join -U pean -d3
> ....
> [2011/04/12 22:19:45.797972, 3] libads/sasl.c:790(ads_sasl_spnego_bind)
> ads_sasl_spnego_bind: got server principal name =
> pc-2003-test$@TEST-LPP.LOCAL
> [2011/04/12 22:19:45.798331, 3] libsmb/clikrb5.c:698(ads_krb5_mk_req)
> ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
> found)
> [2011/04/12 22:19:45.811493, 1] libsmb/clikrb5.c:710(ads_krb5_mk_req)
> ads_krb5_mk_req: smb_krb5_get_credentials failed for
> pc-2003-test$@TEST-LPP.LOCAL (Cannot find ticket for requested realm)
> ....
>
> Why 'no credential cache found'?
> I would like to solve this annoying problem. Why it is no more working
> after upgrading to 5.6?

I'm afraid you've cooked my brain with all the realms you've mentioned, so I'm
not entirely clear what's going on.

It's complaining about your kdc. Is pc-2003-test the KDC for the TEST-LPP.LOCAL
realm, or is it KDC for the LAB-LPP.LOCAL realm? Is its FQDN
pc-2003-test.test-lpp.local?

Without worrying about the join, does 'kinit <username>' work?

jh