I can't connect workstation to samba DC configured on Orion platform
(armel arch) with installed Debian Stretch (packages are fully updated to newest avaliable versions).
net ads join -U administrator -d10 lead me to error:
kerberos_kinit_password: as administrator@AD.ROWEROWANORKA.PL using
[MEMORY:libnet_join_user_creds] as ccache and config
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gss_init_sec_context failed with [ Miscellaneous failure (see text):
Server (ldap/dc1.ad.rowerowanorka.pl@AD.ROWEROWANORKA.PL) unknown]
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed:
Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
Wiresharked Kerberos transmission gave me another level of debug:
AS-REQ: cname: KRB5-NT-PRINCIPAL: administrator, REAL:
AD.ROWEROWANORKA.PL sname: KRB5-NT-SRV_INST krbtgt, AD.ROWEROWANORKA.PL
AS-REP: NT Status: Unknown error code 0x522e4441
TGS-REQ for KRB5-NT-PRINCIPAL: ldap dc1.ad.rowerowanorka.pl
KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
What I checked:
- clean samba tdb,ldb files and smb.conf/krb5.conf according to
samba.org manual for preparing to install DC. Promote DC controller again. Problem with connect
workstation to samba DC on armel arch persists.
- I installed samba DC on amd64 architecture and successfully connect workstation
Andrew, any idea?
Can the TS post the configs of both server also.
There are some additional infos at: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918432#27 (including a network capture).
> When I analyzing Wireshark dump I found something strange. Kerberos
> "NT Status Error" is a part of string "AD.ROWEROWANORKA.PL" what is
> Kerberos REALM name.