On Tue, 2021-10-05 at 13:36 -0400, Rob Campbell wrote:
> Miscommunication. When I say join a domain, I mean joining a
> workstation to the domain, not another DC. I want to eventually use
> the graphical login but figured the command line would give me more
> information on failures.
OK, so you want to run Samba as a Unix domain member, so can you post
the smb.conf that you are using? The one you posted was for a DC being
used as a fileserver.
>
> The actual login does exist, I created it with 'samba-tool user add
> username'. I've also tried 'samba-tool user create username
> --user-username-as-cn --surname="Last" --given-name-"First"
> --initials=FML --mail-address=fml@yahoo.com
> --profile-path=\\\\test-server.lan\\profiles\\username'
>
> There seem to be intermittent issues. Sometimes it doesn't even
> prompt for password. Other times, it doesn't accept the password.
> And sometimes it works.
>
>
There seems to be something wrong, somewhere:

adminuser@dmtest:~$ kinit administrator
Password for administrator@SAMDOM.EXAMPLE.COM:
adminuser@dmtest:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
05/10/21 18:53:15  06/10/21 04:53:15  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        renew until 06/10/21 18:53:06

>
> FYI:
> When I read
> Samba provides experimental support for the MIT Kerberos KDC provided
> by your operating system if you run Samba 4.7 or later and has been
> built using the --with-system-mitkrb5 option. In other cases Samba
> uses the Heimdal KDC included in Samba.
If you use the Fedora Samba packages to create a Samba AD DC, then you
will be using MIT for the KDC, but a Unix client can use either the MIT
or Heimdal tools.
>
> I read that to mean if you don't build Samba AND you didn't build it
> with --with-system-mitkrb5, Samba uses Heimdal KDC (which is my
> scenario). Maybe there could be an option you could use to determine
> which is being used, similar to 'samba -b' if knowing which you have
> is important.
There is a way of knowing. If the distro is based on Debian, it will
use Heimdal for a Samba DC; if it is Fedora based, it will use MIT (I
believe SUSE is the same); and finally, you cannot provision a Samba AD
domain with RHEL packages. This includes all the compatible RHEL
distros.
Rowland