Andy Pierce
2005-Jun-08 13:48 UTC
[Samba] Kerberos requirements for Samba and AD Membership
Hello. I currently have Samba running on AIX and joined to an NT4 domain. I need to change this membership to a new Active Directory domain. Yes, it is running in Native Mode. I understand that Kerberos is *the* requirement to make this work. Are there any special Kerberos versions, configuration options, etc. that are required?

The Official Samba-3 HOWTO and Reference Guide (Terpstra and Vernooij) says on page 75 in the Samba ADS Domain Membership section, "A familiarity with Kerberos is assumed." That's fine but, since I am not the sysadmin, I need to learn these requirements and communicate them to him.

The only requirement I have is that our AIX system joins the AD as a client. I am NOT trying to configure Samba as a DC or anything like that.

Thanks a million!

Andrew
Gerald (Jerry) Carter
2005-Jun-08 15:03 UTC
[Samba] Kerberos requirements for Samba and AD Membership
Andy Pierce wrote:
> Hello. I currently have Samba running on AIX and
> joined to an NT4 domain. I need to change this
> membership to a new Active Directory domain. Yes, it
> is running in Native Mode. I understand that Kerberos
> is *the* requirement to make this work. Are there
> any special Kerberos versions, configuration
> options, etc. that are required?

Native mode only means no NT4 BDCs. You can still run 'security = domain' with native mode AD. But if you want Kerberos, make sure you have current MIT or Heimdal libs and OpenLDAP 2.2.x client libraries. Samba will need to link against these.

Beyond this, there is a lot of existing documentation on configuring Samba as a member server.

cheers, jerry
Gordon Hopper
2005-Jun-08 15:22 UTC
[Samba] Kerberos requirements for Samba and AD Membership
The short answer: Use Kerberos 1.3.3 or greater and you should be fine. Use "kinit user@ad.domain" to verify that Kerberos is basically working, then "net join ads -U user@ad.domain" to join the domain. For me, it worked best to create the machine account with the AD administrator tool before I joined the domain (partly because the AD domain admin refused to delegate the authority to create accounts). I expect that http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member is the page 75 that you mentioned, and that covers the steps reasonably well.

The long answer: I found this page from Microsoft helpful: http://support.microsoft.com/default.aspx?scid=kb;en-us;296842 . Microsoft basically supports 3 encryption types:

- RC4-HMAC
- DES-CBC-MD5
- DES-CBC-CRC

However, note that "support for DES-CBC-CRC ... is primarily for MIT Kerberos interoperability", and "You cannot configure a Windows 2000-based client to request a TGT by using the DES-CBC-CRC encryption type." which means that in practice DES-CBC-CRC doesn't work. (MIT Kerberos 1.2.x supports only DES3-HMAC-SHA1 and DES-CBC-CRC. Although DES-CBC-CRC is on both lists, it doesn't work.)

What this means is that your Kerberos version should support the RC4-HMAC encryption type, which is Microsoft's default. (MIT Kerberos 1.3.x does. I don't know much about Heimdal, but it should too.)

A tool called klist will tell you what tickets you have, and you can also get klist for Windows clients, to see what ticket types your domain is using (also, a tool called Kerbtray, in the Windows 2000 resource kit.)

You shouldn't have to configure anything special in your krb5.conf, although I added a realms section to mine, to specify nearby domain controllers for our global domains.

Regards,
Gordon

On Wed, 2005-06-08 at 09:48 -0400, Andy Pierce wrote:
> Hello. I currently have Samba running on AIX and joined to an NT4
> domain. I need to change this membership to new Active Directory
> domain. Yes, it is running in Native Mode. I understand that Kerberos
> is *the* requirement to make this work. Are there any special Kerberos
> versions, configuration options, etc. that are required?
>
> The Official Samba-3 HOWTO and Reference Guide (Terpstra and Vernooij)
> says on page 75 in the Samba ADS Domain Membership section, "A
> familiarity with Kerberos is assumed." That's fine but, since I am not
> the sysadmin, I need to learn these requirements and communicate them
> to him.
>
> The only requirement I have is that our AIX system joins the AD as a
> client. I am NOT trying to configure Samba as a DC or anything like
> that.
>
> Thanks a million!
>
> Andrew
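The two replies above together describe one procedure: pick `security = ads` (or stay on `security = domain`, which Jerry notes still works against a native-mode AD), point krb5.conf at the realm and nearby DCs, kinit to prove the KDC is reachable and negotiates an enctype the client supports, then join. The script below is an added example, not code from the thread or from the Samba project. It bundles the smb.conf and krb5.conf fragments with a small check over `klist -e` output that the TGT did not come back with a DES enctype (the failure mode Gordon describes for MIT 1.2.x). The realm AD.EXAMPLE.COM, the DC names and both klist samples are hypothetical/constructed; the join command uses the `net ads join` spelling from net(8). One caveat beyond the thread: RC4-HMAC was AD's default in 2005, but a current domain should be left to negotiate AES, which is why the enctype lists below put aes256-cts first.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project. Realm, DC
# names and the klist samples are hypothetical / constructed.

# smb.conf: 'security = domain' keeps working against a native-mode AD
# (NTLM, no Kerberos libs needed); 'security = ads' is the Kerberos join.
SMB_CONF_EXAMPLE='[global]
    workgroup = AD
    realm = AD.EXAMPLE.COM
    security = ads
    ; security = domain    -- NT4-style membership, no Kerberos required
    encrypt passwords = yes
'

# krb5.conf: nothing special is required, but a [realms] block pinning
# nearby DCs and an explicit enctype list keep DES from being negotiated.
KRB5_CONF_EXAMPLE='[libdefaults]
    default_realm = AD.EXAMPLE.COM
    dns_lookup_kdc = true
    # 2005-era AD defaults to RC4-HMAC; current domains should use AES.
    default_tgs_enctypes = aes256-cts rc4-hmac
    default_tkt_enctypes = aes256-cts rc4-hmac
    permitted_enctypes   = aes256-cts rc4-hmac

[realms]
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
        kdc = dc2.ad.example.com
        admin_server = dc1.ad.example.com
    }
'

# Constructed `klist -e` output (MIT krb5 format) for an RC4-HMAC TGT ...
SAMPLE_KLIST_RC4='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@AD.EXAMPLE.COM

Valid starting     Expires            Service principal
06/08/05 13:48:00  06/08/05 23:48:00  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5'

# ... and for a DES-CBC-CRC TGT, which an MIT 1.2.x client would ask for.
SAMPLE_KLIST_DES='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@AD.EXAMPLE.COM

Valid starting     Expires            Service principal
06/08/05 13:48:00  06/08/05 23:48:00  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32'

# tgt_enctype_ok KLIST_OUTPUT: returns 0 when a krbtgt entry exists and
# its enctype line names RC4-HMAC (ArcFour) or AES; 1 for DES or no TGT.
tgt_enctype_ok() {
    etype=$(printf '%s\n' "$1" | awk '
        /krbtgt/        { want = 1; next }
        want && /Etype/ { print; exit }')
    case "$etype" in
        "")              return 1 ;;   # no TGT: kinit not run or failed
        *DES*)           return 1 ;;   # DES-CBC-CRC or DES-CBC-MD5
        *ArcFour*|*AES*) return 0 ;;
        *)               return 1 ;;   # unknown enctype: treat as failure
    esac
}

# join_domain USER@REALM: the order described in the thread. Not run
# here; it needs a live KDC and a writable AD computer container.
join_domain() {
    kinit "$1" || return 1
    tgt_enctype_ok "$(klist -e)" || {
        echo "TGT was issued with a DES enctype; fix krb5.conf / upgrade krb5" >&2
        return 1
    }
    net ads join -U "$1"
}
```

Run `join_domain user@AD.EXAMPLE.COM` on the member server once the two config fragments are installed; if the enctype check fails, the Kerberos library (not Samba) is the component to fix first, which is the point both replies make.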