I've been trying to get Kerberos to work for the last couple of days so that we can use SSO. I can't seem to get past a roadblock and Google doesn't seem to provide any answers.

I've got Samba connected to the AD and running. I can wbinfo everything and can log in to the machine using PAM with the pam_winbind modules just fine. I can get user tickets just fine. When I try to get ssh between two AD joined machines to use Kerberos, I get a "Server not found in Kerberos database" error. I've noticed that /var/log/samba/log.winbinds shows:

    [2009/05/06 09:22:31, 1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
      ads_krb5_mk_req: krb5_get_credentials failed for ca...@byu (Cannot resolve network address for KDC in requested realm)
    [2009/05/06 09:22:31, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
      cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm

I can't run `kinit host/vi4deba...@byu.local` or anything like it; all I get is "kinit(v5): Client not found in Kerberos database while getting initial credentials". I've tried all sorts of combinations of the kinit command. I've tried to create a winbind keytab file, but from what I've read that is only used if using LDAP and not winbind. I've tweaked the /etc/krb.conf file. I can't get rid of the error in log.winbindd to see if that fixes the problem.

Summary:

    /etc/resolve.conf: Specified AD domain and DCs as DNS servers
    /etc/hosts: Specified the FQDN of the machine with the AD DNS name
    /etc/krb5.conf: Added AD realm info
    /etc/samba/smb.conf: All AD info entered correctly
    Net ads join: OK
    Wbinfo -u/g: Shows all users and groups in the domain
    Pam_winbind: Allows users to login to the console or through SSH (password)
    /etc/ssh/sshd_conf: GSSAPIAuthentication yes
    /etc/ssh/ssh_conf (on remote machine configured exactly the same): GSSAPIAuthentication yes and GSSAPIDelegateCredentials no

Same error on Debian Lenny using Samba 3.2.5 and Debian Squeeze using Samba 3.3.3.

/etc/samba/smb.conf:

    [global]
        workgroup = BYU
        realm = BYU.LOCAL
        preferred master = no
        server string = %h server
        dns proxy = no
        debug level = 10
        log file = /var/log/samba/log.%m
        max log size = 1000
        syslog = 0
        panic action = /usr/share/samba/panic-action %d
        security = ADS
        encrypt passwords = true
        passdb backend = tdbsam
        obey pam restrictions = yes
        invalid users = root
        unix password sync = yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        pam password change = yes
        load printers = no
        printing = bsd
        printcap name = /dev/null
        show add printer wizard = no
        disable spoolss = yes
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        allow trusted domains = No
        idmap backend = idmap_rid:BYU=10000-100000000
        idmap uid = 10000-100000000
        idmap gid = 10000-100000000
        winbind use default domain = yes
        winbind separator = +
        winbind enum groups = no
        winbind enum users = no
        winbind nested groups = yes
        template homedir = /home/%U
        template shell = /bin/bash
        winbind refresh tickets = yes
        get quota command = /root/sambaquota.sh

    [users]
        comment = Life Sciences user share
        browseable = yes
        path = /ls/users
        guest ok = no
        read only = no
        admin users = @lfsci-csr
        create mask = 0770
        directory mask = 0770
        force user = %S
        veto files = /.htaccess/ /.DAV/

    [groups]
        comment = Life Sciences groups share
        browseable = yes
        path = /ls/groups
        guest ok = no
        read only = no
        admin users = lfsci-csr
        create mask = 0770
        directory mask = 0770
        veto files = /.htaccess/ /.DAV/
        dos filemode = yes
        posix locking = no

Relevant part of /var/log/samba/log.winbindd:

    [2009/05/06 09:22:31, 5] winbindd/winbindd_cm.c:cm_prepare_connection(852)
      connecting to CAD1.byu.local from VI4DEBIAN with kerberos principal [vi4debi...@byu.local] and realm [BYU.LOCAL]
    [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(823)
      Doing spnego session setup (blob length=124)
    [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
      got OID=1 2 840 48018 1 2 2
    [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
      got OID=1 2 840 113554 1 2 2
    [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
      got OID=1 2 840 113554 1 2 2 3
    [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
      got OID=1 3 6 1 4 1 311 2 2 10
    [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(858)
      got principal=not_defined_in_rfc4...@please_ignore
    [2009/05/06 09:22:31, 10] libads/kerberos.c:kerberos_kinit_password_ext(217)
      kerberos_kinit_password: as vi4debi...@byu.local using [MEMORY:cliconnect] as ccache and config [(null)]
    [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(899)
      cli_session_setup_spnego: got a bad server principal, trying to guess ...
    [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(927)
      cli_session_setup_spnego: guessed server principal=ca...@byu
    [2009/05/06 09:22:31, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(617)
      Doing kerberos session setup
    [2009/05/06 09:22:31, 1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
      ads_krb5_mk_req: krb5_get_credentials failed for ca...@byu (Cannot resolve network address for KDC in requested realm)
    [2009/05/06 09:22:31, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
      cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm
    [2009/05/06 09:22:31, 4] winbindd/winbindd_cm.c:cm_prepare_connection(864)
      failed kerberos session setup with Cannot resolve network address for KDC in requested realm
    [2009/05/06 09:22:31, 5] winbindd/winbindd_cm.c:cm_prepare_connection(880)
      connecting to CAD1.byu.local from VI4DEBIAN with username [BYU]\[VI4DEBIAN$]
    [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(823)
      Doing spnego session setup (blob length=124)
    [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
      got OID=1 2 840 48018 1 2 2
    [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
      got OID=1 2 840 113554 1 2 2
    [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
      got OID=1 2 840 113554 1 2 2 3
    [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
      got OID=1 3 6 1 4 1 311 2 2 10
    [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(858)
      got principal=not_defined_in_rfc4...@please_ignore

If you need more info, please let me know.

Thanks,

Robert LeBlanc
Life Sciences Computer Support
Brigham Young University
lebl...@byu.edu
(801)422-1882
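
Added example, not part of the original post and not Samba code: a small Python parser for log.winbindd entries in the layout quoted above, which lists failed Kerberos ticket requests whose target principal names a realm other than the `realm` set in smb.conf. The sample entries are constructed from lines in the post (the truncated principal is kept as it appears there), and the function names are assumptions of this example.

```python
import re

# Constructed sample: two entries copied from the log excerpt in the post,
# with the truncated principal ("ca...@byu") kept exactly as it appears there.
SAMPLE_LOG = (
    "[2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(927)\n"
    "  cli_session_setup_spnego: guessed server principal=ca...@byu\n"
    "[2009/05/06 09:22:31, 1] libsmb/clikrb5.c:ads_krb5_mk_req(686)\n"
    "  ads_krb5_mk_req: krb5_get_credentials failed for ca...@byu "
    "(Cannot resolve network address for KDC in requested realm)\n"
)

# Entry header: "[date time, level] source_file:function(line)".
HEADER = re.compile(
    r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s+([^\s(]+)\((\d+)\)")
FAILED = re.compile(r"krb5_get_credentials failed for (\S+) \(([^)]*)\)")


def parse_entries(text):
    """Split log text into entries; works whether or not line breaks survived."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append({
            "time": head.group(1),
            "level": int(head.group(2)),
            "source": head.group(3),
            "message": " ".join(text[head.end():end].split()),
        })
    return entries


def realm_mismatches(log_text, configured_realm):
    """List failed ticket requests whose principal is outside configured_realm."""
    findings = []
    for entry in parse_entries(log_text):
        match = FAILED.search(entry["message"])
        if not match:
            continue
        principal, reason = match.groups()
        realm = principal.rpartition("@")[2]
        # Compared case-insensitively so only a different realm name is reported.
        if realm.upper() != configured_realm.upper():
            findings.append((entry["time"], principal, realm, reason))
    return findings


if __name__ == "__main__":
    for finding in realm_mismatches(SAMPLE_LOG, "BYU.LOCAL"):
        print(finding)
```

Run against the sample with the realm from the posted smb.conf (BYU.LOCAL), it reports the one failed request, whose principal ends in `@byu`.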