On Tue, 2021-05-11 at 21:02 -0400, Ron Murray via samba wrote:
> I've been running Samba at home now for at least 20 years. With the
> discovery that Windows 10 won't do NT4 networks, I figured that I might
> as well upgrade to AD, since Samba can now be an AD domain controller.
>
> I've been running (MIT) Kerberos for almost that long as well (it's
> handy for authenticating to servers), and at first I was discouraged by
> Samba's insistence on Heimdal Kerberos. Eventually, I switched, and got
> that (mostly) working.
>
> Then I started to install Samba AD, and discovered that Samba seems to
> have an inbuilt KDC. Is this correct? Should I be running Samba's
> inbuilt Kerberos instead? I can't find anything in the documentation
> mentioning using a pre-existing Kerberos.
Yes, the reason we don't have anything about using a pre-existing
Kerberos is that it isn't possible. We need to provide the backend DB
to the KDC, so that it matches all the other protocols and includes the
PAC etc.
> Anyway, I limped along, installed as best I could, disabled Samba's kdc
> in smb.conf, but my heimdal-kdc .log keeps giving errors like
>
> Looking for ENC-TS pa-data -- COMPUTER$@EXAMPLE.COM
>
> where "COMPUTER" is my KDC/AD controller.
>
> Perhaps I missed something in the instructions, because there's
> obviously no such entry in my Kerberos database. Is this because I
> should be using Samba's KDC, or is it something else?
Yes, you need Samba's KDC.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
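A small configuration check, added here as an example and not part of the thread or of Samba itself: it parses an smb.conf and flags the combination the poster ended up with, the AD DC role with the built-in KDC removed from `server services`. It assumes the documented `server role` and `server services` parameters, with `+name`/`-name` adjusting the default service list (which includes `kdc`) and a plain list replacing it; the sample configs are constructed.

```python
import re

# Constructed sample configs (not from the thread), one per situation.
AD_DC_NO_KDC = """[global]
    server role = active directory domain controller
    server services = -kdc
"""
AD_DC_OK = """[global]
    server role = active directory domain controller
"""

def global_section(text):
    """Return the [global] parameters as {name: value}, names lowercased."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def kdc_enabled(services):
    """Interpret 'server services' (assumption: '+x'/'-x' adjust the default
    list, which contains kdc; a plain list replaces it; absent = default)."""
    if services is None:
        return True
    tokens = [t.lower() for t in re.split(r"[,\s]+", services.strip()) if t]
    if any(t[0] in "+-" for t in tokens):
        enabled = True
        for t in tokens:
            if t in ("-kdc", "+kdc"):
                enabled = t == "+kdc"
        return enabled
    return "kdc" in tokens

def check(text):
    """Flag an AD DC whose own KDC has been disabled (the thread's failure)."""
    g = global_section(text)
    if g.get("server role", "").lower() != "active directory domain controller":
        return "not an AD DC: an external KDC is fine here"
    if not kdc_enabled(g.get("server services")):
        return "AD DC with built-in KDC disabled: Kerberos auth will fail"
    return "ok: AD DC serving its own KDC"
```

Run `check()` over your real smb.conf text; anything other than the "ok" result on a DC means clients will be sent to a KDC that does not hold the AD-backed principals.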