D G Teed wrote:
> Thanks very much, Douglas.  That did the trick.
> I had not understood what realm represented in a DNS
> style domain.
> 
> It is also confusing that one lists a realm section,
> defining it...
> 
> BEER = {
>    kdc = ADC1.AD.BEERU.CA
> }

Sorry, missed that one too.  Should be
AD.BEERU.CA = {
        kdc = ADC1.AD.BEERU.CA
}

It's just that Kerberos doesn't know anything about workgroups in
Windows and so there shouldn't be any workgroup names in krb5.conf,
only DNS names and REALM names.  It worked because Samba picked up the
Kerberos kdc from SRV records in DNS.  BEER defines the .BEER realm
which doesn't exist.


> 
> But then when providing the realm name in smb.conf, the
> handle isn't BEER, but rather the subdomain in
> which the AD controller lives.
> 
> Regards,
> 
> --Donald
> 
> On Jan 30, 2008 3:37 PM, Douglas VanLeuven <[EMAIL PROTECTED]> wrote:
>> Douglas VanLeuven wrote:
>>> D G Teed wrote:
>>>> I've been able to use security = ads in smb.conf, and connect OK,
>>>> but it must be falling back to domain.  When I run net ads join
>>>> I get the error (debug trace below):
>>>>
>>>> ads_connect: No logon servers
>>>>
>>>> Here is my krb5.conf:
>>>>
>>>> [logging]
>>>>  default = FILE:/var/log/krb5libs.log
>>>>  kdc = FILE:/var/log/krb5kdc.log
>>>>  admin_server = FILE:/var/log/kadmind.log
>>>> [libdefaults]
>>>>  default_realm = BEER
>>>> [realms]
>>>>  BEER = {
>>>>   kdc = ADC1.AD.BEERU.CA
>>>>  }
>> Missed this on the last post.
>>   default_realm = AD.BEERU.CA
>>
>> Doug
>>

Regards, Doug
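
Added example, not part of the thread: a small Python lint for the mistake discussed above, a workgroup-style short name used as the Kerberos realm in krb5.conf. The function names `parse_krb5` and `lint` are hypothetical, and the checks are heuristics that assume an Active Directory realm, where the realm is the uppercase DNS domain name.

```python
# Constructed samples: the krb5.conf from the thread and its corrected form.
BROKEN = """[libdefaults]
 default_realm = BEER
[realms]
 BEER = {
  kdc = ADC1.AD.BEERU.CA
 }
"""
FIXED = """[libdefaults]
 default_realm = AD.BEERU.CA
[realms]
 AD.BEERU.CA = {
  kdc = ADC1.AD.BEERU.CA
 }
"""

def parse_krb5(text):
    """Return (default_realm, {realm: [kdc, ...]}) from krb5.conf text."""
    section, realm, default, realms = None, None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("["):
            section, realm = line.strip("[]").lower(), None
        elif line == "}":
            realm = None                  # end of a realm block
        elif "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            if section == "libdefaults" and key == "default_realm":
                default = val
            elif section == "realms" and val == "{":
                realm = key
                realms[realm] = []
            elif section == "realms" and realm and key == "kdc":
                realms[realm].append(val)
    return default, realms

def lint(text):
    """Heuristic checks (assumed AD setup): realm is DNS-style and holds its KDCs."""
    default, realms = parse_krb5(text)
    problems = []
    if default not in realms:
        problems.append(f"default_realm {default} has no [realms] entry")
    for name, kdcs in realms.items():
        if "." not in name:
            problems.append(f"realm {name} is a short name, not a DNS-style realm")
        for kdc in kdcs:
            if not kdc.split(":")[0].upper().endswith("." + name.upper()):
                problems.append(f"kdc {kdc} is outside realm {name}")
    return problems
```

`lint(BROKEN)` reports both the short realm name and the KDC that does not belong to it; `lint(FIXED)` returns an empty list.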