Axel Suppantschitsch
2003-Oct-02 09:28 UTC
[Samba] "net ads join" Kerberos credentials only after "kinit"?
According to the latest version of the Samba documentation there are three major steps to add a Samba server as a member server to an ADS:

1.) Configure Samba correctly to use ADS (smb.conf).
2.) Configure Kerberos correctly to work with the ADS KDC (krb5.conf).
3.) Join the Samba server with "net ads join -U Administrator".

Well, all this sounds good, but it definitely doesn't work; you won't have any Kerberos tickets in your credentials cache after this process. So either the Samba documentation is incomplete, or there is a bug in Samba.

Anyway, it seems that I found a workable solution. I use the Samba 3.0.0 release. I use MIT Kerberos libraries 1.3.1 (don't know if this works with Heimdal). I tested this with Windows 2000 and Windows 2003 servers. It worked on both.

1.) Do a "kinit Administrator@EXAMPLE.COM". This will get you initial Kerberos credentials. It is essential to get credentials _BEFORE_ step #2!
2.) Do a "net ads join". This will use your Kerberos credentials from step #1 and add the Samba server to your ADS domain without the need to specify a username or a password.
3.) Do a "klist" and you will see three different tickets in your Kerberos credentials cache.
4.) Do a "smbclient -k \\windowsserver\share" and it should connect you without entering a username and password.

At this point I ask you guys whether this is a bug or a feature:

1.) If it is a feature, the Samba documentation needs to be changed in order to require valid Administrator Kerberos credentials _BEFORE_ doing a "net ads join". This needs to be explicitly mentioned!
2.) If it is a bug, you know what you have to do... ;)

Hope this helps all the guys out there struggling with the same problem and asking me for help... ;)

Regards,
Axel.
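The four steps above as one script, added here as an example; it is not part of Axel's post and not Samba's own tooling. It checks the credential cache for a TGT first ("klist -s" exits non-zero when there is no valid, unexpired cache), runs kinit only when needed, then joins, counts the service tickets the join left behind and tries the Kerberos-only smbclient connection. It assumes MIT Kerberos (the klist output format parsed here is MIT's, as Axel used) and Samba's "net" and "smbclient" on PATH. The realm EXAMPLE.COM, the principal Administrator@EXAMPLE.COM, the host windowsserver and the share name "share" are the placeholders from the post; the environment variables ADS_ADMIN and ADS_TEST_SERVER are this script's own assumptions; and the sample klist output, including its ldap/ and cifs/ entries, is constructed for the offline check, not captured from a real join.

```shell
#!/bin/sh
# Added example following the steps in the post above; not Samba's own code.
# Assumes MIT Kerberos (kinit, klist) and Samba's "net"/"smbclient" on PATH.
# ADS_ADMIN (e.g. Administrator@EXAMPLE.COM) and ADS_TEST_SERVER are
# assumed environment variables used only by this script.

# tgt_in_klist REALM: read "klist" output on stdin and succeed only if it
# lists a TGT for REALM (service principal krbtgt/REALM@REALM).
tgt_in_klist() {
    grep -qF -- "krbtgt/$1@$1"
}

# count_service_tickets: read "klist" output on stdin and count ticket lines,
# i.e. lines whose last field looks like service/instance@REALM (MIT format).
count_service_tickets() {
    awk '$NF ~ /\/.*@/ { n++ } END { print n + 0 }'
}

# ensure_tgt PRINCIPAL: kinit only when the cache has no valid TGT.
# "klist -s" is silent and exits non-zero if the cache is missing or expired.
ensure_tgt() {
    klist -s 2>/dev/null || kinit "$1"
}

# ads_join_with_tgt PRINCIPAL SERVER: the post's steps 1-4 in order.
ads_join_with_tgt() {
    ensure_tgt "$1" || { echo "no TGT for $1; aborting join" >&2; return 1; }
    # Step 2: as in the post, no -U, so the join runs with the cached TGT.
    net ads join || return 1
    # Step 3: show what the join left in the cache.
    echo "service tickets in cache: $(klist | count_service_tickets)"
    klist
    # Step 4: Kerberos-only SMB connect; //host/share is the shell-safe
    # spelling of \\host\share.
    smbclient -k "//$2/share" -c 'ls'
}

# Constructed sample of MIT klist output for an offline check; the ldap/ and
# cifs/ entries are illustrative, not captured from a real join.
sample_klist() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@EXAMPLE.COM

Valid starting     Expires            Service principal
10/02/03 09:28:00  10/02/03 19:28:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
10/02/03 09:30:12  10/02/03 19:28:00  ldap/dc1.example.com@EXAMPLE.COM
10/02/03 09:30:15  10/02/03 19:28:00  cifs/windowsserver.example.com@EXAMPLE.COM
EOF
}

# Offline demonstration; the real join runs only when ADS_ADMIN is set.
if sample_klist | tgt_in_klist EXAMPLE.COM; then
    echo "sample cache holds a TGT for EXAMPLE.COM"
fi
echo "sample cache holds $(sample_klist | count_service_tickets) service tickets"
if [ -n "${ADS_ADMIN:-}" ]; then
    ads_join_with_tgt "$ADS_ADMIN" "${ADS_TEST_SERVER:-windowsserver}"
fi
```

Run it with nothing set and it only exercises the parsing on the constructed sample; run it as "ADS_ADMIN=Administrator@EXAMPLE.COM ADS_TEST_SERVER=windowsserver sh join.sh" on the member server to perform the actual sequence. The one design choice worth noting is the guard in ensure_tgt: it makes the precondition Axel discovered (a TGT must exist before the join) explicit and checked, instead of relying on the operator remembering to run kinit first.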
Andrew Smith-MAGAZINES
2003-Oct-02 09:53 UTC
[Samba] "net ads join" Kerberos credentials only after "kinit"?
The purpose of "net ads join -U Administrator%password" (a password is required) is not to obtain a Kerberos ticket but to create a computer account in the AD, thereby setting up the trust required for other clients to authenticate to the Samba server with an AD Kerberos TGT. Use kinit from any client system, after doing the net ads join on the Samba server, to get your TGT, and I think you'll find everything works as intended.

Thanks,
Andy