Manualshelf

HP CIFS Server and Kerberos

ManualsBrandsHP ManualsSoftwareHP-UX Common Internet File System (CIFS) Client/Server Software
101102103104105106107108109110
106
Do not do this when smb.conf is “security = ads”.
Samba requires a particular value in a directory computer attribute called UserAccountControl in order
to correctly implement Kerberos for Samba. The “net ads join” command inserts the correct value
into this attribute. The Windows MMC inserts an incorrect value into this attribute. All further
Kerberos authentication attempts will fail, resulting in the bad-password pop-up.
Resolution-3
Delete the computer object from the domain (“net ads leave”) and add the computer correctly using
“net ads join –U username”.
Symptom-4
The “net ads join –U administrator” fails with a log message:
spnego_gen_negTokenTarg failed: Clock skew too great
failed kerberos session setup with Clock skew too great
ads_krb5_mk_req: krb5_get_credentials failed for hpatcwin2k4$@HPATC2003.HP.COM (Clock skew too great)
OR
During a client logon the bad-password popup appears, and the logfile shows the clock skew message
from above.
OR