[CentOS] Kerberos/LDAP authentication no more working in 5.6 ?

Wed Apr 13 09:35:43 UTC 2011
John Hodrien <J.H.Hodrien at leeds.ac.uk>

On Tue, 12 Apr 2011, Alain Péan wrote:

> On 12/04/2011 22:03, John Hodrien wrote:
>> On Tue, 12 Apr 2011, Alain Péan wrote:
>>
>>> Indeed, nothing fails now. I want my users to authenticate against
>>> Active Directory, and it works, and I would like them to be able to use
>>> their kerberos credentials, if they need, to access domain resources,
>>> such as shares. But I have yet to see a problem there.
>>>
>>> Thanks again for your help and your comments !
>>
>> So is it all working after taking out the ldap auth?  With it in you'll
>> not be generating kerberos tickets if there's anything wrong with your
>> kerberos setup.
>>
>> jh
>
> No, you are right, things do not work as I expect. When I disable
> ldapauth, I cannot authenticate. So kerberos is not working.
> I have kerberos error messages with samba when I try to join AD domain
> with net ads join. But net rpc join succeeds.
> # net ads join -U pean -d3
> ....
> [2011/04/12 22:19:45.797972,  3] libads/sasl.c:790(ads_sasl_spnego_bind)
>   ads_sasl_spnego_bind: got server principal name =
> pc-2003-test$@TEST-LPP.LOCAL
> [2011/04/12 22:19:45.798331,  3] libsmb/clikrb5.c:698(ads_krb5_mk_req)
>   ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
> found)
> [2011/04/12 22:19:45.811493,  1] libsmb/clikrb5.c:710(ads_krb5_mk_req)
>   ads_krb5_mk_req: smb_krb5_get_credentials failed for
> pc-2003-test$@TEST-LPP.LOCAL (Cannot find ticket for requested realm)
> ....
>
> Why 'no credentials cache found'?
> I would like to solve this annoying problem. Why is it no longer working
> after upgrading to 5.6?

I'm afraid you've cooked my brain with all the realms you've mentioned, so I'm
not entirely clear what's going on.

It's complaining about your kdc.

Is pc-2003-test the KDC for the TEST-LPP.LOCAL realm, or is it KDC for the
LAB-LPP.LOCAL realm?  Is its FQDN pc-2003-test.test-lpp.local?

Without worrying about the join, does 'kinit <username>' work?

jh
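As an added example (not code from the thread), a small POSIX shell check for the question raised above: which realm a host FQDN maps to and which KDC serves that realm, read from a krb5.conf-style file. The realm and host names are the thread's; the config text and the mapping it contains are constructed for the example.

```shell
# Added example, not code from the thread: for a krb5.conf-style file, report
# the realm a host FQDN maps to ([domain_realm]) and the KDC serving that
# realm ([realms]). A host mapped to no realm, or to a realm without a kdc
# entry, is one way to end up with "Cannot find ticket for requested realm".
# Realm/host names are the thread's; the config text is constructed.

# realm_for_host CONF FQDN: most specific [domain_realm] match
# (exact host, then .parent.domain, then .domain); exit 1 if none.
realm_for_host() {
    conf=$1 h=$2
    while :; do
        r=$(awk -v key="$h" '
            /^[[:space:]]*#/ { next }
            /^\[/ { sect=$1; next }
            sect=="[domain_realm]" && $1==key && $2=="=" { print $3; exit }
        ' "$conf")
        if [ -n "$r" ]; then printf '%s\n' "$r"; return 0; fi
        t=${h#.}
        case $t in
            *.*) h=".${t#*.}" ;;   # walk up one DNS label
            *)   return 1 ;;
        esac
    done
}
# kdc_for_realm CONF REALM: kdc lines inside the realm's { ... } block.
kdc_for_realm() {
    awk -v realm="$2" '
        /^[[:space:]]*#/ { next }
        /^\[/ { sect=$1; inblk=0; next }
        sect=="[realms]" && $1==realm && $2=="=" && $3=="{" { inblk=1; next }
        inblk && $1=="}" { inblk=0 }
        inblk && $1=="kdc" && $2=="=" { print $3 }
    ' "$1"
}
# Constructed config: the host's domain is mapped to LAB-LPP.LOCAL, but only
# TEST-LPP.LOCAL has a kdc entry, a mismatch worth ruling out before kinit.
write_sample_conf() {
    cat > "$1" <<'EOF'
[realms]
 TEST-LPP.LOCAL = {
  kdc = pc-2003-test.test-lpp.local
 }
 LAB-LPP.LOCAL = {
 }
[domain_realm]
 .test-lpp.local = LAB-LPP.LOCAL
EOF
}
```

Run `realm_for_host /etc/krb5.conf "$(hostname -f)"` and then `kdc_for_realm /etc/krb5.conf <realm>` on the client; if the first prints a realm the second prints nothing for, the host is mapped to a realm with no KDC configured.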