testjoin happy but kerberos broken




Hi there

I've got a problem CentOS-4.9 Samba server that we have never been able
to join to an existing Win2K3/Win2K8 AD domain correctly. We have before
and since installed Samba successfully on other sites btw. We actually
have 55+ CentOS-4.9 Samba servers world-wide with identical configs -
there's something about this one.

Anyway, "net ads join -Uadmininstrator...." works mostly - but we
continually get

Using short domain name -- DOM
Joined 'HOST-01' to realm 'dom.ain'
[2012/04/14 05:04:15.150928,  0] libads/kerberos.c:333(ads_kinit_password)
  kerberos_kinit_password HOST-01$@DOM.AIN failed: Preauthentication failed

You can see Samba says it joined - but it's followed by this kerberos
error. No errors show up in the eventlogs of the DCs (but I do see the
login event), "net ads testjoin" says OK - but no-one can connect to the
shares. Even "wbinfo -u" is weird - it shows the users from *some* of
the trusted domains - but none from the domain the server is a member
of!!! To confirm: "id dom\user" returns "no such user" for any valid
username in the domain that it is a member of. I can kinit user@DOM just
fine and can connect to Windows servers - but I get a kerberos error
when attempting to connect to this Samba server - and as expected it's
unhappy because it can't find the user

I have tried this with several 3.5 releases - including 3.5.14, and have
tried it with 3.6.X too - nothing seems to work. I have used "-S" to
join the domain via DCs in other sites (in case there was some issue
with the local DC) - but it should go without saying that no Windows
client is having any issues - it's just Samba

Any ideas where to look next? The local DC isn't a RODC either (although
it used to be - I forced the Windows guys to upgrade it to a full DC in
an attempt to fix this problem - didn't help)

Thanks!

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
