On Sun, 2012-01-22 at 15:32 +0100, steve wrote:
> even though I've made an ldap/hh3.site principal:
> hh3:/tmp # samba-tool spn add ldap/hh3.site Administrator
> hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab --principal=ldap/hh3.site
>
> Why do I get the
> Decrypt integrity check failed
> error?
Why do you keep doing this? What makes you think this is the right thing to do (so I can correct whatever gave you this misconception)?

Samba will not read /etc/ldap.keytab. Samba uses the private keytab containing its own machine account only.

Samba should not be contacted via the DNS domain name; it should be contacted by the fully qualified domain name. The fact that the DNS domain name (hh3.site) resolves is an artefact of the default AD DNS zone, but it should not be used. If your client uses the fully qualified name (dc.hh3.site), it will collect the correct ticket, and Samba will decrypt it.

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
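The mismatch Andrew describes is between the service principal the client asks the KDC for (built from the host name in the LDAP URI) and the principals the DC actually holds keys for in its own keytab. The following diagnostic, added here as an example and not code from the thread or from the Samba project, derives the principal a GSSAPI LDAP client will request from a URI and checks it against a `klist -k` style listing. The keytab listing, the `dc.hh3.site` host name and the `HH3.SITE` realm are constructed for illustration; the only thing taken from the thread is the `hh3.site` domain name.

```python
from urllib.parse import urlsplit

# Constructed sample of what `klist -k` prints for a DC's private keytab.
# The path and entries are assumptions for this example, not real output.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ldap/dc.hh3.site@HH3.SITE
   2 host/dc.hh3.site@HH3.SITE
   2 DC$@HH3.SITE
"""


def normalize_principal(principal: str) -> str:
    """Canonical form for comparison: service/host is case-insensitive in
    practice (DNS), the realm is conventionally upper case."""
    name, _, realm = principal.partition("@")
    return f"{name.lower()}@{realm.upper()}"


def parse_klist_keytab(listing: str) -> set:
    """Extract principal names from `klist -k` output.  Entry lines start
    with a numeric KVNO followed by the principal; header and rule lines are
    skipped."""
    principals = set()
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].isdigit() and "@" in parts[1]:
            principals.add(normalize_principal(parts[1]))
    return principals


def expected_service_principal(ldap_uri: str, realm: str) -> str:
    """Principal a GSSAPI client requests for an LDAP URI: ldap/<host>@REALM.
    Note that the host comes from the URI, not from the realm name, which is
    why ldap://hh3.site asks for ldap/hh3.site@HH3.SITE."""
    host = urlsplit(ldap_uri).hostname
    if not host:
        raise ValueError(f"no host name in LDAP URI {ldap_uri!r}")
    return normalize_principal(f"ldap/{host}@{realm}")


def check_client_target(ldap_uri: str, realm: str, keytab_listing: str) -> dict:
    """Report whether the DC can decrypt the ticket the client will obtain.
    A ticket for a principal absent from the DC's keytab is exactly the
    situation that surfaces as 'Decrypt integrity check failed'."""
    requested = expected_service_principal(ldap_uri, realm)
    available = parse_klist_keytab(keytab_listing)
    host = urlsplit(ldap_uri).hostname.lower()
    problems = []
    if host == realm.lower():
        problems.append(
            "URI names the DNS domain rather than the DC's fully qualified host name"
        )
    if requested not in available:
        problems.append(f"{requested} has no key in the DC's keytab")
    return {"requested": requested, "in_keytab": requested in available,
            "problems": problems}


if __name__ == "__main__":
    for uri in ("ldap://hh3.site", "ldap://dc.hh3.site"):
        report = check_client_target(uri, "HH3.SITE", SAMPLE_KLIST_OUTPUT)
        print(uri, "->", report)
```

The check is deliberately conservative: a real client may canonicalise the host through DNS before building the principal (MIT Kerberos does so by default unless `rdns` is disabled), so a URI that fails this check will fail in practice, while one that passes still depends on DNS returning the DC's FQDN.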