On 8 March 2017 at 14:59, Sumit Bose <sbose(a)redhat.com> wrote:
> On Wed, Mar 08, 2017 at 02:09:09PM +0000, John Beranek wrote:
>> On 8 March 2017 at 13:40, Mote, Todd <moter(a)austin.utexas.edu> wrote:
>> > Does on my rhel 6 boxes. I'm not in front of a computer at the moment,
but
>> > there is a log where you can see it. Sssd_domain.log I think. I'll
look
>> > when I get to work and let you know. Might search the list archive too
I'm
>> > pretty sure I asked about it when adcli was still in the .7’s.
>>
>> Hmm, just reading a list thread from September 2016 where it's
>> suggested that adcli doesn't get on well with Samba,entitled "samba
>> 4.2.11, 4.2.14 and sssd?"
http://bit.ly/2n60x4r
>>
>> I wonder if having adcli installed, but using "net ads join" to join
>> the domain is still troublesome...
>
> Maybe adcli does not lead to the expected result because you use
> 'kerberos method = secrets and keytab'. adcli can only update the keytab
> but not the host password stored in Samba's secrets.tdb. So chances are
> that even if the keys in the keytab are updated Samba will still use the
> old one from secrets.tdb. Have you tried to use 'kerberos method =
> system keytab'?
Thanks Sumit, no change with just the config change, would I need to
clear out the Samba database after the change?
Getting the following, which may answer that question:
[2017/03/08 16:04:56.947025, 0] libads/kerberos_util.c:101(ads_kinit_password)
kerberos_kinit_password SERVER$(a)EXAMPLE.COM failed: Preauthentication failed
[2017/03/08 16:04:56.947192, 3]
printing/nt_printing_ads.c:639(check_published_printers)
ads_connect failed: Preauthentication failed
John
--
John Beranek To generalise is to be an idiot.