On 13/04/2011 12:03, John Hodrien wrote:
> On Wed, 13 Apr 2011, Alain Péan wrote:
>
>> Hi John,
>>
>> There are only two realms I mentioned, LAB-LPP.LOCAL, and
>> TEST-LPP.LOCAL. I am currently doing tests with the latter, and indeed,
>> pc-2003-test is the AD DC, so the KDC for TEST-LPP.LOCAL. The FQDN is
>> also pc-2003-test.test-lpp.local.
>>
>> 'kinit <username>' works,
>> [root at centos-test etc]# kinit pean
>> Password for pean at TEST-LPP.LOCAL:
>> [root at centos-test etc]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: pean at TEST-LPP.LOCAL
>>
>> Valid starting Expires Service principal
>> 04/13/11 11:41:09 04/13/11 18:21:09
>> krbtgt/TEST-LPP.LOCAL at TEST-LPP.LOCAL
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt0
>> klist: You have no tickets cached
>>
>> But nevertheless, it is asking for password when I issue the 'net ads
>> join -U pean' command...
>>
>> As you understood, my KDC server is a windows 2003 R2 Active directory
>> server. I don't understand where it is looking for the credentials. I
>> tried to create the krb5.keytab with ktpass on the windows server, and
>> replace the one on the centos-test, but it does not work either. There
>> is something, perhaps obvious, I miss. I also tried with 'validate =
>> true' in /etc/krb5.conf, but with no success.
>
> Have you tried with validate = false?
>
> I'd expect that to work, but it's not what you want to be doing long
> term.

I just tried, before reading your answer, and indeed, it works! I can now connect without ldap, only kerberos in system-auth-ac (/etc/pam.d).

>
>> I found also that there is a 'krb5.conf.TEST-LPP' file in
>> /var/lib/samba/smb_krb5, and this one is certainly used by samba (I
>> replaced old version with samba3x, 3.5.4, and put 'kerberos method =
>> secrets and keytab', instead of 'use kerberos keytab = true' that I used
>> previously).
>
> Does that config file conflict in any way with the system krb5.conf?

No, it is the newer syntax of 3.5.4, that's all.

>
>> I don't know if you have, or anyone else, an idea ?
>
> Ah, I'm using samba-common-3.0.33 for the join not samba3x, so there's
> possibly some subtle differences.

No, it was the same with 3.0.33. I only tried with 3.5.4, when I saw that it failed with the previous version.

>
> The join is reliant on /etc/samba/smb.conf (and presumably that
> krb5.conf.TEST-LPP) though, so you'd need to double check that's all
> correct.

I'll try now, with the change in /etc/krb5.conf (validate = false), if it works now.

Thanks for your help!

Alain

--
==========================================================
Alain Péan - LPP/CNRS
System/Network Administrator
Laboratoire de Physique des Plasmas - UMR 7648
Observatoire de Saint-Maur
4, av de Neptune, Bat. A
94100 Saint-Maur des Fossés
Tel : 01-45-11-42-39 - Fax : 01-48-89-44-33
==========================================================
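
An added example, not part of the thread and not code from pam_krb5 or Samba: with `validate = false`, pam_krb5 no longer checks the obtained TGT against the host keytab, so the setting is worth auditing for once the keytab problem is fixed. The sketch assumes the option sits under `[appdefaults]` in krb5.conf; the sample file and the function names are constructed for illustration.

```python
import re

# Constructed sample (not the poster's real file) with the setting from the thread.
SAMPLE_KRB5_CONF = """\
[appdefaults]
 pam = {
   validate = false
   TEST-LPP.LOCAL = {
     ticket_lifetime = 36000
   }
 }
"""
# Spellings that krb5 parses as boolean false.
FALSE_VALUES = {"n", "no", "false", "nil", "0", "off"}

def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: nested dict of relations}."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                             # a new [section] resets nesting
            stack = [root.setdefault(header.group(1), {})]
        elif line.startswith("}"):             # close a { ... } subsection
            if len(stack) > 1:
                stack.pop()
        elif "=" in line and stack:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":                   # open a subsection
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return root

def disabled_validate_settings(text):
    """Return (scope, value) for each 'validate' under [appdefaults] set to false."""
    findings = []
    def walk(node, scope):
        for key, value in node.items():
            if isinstance(value, dict):        # descend into app or realm blocks
                walk(value, scope + "/" + key)
            elif key == "validate" and value.lower() in FALSE_VALUES:
                findings.append((scope, value))
    walk(parse_krb5_conf(text).get("appdefaults", {}), "appdefaults")
    return findings

print(disabled_validate_settings(SAMPLE_KRB5_CONF))
```

An empty list means no `validate` relation under `[appdefaults]` is switched off; each tuple otherwise names the block (application or realm scope) where it is.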