On 13/04/2011 11:35, John Hodrien wrote:
> On Tue, 12 Apr 2011, Alain Péan wrote:
>
>> On 12/04/2011 22:03, John Hodrien wrote:
>>> On Tue, 12 Apr 2011, Alain Péan wrote:
>>>
>>>> Indeed, nothing fails now. I want my users to authenticate against
>>>> Active Directory, and it works, and I would like them to be able to use
>>>> their Kerberos credentials, if they need, to access domain resources,
>>>> such as shares. But I have still to see a problem there..
>>>>
>>>> Thanks again for your help and your comments!
>>>
>>> So is it all working after taking out the ldap auth? With it in you'll not be
>>> generating kerberos tickets if there's anything wrong with your kerberos
>>> setup.
>>>
>>> jh
>>
>> No, you are right, things do not work as I expect. When I disable
>> ldapauth, I cannot authenticate. So Kerberos is not working.
>> I have Kerberos error messages with Samba when I try to join the AD domain
>> with net ads join. But net rpc join succeeds.
>>
>> # net ads join -U pean -d3
>> ....
>> [2011/04/12 22:19:45.797972, 3] libads/sasl.c:790(ads_sasl_spnego_bind)
>>   ads_sasl_spnego_bind: got server principal name = pc-2003-test$@TEST-LPP.LOCAL
>> [2011/04/12 22:19:45.798331, 3] libsmb/clikrb5.c:698(ads_krb5_mk_req)
>>   ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
>> [2011/04/12 22:19:45.811493, 1] libsmb/clikrb5.c:710(ads_krb5_mk_req)
>>   ads_krb5_mk_req: smb_krb5_get_credentials failed for pc-2003-test$@TEST-LPP.LOCAL (Cannot find ticket for requested realm)
>> ....
>>
>> Why 'no credential cache found'?
>> I would like to solve this annoying problem. Why is it no longer working
>> after upgrading to 5.6?
>
> I'm afraid you've cooked my brain with all the realms you've mentioned, so I'm
> not entirely clear what's going on.
>
> It's complaining about your kdc.
>
> Is pc-2003-test the KDC for the TEST-LPP.LOCAL realm, or is it KDC for the
> LAB-LPP.LOCAL realm? Is its FQDN pc-2003-test.test-lpp.local?
>
> Without worrying about the join, does 'kinit <username>' work?
>
> jh

Hi John,

There are only two realms I mentioned, LAB-LPP.LOCAL and TEST-LPP.LOCAL. I am
currently doing tests with the latter, and indeed, pc-2003-test is the AD DC, so
the KDC for TEST-LPP.LOCAL. The FQDN is also pc-2003-test.test-lpp.local.

'kinit <username>' works:

[root@centos-test etc]# kinit pean
Password for pean@TEST-LPP.LOCAL:
[root@centos-test etc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: pean@TEST-LPP.LOCAL

Valid starting     Expires            Service principal
04/13/11 11:41:09  04/13/11 18:21:09  krbtgt/TEST-LPP.LOCAL@TEST-LPP.LOCAL

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

But nevertheless, it is asking for a password when I issue the
'net ads join -U pean' command...

As you understood, my KDC server is a Windows 2003 R2 Active Directory server.
I don't understand where it is looking for the credentials. I tried to create
the krb5.keytab with ktpass on the Windows server, and replace the one on
centos-test, but it does not work either. There is something, perhaps obvious,
that I miss. I also tried with 'validate = true' in /etc/krb5.conf, but with no
success.

I found also that there is a 'krb5.conf.TEST-LPP' file in
/var/lib/samba/smb_krb5, and this one is certainly used by Samba (I replaced
the old version with samba3x, 3.5.4, and put 'kerberos method = secrets and
keytab' instead of 'use kerberos keytab = true', which I used previously).

I don't know if you, or anyone else, have an idea?

Alain

-- 
==========================================================
Alain Péan - LPP/CNRS
Administrateur Système/Réseau
Laboratoire de Physique des Plasmas - UMR 7648
Observatoire de Saint-Maur
4, av de Neptune, Bat. A
94100 Saint-Maur des Fossés
Tel : 01-45-11-42-39 - Fax : 01-48-89-44-33
==========================================================
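The thread above turns on whether krb5.conf, smb.conf, the ticket cache and the keytab all refer to the same realm ("Cannot find ticket for requested realm" and a confusion between LAB-LPP.LOCAL and TEST-LPP.LOCAL). The script below is an added example, not code from the thread or from Samba: a pre-flight check one can run before `net ads join` that parses krb5.conf, smb.conf, captured `klist` output and captured `klist -k` output and reports any realm disagreement or missing TGT. All input files are constructed samples written to a temporary directory; the realm and host names are the ones mentioned in the thread, and the keytab entries (host/centos-test.test-lpp.local, CENTOS-TEST$, a stray LAB-LPP.LOCAL entry) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): check that the Kerberos realm agrees
# across krb5.conf, smb.conf, the ticket cache and the keytab before running
# "net ads join". All files below are constructed samples.

SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = TEST-LPP.LOCAL
 dns_lookup_kdc = true
[realms]
 TEST-LPP.LOCAL = {
  kdc = pc-2003-test.test-lpp.local
 }
EOF

cat > "$SAMPLE_DIR/smb_good.conf" <<'EOF'
[global]
 workgroup = TEST-LPP
 realm = TEST-LPP.LOCAL
 security = ads
 kerberos method = secrets and keytab
EOF
# Same smb.conf but pointing at the other realm named in the thread.
sed 's/TEST-LPP.LOCAL/LAB-LPP.LOCAL/' "$SAMPLE_DIR/smb_good.conf" > "$SAMPLE_DIR/smb_bad.conf"

# "klist" output after a successful kinit (constructed from the thread's listing).
cat > "$SAMPLE_DIR/klist_good.txt" <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: pean@TEST-LPP.LOCAL

Valid starting     Expires            Service principal
04/13/11 11:41:09  04/13/11 18:21:09  krbtgt/TEST-LPP.LOCAL@TEST-LPP.LOCAL
EOF
# "klist" output before any kinit (constructed).
printf 'klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)\n' \
    > "$SAMPLE_DIR/klist_empty.txt"

# "klist -k" output for a keytab that mixes two realms (hypothetical entries).
cat > "$SAMPLE_DIR/keytab_mixed.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/centos-test.test-lpp.local@TEST-LPP.LOCAL
   2 CENTOS-TEST$@TEST-LPP.LOCAL
   1 host/centos-test.lab-lpp.local@LAB-LPP.LOCAL
EOF
head -n 5 "$SAMPLE_DIR/keytab_mixed.txt" > "$SAMPLE_DIR/keytab_good.txt"

# default_realm from a krb5.conf file ($1). Realm names are case-sensitive,
# so nothing is normalised: a lowercase realm here is a real misconfiguration.
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}
# "realm =" from an smb.conf file ($1); the key is matched case-insensitively.
smb_realm() {
    sed -n 's/^[[:space:]]*[Rr][Ee][Aa][Ll][Mm][[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}
# Realm of "Default principal:" in captured klist output ($1); empty if no cache.
ccache_realm() {
    sed -n 's/^Default principal:[[:space:]]*[^@]*@\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}
# "yes"/"no": does klist output $1 contain a TGT (krbtgt/REALM@REALM) for realm $2?
ccache_has_tgt() {
    if grep -qF "krbtgt/$2@$2" "$1"; then echo yes; else echo no; fi
}
# Principals in "klist -k" output ($1) whose realm is not $2 (header lines skipped).
keytab_foreign_entries() {
    awk -v r="$2" 'NF == 2 && $1 ~ /^[0-9]+$/ { n = split($2, a, "@"); if (a[n] != r) print $2 }' "$1"
}

# $1 krb5.conf  $2 smb.conf  $3 klist output  $4 klist -k output
# Prints "ok" or one line per problem; exit status is the number of problems.
check_join_prereqs() {
    k=$(krb5_default_realm "$1"); s=$(smb_realm "$2"); c=$(ccache_realm "$3"); n=0
    [ -n "$k" ] || { echo "krb5.conf: no default_realm"; n=$((n+1)); }
    [ -n "$s" ] || { echo "smb.conf: no realm"; n=$((n+1)); }
    [ -z "$k" ] || [ -z "$s" ] || [ "$k" = "$s" ] || { echo "realm mismatch: krb5.conf $k vs smb.conf $s"; n=$((n+1)); }
    if [ -z "$c" ]; then
        echo "ticket cache: no default principal (run kinit first)"; n=$((n+1))
    elif [ "$c" != "$k" ]; then
        echo "ticket cache: principal realm $c is not $k"; n=$((n+1))
    elif [ "$(ccache_has_tgt "$3" "$k")" = no ]; then
        echo "ticket cache: no krbtgt/$k@$k ticket"; n=$((n+1))
    fi
    f=$(keytab_foreign_entries "$4" "$k")
    [ -z "$f" ] || { echo "keytab: entries outside $k: $f"; n=$((n+1)); }
    [ "$n" -eq 0 ] && echo ok
    return "$n"
}

# Usage on the samples: the consistent set prints "ok"; the set with the
# wrong smb.conf realm and a stale keytab entry lists what is wrong.
check_join_prereqs "$SAMPLE_DIR/krb5.conf" "$SAMPLE_DIR/smb_good.conf" "$SAMPLE_DIR/klist_good.txt" "$SAMPLE_DIR/keytab_good.txt"
check_join_prereqs "$SAMPLE_DIR/krb5.conf" "$SAMPLE_DIR/smb_bad.conf" "$SAMPLE_DIR/klist_empty.txt" "$SAMPLE_DIR/keytab_mixed.txt" \
    || echo "found $? problem(s)"
```

On a real host the inputs are `/etc/krb5.conf`, `/etc/samba/smb.conf`, and the output of `klist` and `klist -k` redirected to files, run as the same user (here root, whose cache is FILE:/tmp/krb5cc_0) that will later run `net ads join`. The comparison is deliberately exact because Kerberos realm names are case-sensitive; the check does not cover clock skew or DNS resolution of the KDC, which must be verified separately.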