Created attachment 7630
I've tried various versions of realm/kdc being true/false.

I have been having issues getting Kerberos tickets for users stored in a keytab file. This issue only occurs when Samba4 is joined to a Windows Server 2008 R2 domain. If the server is provisioned normally, or joined to a Windows 2003 R2 domain, this problem does not occur. I've also tried a normal provision and then raised the domain and forest to a 2008R2 level, and that does not cause the issue either.

Below is a list of information and steps I used to reproduce the issue.

Linux Server OS: Ubuntu 12.04
Samba Versions: Alpha 17, Alpha 21, and GIT 01106230ddc8da90e2ff2667dd3702e3c110f720 from Monday, June 4, 2012
Windows Version: Windows Server 2008 R2
Domain and Forest Level: 2008R2
Domain Name: testdom.lan
Short Name: testdom
Windows Server: 10.0.5.1 winsvr
Linux Server: 10.0.5.2 ubuntu

Steps to reproduce:
1) Install Windows Server 2008R2, and provision a new domain with a 2008R2 forest and domain level.
2) Install Samba4 on a Linux server, using one of the versions listed above.
3) Set up /etc/resolv.conf to point to the Windows server. Configure hosts so the Ubuntu server has a properly configured FQDN.
4) Configure /etc/krb5.conf according to https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
5) Join Samba to the Windows domain using: bin/samba-tool domain join testdom.lan DC -Uadministrator --realm=testdom.lan
6) Run KCC on the Windows server: bin/samba-tool drs kcc -UAdministrator winsvr
7) Check replication with: bin/samba-tool drs showrepl
8) Create a user to authenticate. I'm going to use the DNS update user in this example: bin/samba-tool user create dns-ubuntu Dnspw123
9) Create the secrets ldif file (see below), and import it with: bin/ldbadd -H private/secrets.ldb /tmp/secret.ldiff
10) Run kinit dns-ubuntu to make sure the user was created and can be authenticated.
11) Try getting a Kerberos ticket using the keytab created by adding an entry to the secrets.ldb file: kinit -k -t private/dns.keytab dns-ubuntu

At this point, kinit gives the error "kinit: Preauthentication failed while getting initial credentials". If I had used a Windows 2008 server for this process, this command succeeds. If I were to export the domain keytab with samba-tool domain exportkeytab, I can authenticate the dns-ubuntu user.

This seems to be a pretty consistent and repeatable behavior. I've tried it with many small configuration tweaks, multiple Windows servers, etc. Below are some of the files I used. This seems to be the only issue; replication is working, computers can join the domain, users can authenticate, DNS updates work, etc.
Created attachment 7631
This is the file I used to add the dns-ubuntu entry to the secrets.ldb file.
Created attachment 7632
smb.conf file for the test provision. I didn't make any manual edits to this file.