On Wed, 13 Apr 2011, Alain Péan wrote:

> Hi John,
>
> There are only two realms I mentioned, LAB-LPP.LOCAL, and
> TEST-LPP.LOCAL. I am currently doing tests with the latter, and indeed,
> pc-2003-test is the AD DC, so the KDC for TEST-LPP.LOCAL. The FQDN is
> also pc-2003-test.test-lpp.local.
>
> 'kinit <username>' works,
> [root@centos-test etc]# kinit pean
> Password for pean@TEST-LPP.LOCAL:
> [root@centos-test etc]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: pean@TEST-LPP.LOCAL
>
> Valid starting     Expires            Service principal
> 04/13/11 11:41:09  04/13/11 18:21:09  krbtgt/TEST-LPP.LOCAL@TEST-LPP.LOCAL
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> But nevertheless, it is asking for password when I issue the 'net ads
> join -U pean' command...
>
> As you understood, my KDC server is a Windows 2003 R2 Active Directory
> server. I don't understand where it is looking for the credentials. I
> tried to create the krb5.keytab with ktpass on the Windows server, and
> replace the one on the centos-test, but it does not work either. There
> is something, perhaps obvious, I miss. I also tried with
> 'validate = true' in /etc/krb5.conf, but with no success.

Have you tried with validate = false? I'd expect that to work, but it's
not what you want to be doing long term.

> I found also that there is a 'krb5.conf.TEST-LPP' file in
> /var/lib/samba/smb_krb5, and this one is certainly used by samba (I
> replaced old version with samba3x, 3.5.4, and put 'kerberos method =
> secrets and keytab', instead of 'use kerberos keytab = true' that I used
> previously).

Does that config file conflict in any way with the system krb5.conf?

> I don't know if you have, or anyone else, an idea?

Ah, I'm using samba-common-3.0.33 for the join not samba3x, so there's
possibly some subtle differences. The join is reliant on
/etc/samba/smb.conf (and presumably that krb5.conf.TEST-LPP) though, so
you'd need to double check that's all correct.

jh