When trying to join a 3.6.0rc1 Samba to a Win2k8r2 AD DC using an existing Kerberos ticket, net fails to pick up the user's Kerberos credentials. The following related settings and commands reproduce this for me reliably:

krb5.conf:

    [libdefaults]
        default_realm = DEMO.HOME.KBLIN.ORG

smb.conf:

    [global]
        realm = DEMO.HOME.KBLIN.ORG
        workgroup = DEMO
        security = ADS
        idmap config * : backend = tdb

As root, I ran:

    # export KRB5CCNAME=/tmp/ticket
    # kinit Administrator
    <enter password>
    # net ads join -k
    Failed to join domain: failed to lookup DC info for domain 'DEMO.HOME.KBLIN.ORG' over rpc: Logon failure

Looking at the attached debuglevel 10 log, it seems like the client just tries to negotiate NTLMSSP as "root", instead of using the "Administrator" Kerberos ticket.

Joining using net ads join -Uadministrator%password works just fine.
Important to fix, but not (IMHO) a blocker :-). Jeremy.
Fair enough. gd asked me to file a block bug. :) Let's try to get it fixed, then this distinction doesn't matter.
Created attachment 6461
net ads join -k -d10 output

Hm, somehow the attachment didn't work on the first try. Here it is again.
Created attachment 6466
git-am fix for 3.6.0

Allow us to use a fallback when the krb5.conf can't map dns names to realms.

Jeremy.
Comment on attachment 6466
git-am fix for 3.6.0

Fixes the realm lookup for me.
Reassigning to Karolin.
Pushed to v3-6-test. Closing out bug report. Thanks!
This needs to be in v3-5-test as well. Patch was fully acked and the patch can be easily cherrypicked. Karolin, please add to 3.5.x.
(In reply to comment #8)
> This needs to be in v3-5-test as well.
>
> Patch was fully acked and the patch can be easily cherrypicked.
>
> Karolin, please add to 3.5.x.

Pushed to v3-5-test also. Closing out bug report. Thanks!