After net ads join, kinit fails: Client not found...

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

After net ads join, kinit fails: Client not found...

P V-2
 I'm installing Samba with Security ADS (compiled
--with-winbind --with-ads --with-ldap --with-krb5) on
Solaris 8, for connect with ActiveDirectory W2K.
  First, I created in AD Windows an account with the
same name that my solaris host and generated the
keytab with this:
C:\temp>ktpass princ host/[hidden email]
mapuser mysolarishost -pass ad_user_pwd out
file.keytab
  And add the file to /etc/krb5/krb5.keytab with
kerberos/sbin/ktutil
  I ran kinit host/[hidden email], and it
asked me for a password (ad_usr_pwd) and all right.
  Then I ran net ads join -U Administrator.
  It asked for password and sent:
Using short domain name -- DOMAINNETBIOS
Joined 'MYSOLARISHOST' to realm 'DOMAIN.COM.MX'

  After this, I ran SMB daemons. In log.smbd I get:
[2005/08/16 19:12:48, 0] smbd/server.c:main(802)
  smbd version 3.0.20rc1 started.
  Copyright Andrew Tridgell and the Samba Team
1992-2004
[2005/08/16 19:12:48, 0]
libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password
host/[hidden email] failed: Client not
found in Kerberos database

   If I run kinit host/[hidden email], I
get this message:
kinit(v5): Client not found in Kerberos database while
getting initial credentials

   So, the problem is when a run net ads join. After
that the authentication with AD W2K is broken. If I
delete the computer account in AD W2K, the kinit
command works again.

   Any idea?
 
Here my configuration files:
smb.conf:
 [global]
    workgroup = DOMAINNETBIOS
    netbios name = mysolarishost
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    security = ads
    realm = DOMAIN.COM.MX
    password server = adw2kserver.domain.com.mx
----------------------------------------------

krb5.conf:
[libdefaults]
        ticket_lifetime = 24000
        default_realm = DOMAIN.COM.MX
        default_tgs_enctypes = des-cbc-crc des-cbc-md5
        default_tkt_enctypes = des-cbc-crc des-cbc-md5
[realms]
       DOMAIN.COM.MX = {
                kdc = adw2kserver.domain.com.mx
                kdc = otherADw2kserver.domain.com.mx
                admin_server =
ad2kserver.domain.com.mx
                default_domain = domain.com.mx
        }
[domain_realm]
        domain.com.mx = DOMAIN.COM.MX
        .domainnetbios = DOMAIN.COM.MX
        domainnetbios = DOMAIN.COM.MX
-----------------------------------------------

nsswitch:
passwd:     files winbind
group:      files winbind
hosts:      files wins
shadow:     files winbind


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com 
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos