<div dir="ltr"><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Apr 19, 2013 at 11:27 AM, Sumit Bose <span dir="ltr"><<a href="mailto:sbose@redhat.com" target="_blank">sbose@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="im">On Fri, Apr 19, 2013 at 11:03:02AM +0200, Natxo Asenjo wrote:<br>
> hi,<br>
><br>
> while following the instructions in<br>
> <a href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html" target="_blank">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html</a><br>

><br>
> I run step 9:<br>
><br>
> smbclient -L kdc.ipa.asenjo.nx -k<br>
> lp_load_ex: changing to config backend registry<br>
> Connection to kdc.ipa.asenjo.nx failed (Error NT_STATUS_CONNECTION_REFUSED)<br>
><br>
> I have a valid ticket:<br>
><br>
> # klist<br>
> Ticket cache: FILE:/tmp/krb5cc_0<br>
> Default principal: admin@IPA.ASENJO.NX<br>
><br>
> Valid starting     Expires            Service principal<br>
> 04/19/13 08:46:48  04/20/13 08:46:48  krbtgt/IPA.ASENJO.NX@IPA.ASENJO.NX<br>
> 04/19/13 08:56:59  04/20/13 08:46:48  HTTP/kdc.ipa.asenjo.nx@IPA.ASENJO.NX<br>
<br>
</div>did ipa-adtrust-install finished successfully?<br>
<br></blockquote><div> </div><div>yes<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Can you check if there is a cifs service:<br>
<br>
$ ipa service show cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX<br></blockquote><div><br> # ipa service-show cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX<br>  Principal: cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX<br>  Keytab: True<br>  Managed by: kdc.ipa.asenjo.nx</div>
<div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
the output should show 'Keytab: True'<br>
<br></blockquote><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Then please check if samba knows about the keytab and it's content.<br>
<br>
$ net conf list<br>
<br>
should contain 'kerberos method = dedicated keytab' and<br>
'dedicated keytab file = FILE:/etc/samba/samba.keytab'<br>
<br></blockquote><div><br># net conf list | grep keytab<br>    kerberos method = dedicated keytab<br>    dedicated keytab file = FILE:/etc/samba/samba.keytab<br><br> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">

$ klist -ekt /etc/samba/samba.keytab<br>
<br>
should show entries with different encryption types.<br>
Next please try to get a ticket for this service:<br>
<br>
$ kvno cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX<br>
<br></blockquote><div><br> # kvno cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX<br>cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX: kvno = 1<br>[root@kdc ~]# klist <br>Ticket cache: FILE:/tmp/krb5cc_0<br>Default principal: admin@IPA.ASENJO.NX<br>
<br>Valid starting     Expires            Service principal<br>04/19/13 08:46:48  04/20/13 08:46:48  krbtgt/IPA.ASENJO.NX@IPA.ASENJO.NX<br>04/19/13 08:56:59  04/20/13 08:46:48  HTTP/kdc.ipa.asenjo.nx@IPA.ASENJO.NX<br>04/19/13 11:33:19  04/20/13 08:46:48  cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX<br>
<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
klist should now list the ticket. Please try the smbclient command<br>
agains.<br></blockquote><div><br># smbclient -L kdc.ipa.asenjo.nx -k<br>lp_load_ex: changing to config backend registry<br>Connection to kdc.ipa.asenjo.nx failed (Error NT_STATUS_CONNECTION_REFUSED)<br> </div><br></div><div class="gmail_quote">
Thanks,<br><br>-- <br></div><div class="gmail_quote">groet,<br>natxo<br></div><br></div></div>