I've just built Samba 3.2.4 on Solaris 10, with ADS support. Domain join
to a Windows 2008 domain works perfectly, having pre-created the
servername in the appropriate OU.
In my winbind logs, I see the following (domain name obfuscated):
[2008/11/05 11:28:06, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(839)
got [EMAIL PROTECTED]
[2008/11/05 11:28:06, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(880)
cli_session_setup_spnego: got a bad server principal, trying to guess
...
[2008/11/05 11:28:06, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(908)
cli_session_setup_spnego: guessed server [EMAIL PROTECTED]
[2008/11/05 11:28:06, 2]
libsmb/cliconnect.c:cli_session_setup_kerberos(619)
Doing kerberos session setup
[2008/11/05 11:28:06, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot
resolve network address for KDC in requested realm)
[2008/11/05 11:28:06, 1]
libsmb/cliconnect.c:cli_session_setup_kerberos(626)
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
resolve network address for KDC in requested realm
The realm is guessed wrongly - only the short name of the domain, rather
than the fully qualified realm name, as specified in krb5.conf.
My AD full name is foo.bar.com, short name FOO. My question is - when
guessing the principal for the target DC, why does Samba guess 'FOO',
rather than 'FOO.BAR.COM'? I have a Linux machine joined to the same
domain running 3.0.28 which correctly guesses the realm.
[2008/11/05 08:48:44, 3] libsmb/cliconnect.c:cli_session_setup_spnego(828)
got [EMAIL PROTECTED]
[2008/11/05 08:48:44, 3] libsmb/cliconnect.c:cli_session_setup_spnego(880)
cli_session_setup_spnego: got a bad server principal, trying to guess
...
[2008/11/05 08:48:44, 3] libsmb/cliconnect.c:cli_session_setup_spnego(903)
cli_session_setup_spnego: guessed server
[EMAIL PROTECTED]
Relevant pieces from smb.conf:
realm = FOO.BAR.COM
workgroup = FOO
winbind separator = +
winbind use default domain = yes
idmap backend = ad
winbind nss info = rfc2307
use kerberos keytab = yes
client lanman auth = no
client ntlmv2 auth = yes
idmap uid = 10000-15000
idmap gid = 5000-6000
winbind refresh tickets = yes
As far as I can tell, name resolution etc. is correct on both machines.
Net ads status returns proper (fqdn) names, and klist -k shows fully
qualified principals populated into the keytab file by net ads join. I
should add that wbinfo -u returns the correct users, as does getent passwd
(with uids, gids, etc. as expected). My concern is that because Kerberos
negotiation is apprently failing, winbind is failing back to ntlm methods
of authentication, which I'd rather avoid. If the error message I'm seeing
is benign and I should ignore, let me know.
Cheers,
Paul
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
