Re: [Samba] Questions regarding ADS

2005-07-06 Thread Gerald (Jerry) Carter


[EMAIL PROTECTED] wrote:
| I've spent the last week troubleshooting a configuration issue regarding
| samba not being able to connect to other domains besides the domain of
| which it's a member server (samba 3.0.14a, krb 1.3.6, w2k).
|
| I have some doubts perhaps someone can answer...
|
| Suppose this scenario:
|
| Samba name : SAMBA
| Main domain: DOMAINA (domain controller = DCA)
| Other domains : DOMAINB, DOMAINC (domain controllers DCB and DCC)
|
|
| 1) When samba tries to connect via kerberos to other
| domains, which principal is it supposed to use? I'd think
| it is [EMAIL PROTECTED] What I see is that it first connects
| via LDAP using this machine account but then tries to connect
| via kerberos with [EMAIL PROTECTED] or [EMAIL PROTECTED] Is this
| correct, or am I not understanding the logfiles correctly?

It should be obtaining a service for [EMAIL PROTECTED]  That's
probably what you are seeing.

| 2) Is wbinfo --set-auth-user still needed? I'm not using
| it because I read somewhere that with 3.0+ it is not needed
| anymore.

Generally it is not needed.  Certainly not when all the
domains are AD and the Samba host is configured with
'security = ads'.

| 3) My krb5.conf doesn't contain any references to
| servers. All it contains is dns_lookup_realm=true,
| dns_lookup_kdc=true and default_realm=X. Do I
| need anything specific, or can current krb5 obtain everything
| it needs from DNS?

DNS is fine.  That's how I run.  Make sure that the appropriate
SRV records are in DNS though.

| 4) Do I need to do the ktpass thing at the windows DC?

Nope.  It is all handled by the AD trusts.

Hope this helps.

cheers, jerry
=
Alleviating the pain of Windows(tm)  --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back." -- Ethan Hawke in Gattaca
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
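Jerry's answer to question 3 ("DNS is fine ... make sure the appropriate SRV records are in DNS") is easy to verify before touching smb.conf or krb5.conf. The script below is an added example, not code from the thread or from the Samba project: it lists the SRV names an MIT krb5 client with dns_lookup_kdc = true and a Samba 'security = ads' member resolve for a realm, and queries each one with dig from BIND. The realm names DOMAINA.EXAMPLE and DOMAINB.EXAMPLE used in the usage line are placeholders standing in for the poster's DOMAINA/DOMAINB.

```shell
#!/bin/sh
# Added example, not part of the thread or of Samba: list the DNS SRV records
# that an MIT krb5 client running with dns_lookup_kdc = true (and a Samba
# 'security = ads' member) needs to resolve for a realm, and optionally query
# them with dig. Realm names passed in are placeholders chosen by the caller.

# Print, one per line, the SRV names to check for the realm given as $1.
# AD realms are the DNS domain in upper case; DNS names are case-insensitive,
# so the realm is lower-cased for readability.
ads_srv_names() {
    realm=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    # What MIT krb5 looks up to find a KDC / kpasswd server for the realm
    printf '_kerberos._udp.%s\n' "$realm"
    printf '_kerberos._tcp.%s\n' "$realm"
    printf '_kpasswd._udp.%s\n' "$realm"
    printf '_kpasswd._tcp.%s\n' "$realm"
    # What AD domain controllers register and domain members use to find a DC
    printf '_ldap._tcp.%s\n' "$realm"
    printf '_ldap._tcp.dc._msdcs.%s\n' "$realm"
    printf '_kerberos._tcp.dc._msdcs.%s\n' "$realm"
}

# Query every name from ads_srv_names with dig. Prints OK/MISSING per record
# and returns the number of missing records (0 means all were found).
check_ads_srv() {
    command -v dig >/dev/null 2>&1 || { echo "dig not found" >&2; return 1; }
    missing=0
    for name in $(ads_srv_names "$1"); do
        answer=$(dig +short SRV "$name" 2>/dev/null | head -n 1)
        if [ -n "$answer" ]; then
            printf 'OK      %-45s %s\n' "$name" "$answer"
        else
            printf 'MISSING %s\n' "$name"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Usage: sh srvcheck.sh DOMAINA.EXAMPLE [DOMAINB.EXAMPLE ...]
# Every realm Samba must reach (its own and each trusted one) should pass.
for realm in "$@"; do
    check_ads_srv "$realm" || echo "$realm: $? record(s) missing" >&2
done
```

Run it once per realm the member server has to talk to, not only its own: winbind resolves a DC for each trusted domain separately, so a missing _ldap._tcp.dc._msdcs record in DOMAINB breaks only the DOMAINB connection while DOMAINA keeps working. Note that dns_lookup_realm relies on _kerberos TXT records, which Active Directory does not register; with AD the realm normally comes from default_realm or a [domain_realm] mapping, and dns_lookup_kdc is the setting that actually removes the need for kdc = lines.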


Re: [Samba] Questions regarding ADS

2005-07-06 Thread [EMAIL PROTECTED]
Thanks Jerry, that's very useful information.

The particular problem I am facing is that when samba tries to connect to
another domain, kerberos can't find the principal, as in this example:

libads/sasl.c:ads_sasl_spnego_bind(211)
  ads_sasl_spnego_bind: got server principal name
[EMAIL PROTECTED]


libsmb/clikrb5.c:ads_krb5_mk_req(389)
  ads_krb5_mk_req: krb5_get_credentials failed for
[EMAIL PROTECTED] (Server not found in Kerberos database)


nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain SIDERAR failed: Server not found in Kerberos
database

What I understand is that the principal sarswdc3$ doesn't exist. If I try
to kinit [EMAIL PROTECTED] it consequently fails. The thing I
don't understand is why, if I kinit [EMAIL PROTECTED] (note the
absence of the dollar sign), it finds it (I mean, it prompts for a
password).

Any ideas I can try or anything further I can watch? 

Best regards, 

Martin 

-- 
Martin arpon


Original Message:
-
From: Gerald (Jerry) Carter [EMAIL PROTECTED]
Date: Wed, 06 Jul 2005 08:07:38 -0500
To: [EMAIL PROTECTED], samba@lists.samba.org
Subject: Re: [Samba] Questions regarding ADS



mail2web - Check your email from the web at
http://mail2web.com/ .


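The log excerpt above already carries the two facts needed to triage the failure: the service principal the ticket request was for (ads_sasl_spnego_bind reports it, ads_krb5_mk_req fails on it) and the KDC's error text. "Server not found in Kerberos database" is the KDC's KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: the KDC that answered has no principal with the requested name, so the next checks are whether that SPN exists on the target domain's DC account and whether the request reached that domain's KDC rather than the member's own. The script below is an added example, not the poster's code or Samba's; it pulls principal and error out of log lines in the Samba 3 format (a "[timestamp, level] file:function(line)" header followed by an indented message, one message per line in the file even though the post wrapped them) and prints what to check first. The SAMPLE_LOG entries, host names and realms are constructed for this example and are not the poster's real ones.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: extract the failing
# service principal and the Kerberos error from winbind/smbd log output and
# map the error to the first thing to check. SAMPLE_LOG is constructed; the
# DC names and realms in it are placeholders.

SAMPLE_LOG='[2005/07/06 10:15:02, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
  ads_sasl_spnego_bind: got server principal name ldap/dcb.domainb.example@DOMAINB.EXAMPLE
[2005/07/06 10:15:02, 1] libsmb/clikrb5.c:ads_krb5_mk_req(389)
  ads_krb5_mk_req: krb5_get_credentials failed for ldap/dcb.domainb.example@DOMAINB.EXAMPLE (Server not found in Kerberos database)
[2005/07/06 10:15:02, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain DOMAINB failed: Server not found in Kerberos database
[2005/07/06 10:15:09, 1] libsmb/clikrb5.c:ads_krb5_mk_req(389)
  ads_krb5_mk_req: krb5_get_credentials failed for ldap/dcc.domainc.example@DOMAINC.EXAMPLE (Clock skew too great)'

# Read log lines on stdin; print "PRINCIPAL<TAB>ERROR" for every
# krb5_get_credentials failure (the service-ticket request Samba makes
# before its SASL/GSSAPI bind to a DC).
krb5_failures() {
    awk '
        /krb5_get_credentials failed for / {
            sub(/^.*krb5_get_credentials failed for /, "")
            principal = $1            # first word after "failed for"
            error = $0
            sub(/^[^(]*\(/, "", error)  # drop everything up to the "("
            sub(/\)[[:space:]]*$/, "", error)  # and the closing ")"
            print principal "\t" error
        }'
}

# Map the KDC/library error text to the check a practitioner does first.
krb5_hint() {
    case "$1" in
        "Server not found in Kerberos database")
            echo "the KDC that answered has no principal with this SPN: confirm the SPN is registered on the target DC account in that domain (setspn) and that the request went to that realm's KDC, not the local one" ;;
        "Clock skew too great")
            echo "time difference with the KDC exceeds the allowed skew (5 minutes by default): sync the clock with the DC" ;;
        "Cannot find KDC for "*)
            echo "no KDC could be located for the realm: check _kerberos._udp/_tcp SRV records or the [realms] section of krb5.conf" ;;
        *)
            echo "unclassified; reproduce with kinit then kvno for the same principal" ;;
    esac
}

# Print one triage entry per failure found on stdin.
triage() {
    krb5_failures | while IFS="$(printf '\t')" read -r principal error; do
        printf '%s\n  error: %s\n  check: %s\n' "$principal" "$error" "$(krb5_hint "$error")"
    done
}

# Usage: grep -h ads_krb5_mk_req /var/log/samba/log.winbindd | triage
# The constructed sample is run here so the script does something stand-alone.
printf '%s\n' "$SAMPLE_LOG" | triage
```

The same request can be reproduced outside Samba: kinit with the machine account (or any account in the member's domain), then run kvno on the principal printed by the script. If kvno succeeds for ldap/dcb.domainb.example@DOMAINB.EXAMPLE the SPN and the cross-realm path are fine and the problem is inside Samba's configuration; if kvno fails with the same error, the SPN or the realm routing is the problem, and the "$" question in the post is a red herring for this particular failure, since the principal being looked up is the DC's service principal, not the member's machine account.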


[Samba] Questions regarding ADS

2005-07-04 Thread [EMAIL PROTECTED]
I've spent the last week troubleshooting a configuration issue regarding
samba not being able to connect to other domains besides the domain of which
it's a member server (samba 3.0.14a, krb 1.3.6, w2k).

I have some doubts perhaps someone can answer...

Suppose this scenario: 

Samba name : SAMBA
Main domain: DOMAINA (domain controller = DCA)
Other domains : DOMAINB, DOMAINC (domain controllers DCB and DCC)


1) When samba tries to connect via kerberos to other domains, which
principal is it supposed to use? I'd think it is [EMAIL PROTECTED] What I see
is that it first connects via LDAP using this machine account but then
tries to connect via kerberos with [EMAIL PROTECTED] or [EMAIL PROTECTED] Is
this correct, or am I not understanding the logfiles correctly?

2) Is wbinfo --set-auth-user still needed? I'm not using it because I read
somewhere that with 3.0+ it is not needed anymore.

3) My krb5.conf doesn't contain any references to servers. All it contains
is dns_lookup_realm=true, dns_lookup_kdc=true and default_realm=X. Do I
need anything specific, or can current krb5 obtain everything it needs from
DNS?

4) Do I need to do the ktpass thing at the windows DC? The documentation
doesn't say I should, but I keep reading web examples of importing the
data into the keytab.

Thanks. I've already posted my log files some days ago trying to find some
specific help, but probably my post was unnecessarily complicated. Perhaps
if anyone can answer these more generic questions I can advance a step in
the resolution of the problem.

Regards, 

Martin 

