Andrew Smith-MAGAZINES
2003-Sep-30 11:41 UTC
[Samba] AD SAMBA Kerberos participation with other AD Kerberised services
Hi All,

Anyone else found that adding a Samba server to an AD domain appears to be incompatible with using an AD Kerberos realm to provide other Kerberised services such as NFS from the same UNIX host?

Problem I have is that when you join an AD domain through the Samba 3.x net command this creates a computer account in the AD to which the administrator does not know the account password.

If you follow MS guidelines for configuring other UNIX Kerberised services to authenticate against a Windows Kerberos realm (AD domain) you are instructed to use a user account, not a computer account, because to generate a keytab file for your Kerberised service you must know the password for the Kerberos/AD account.

As you cannot have an AD computer account with the same name as an AD user account, it would seem to me that using Kerberised Samba is mutually exclusive with providing generic Kerberised UNIX services from a single UNIX machine. Surely this will cause many people problems if this is the case; have I missed something?

Microsoft instructions for creating keytabs are on this link: <<Microsoft TechNet AD-UNIX Kerberos integration.url>>

Many thanks,
Andy.

BBCi at http://www.bbc.co.uk/

This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated. If you have received it in error, please delete it from your system. Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately. Please note that the BBC monitors e-mails sent or received. Further communication will signify your consent to this.
Andrew Bartlett
2003-Sep-30 13:56 UTC
[Samba] AD SAMBA Kerberos participation with other AD Kerberised services
On Tue, 2003-09-30 at 21:41, Andrew Smith-MAGAZINES wrote:
> Hi All,
>
> anyone else found that adding a Samba server to an AD domain
> appears to be incompatible with using an AD Kerberos realm to
> provide other Kerberised services such as NFS from the same
> UNIX host?
>
> Problem I have is that when you join an AD domain through the
> Samba 3.x net command this creates a computer account in the
> AD to which the administrator does not know the account password.
>
> If you follow MS guidelines for configuring other UNIX
> Kerberised services to authenticate against a Windows Kerberos
> realm (AD domain) you are instructed to use a user account not
> a computer account because to generate a keytab file for your
> Kerberised service you must know the password for the Kerberos/AD
> account.
>
> As you cannot have an AD computer account with the same name as
> an AD user account it would seem to me that using Kerberised
> Samba is mutually exclusive with providing generic Kerberised
> UNIX services from a single UNIX machine. Surely this will cause
> many people problems if this is the case, have I missed something?

This issue is intended to be addressed, but you can find out the (current) machine account password: just read the plaintext out of the secrets.tdb (root-only access, naturally). Either tdbtool, or a simple 'less', should show it.

I think there may even have been some patches flying about to fix this, but I'm not sure...

Feel free to file a bug (if there is not one already present) into bugzilla.samba.org

Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net