Had a situation where users could not map drives from Windows XP to a Solaris 9 system running Samba-3.0.10 against Active Directory. This system has been running for a couple of years without problems. Recently, the site administrators added some new servers to the domain, which may have introduced a problem.
This krb5.conf file has been modified to hide the site in question.

  [libdefaults]
          default_realm = sanatized
          default_tgs-enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
          default_tkt-enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
          default_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC

  [realms]
          sanatized = {
                  kdc = DC1a.sanatized
                  kdc = DC2a.sanatized
                  kdc = DC3a.sanatized
                  kdc = DC4a.sanatized
                  admin_server = DC3a.sanatized
          }

  [domain_realm]
          .sanatized = sanatized
          sanatized = sanatized

  [logging]
          default = FILE:/var/krb5/kdc.log
          kdc = FILE:/var/krb5/kdc.log
          admin_server = FILE:/var/log/kadmin.log
          kdc_rotate = {
                  # How often to rotate kdc.log. Logs will get rotated no more
                  # often than the period, and less often if the KDC is not used
                  # frequently.
                  period = 1d
                  # how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
                  versions = 10
          }

  [appdefaults]
          kinit = {
                  renewable = true
                  forwardable = true
          }
          gkadmin = {
                  help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
          }

So the system is expecting to see the following Domain Controllers:

  DC1a
  DC2a
  DC3a
  DC4a

However, when users were experiencing problems, we saw the following when klist was run.

  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: [EMAIL PROTECTED]

  Valid starting     Expires            Service principal
  05/29/07 11:04:53  05/29/07 21:04:53  krbtgt/[EMAIL PROTECTED]
          renew until 05/30/07 11:04:53
  05/29/07 11:05:09  05/29/07 21:04:53  [EMAIL PROTECTED]
          renew until 05/30/07 11:04:53
  05/29/07 11:05:09  05/29/07 11:07:09  kadmin/[EMAIL PROTECTED]
          renew until 05/29/07 11:07:09

  Kerberos 4 ticket cache: /tmp/tkt0

The line that concerns me is:

  05/29/07 11:05:09  05/29/07 21:04:53  [EMAIL PROTECTED]
          renew until 05/30/07 11:04:53

Anytime a DC other than DC1a, DC2a, DC3a or DC4a gets used, users have problems mapping drives. We had no record of a domain controller named exchgc01a in the environment.
The admins have recently added a number of servers which they say are global catalog servers for their Exchange setup and should not be used for authentication at all. The domain controllers they have added are:

  EXCHGC01A
  EXCHGC02A
  EXCHGC03A
  EXCHGC04A
  DC1SE
  DC2SE

They are telling us that we must restrict authentication to only the domain controllers DC1a, DC2a, DC3a and DC4a. Is there a way to do this? Is their request unreasonable? There is a password server setting, but is that good enough, and can you give it more than a single machine? What if the machine is down for an unscheduled problem?

Personally, I don't think the new servers should be issuing tickets if they are not used for authentication. They just called me and will be checking to see if that is the case...
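Two checks a practitioner would want here, as an added example that is not part of the original post and not Samba's own code: a small POSIX sh script that scans klist output for service tickets issued against hosts outside the four expected DCs, and builds the matching smb.conf `password server` line from the same list (in Samba 3.0 `password server` accepts a space-separated list of names, so all four DCs can be given). The principals in the original post are redacted, so the sample klist output, the example.com host names and the EXAMPLE.COM realm below are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post or from Samba.
# Flags Kerberos service tickets whose host is not one of the expected
# domain controllers, and emits the smb.conf "password server" line that
# lists those same DCs.

ALLOWED_DCS="DC1a DC2a DC3a DC4a"

# Constructed klist output modelled on the post. The real principals were
# redacted; exchgc01a/dc3a/example.com/EXAMPLE.COM are assumptions.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@EXAMPLE.COM

Valid starting     Expires            Service principal
05/29/07 11:04:53  05/29/07 21:04:53  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 05/30/07 11:04:53
05/29/07 11:05:09  05/29/07 21:04:53  host/exchgc01a.example.com@EXAMPLE.COM
        renew until 05/30/07 11:04:53
05/29/07 11:05:09  05/29/07 11:07:09  kadmin/dc3a.example.com@EXAMPLE.COM
        renew until 05/29/07 11:07:09'

# Lower-case a string (Solaris /bin/sh has no ${var,,}).
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Return 0 if the short host name is one of ALLOWED_DCS, case-insensitively.
is_allowed_dc() {
    _host=$(lc "$1")
    for _dc in $ALLOWED_DCS; do
        [ "$(lc "$_dc")" = "$_host" ] && return 0
    done
    return 1
}

# Print each service principal from a klist listing whose host part is not an
# allowed DC. Ticket lines start with a date; "renew until" lines do not.
# krbtgt entries are skipped because the TGT names the realm, not a host.
unexpected_dcs() {
    printf '%s\n' "$1" |
    awk '/^[0-9]+\/[0-9]+\/[0-9]+ / { print $5 }' |
    grep -v '^krbtgt/' |
    while IFS= read -r princ; do
        # service/host.domain@REALM -> host   (also handles HOST$@REALM)
        hostpart=${princ#*/}
        hostpart=${hostpart%%@*}
        short=${hostpart%%.*}
        short=$(printf '%s' "$short" | sed 's/\$$//')
        is_allowed_dc "$short" || printf '%s\n' "$princ"
    done
}

# smb.conf line restricting Samba to the expected DCs (multiple names allowed).
password_server_line() {
    printf 'password server = %s\n' "$ALLOWED_DCS"
}

# Stand-alone run: report unexpected DCs from the sample and the config line.
unexpected_dcs "$SAMPLE_KLIST"
password_server_line
```

On the real box, replace the constructed sample with the live cache, e.g. `unexpected_dcs "$(klist)"`; any line it prints names a ticket obtained from a server outside the expected set, which is exactly the symptom described in the post.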