Hi Roger,
They did differ in one line:
[domain_realm]
    .ramse.ramboll-group.global.network = RAMSE.RAMBOLL-GROUP.GLOBAL.NETWORK
    .ramboll.ramboll-group.global.network = RAMBOLL.RAMBOLL-GROUP.GLOBAL.NETWORK
The working samba had the line that starts with .ramse. The non-working did not. .ramse is an old domain. It is now .ramboll.
I added that line to the new server (and restarted smb and nmb) but it made no difference.
No, this difference couldn't be the reason for your problem.
What about the lines for encryption types?
What about the [libdefaults] section?
Can you post them, please?

As someone else wrote, there are differences (and not only a few) between the two samba and the two kerberos versions on your different systems.

A very simple krb5.conf for two different AD *forests* may look like this:

------------------------< snip snip snip >-----------------------------
[logging]
    default = FILE:/var/log/krb5/libs.log
    kdc = FILE:/var/log/krb5/kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log

[libdefaults]
    default_realm = DOMAIN1.DE
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    DOMAIN1.DE = {
        kdc = dc1.domain1.de
        kdc = dc2.domain1.de
        admin_server = dc1.domain1.de
        default_domain = domain1.de
    }
    DOMAIN2.DE = {
        kdc = dc1.domain2.de
        kdc = dc2.domain2.de
        admin_server = dc1.domain2.de
        default_domain = domain2.de
    }

[domain_realm]
    .domain1.de = DOMAIN1.DE
    domain1.de = DOMAIN1.DE
    .domain2.de = DOMAIN2.DE
    domain2.de = DOMAIN2.DE
------------------------< snip snip snip >-----------------------------

This works perfectly here with the latest samba and kerberos versions for openSuSE Leap 42.2 and Tumbleweed against an AD with forest and domain functional level set to "Windows Server 2012 R2".
I see that there is a reference to a couple of log files:
[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON
These files do not exist. The /var/log/krb5 directory is empty.
They are not used for samba's purpose, only if you use a native Kerberos server.

What happens if you run "kinit <someuser>"?
Do you get a password prompt?
And if you enter the password, do you get a ticket (klist)?

Bye.
Michael.
-- 
Michael Hirmke
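
Added example, not part of the original message: a section-aware comparison of two krb5.conf files, which reports every differing setting (including [libdefaults] and encryption-type lines) rather than relying on a line-by-line diff. The two sample configs are constructed for illustration and reuse the placeholder realm names from the message above.

```python
import re

def parse_krb5(text):
    """Flatten krb5.conf text into {(section, subsection, key): [values]}."""
    out, section, sub = {}, "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                   # new [section]
            section, sub = m.group(1), ""
            continue
        if line == "}":                         # end of a realm block
            sub = ""
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":                        # start of a realm block
            sub = key
            continue
        out.setdefault((section, sub, key), []).append(value)
    return out

def diff_krb5(a, b):
    """Return sorted (key, values_in_a, values_in_b) for every differing setting."""
    pa, pb = parse_krb5(a), parse_krb5(b)
    return sorted((k, pa.get(k), pb.get(k))
                  for k in pa.keys() | pb.keys() if pa.get(k) != pb.get(k))

# Constructed sample configs (not taken from the systems in this thread).
WORKING = """
[libdefaults]
    default_realm = DOMAIN1.DE
    dns_lookup_kdc = true
[realms]
    DOMAIN1.DE = {
        kdc = dc1.domain1.de
        kdc = dc2.domain1.de
    }
[domain_realm]
    .domain1.de = DOMAIN1.DE
    .domain2.de = DOMAIN2.DE
"""
OTHER = WORKING.replace("dns_lookup_kdc = true",
                        "dns_lookup_kdc = false\n    default_tkt_enctypes = rc4-hmac")
OTHER = OTHER.replace("        kdc = dc2.domain1.de\n", "")
OTHER = OTHER.replace("    .domain2.de = DOMAIN2.DE\n", "")

if __name__ == "__main__":
    for (section, sub, key), left, right in diff_krb5(WORKING, OTHER):
        print(f"[{section}] {sub + ' ' if sub else ''}{key}: {left} -> {right}")
```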