For all interested:
Adding the following to the global config section and rejoining the domain
caused samba to fill my krb5.keytab file for me! I'm still working on some
minor issues with winbind and the AD SFU integration, but this was my big
missing item.

    use kerberos keytab = Yes

Thanks to the folks that responded and got me pointed the right way!
"Jon Allingham" <jallingham@leapstone.com> wrote in message
news:eq8dsj$tcd$1@sea.gmane.org...
> I'm trying to integrate Samba with my kerberos configuration on Solaris
> 10 (with Samba 3.0.23d) and I have one basic issue - probably I don't
> understand something. Hopefully one of you experts can help.
>
> We have an AD based organization but we do a lot of Unix work on Solaris
> 10 and AIX 5.3 - I have about 75 *nix servers of various flavors. There's
> a lot of value in SSO solutions/credential consolidation to us, but we're
> a small organization.
>
> I have a functional Solaris configuration talking LDAP to AD, using
> kerberos for password authentication, successfully pulling UID/GID from
> SFU on Server 2003 R2. LDAP mapping using the built in LDAP client in
> Solaris 10 works smoothly; getent returns everything it should. kerberos
> versions of telnet etc all work fine and forward credentials. This config
> uses the pam_krb5 module, not winbind and uses ldap in the nsswitch.conf
>
> Alternatively, I can not run the kinit -k for the host, leave out the
> krb5.keytab (and of course fix all the SPN information in AD from the
> above configuration) and configure Samba in AD mode and it properly joins
> the domain. User names get mapped properly. File access through samba
> works.
>
> What I can't seem to figure out how to do is have a functional kerberos
> configuration with a keytab entry at the same time I have samba working -
> Samba wants to join the domain using a machine account and assigns the
> principal host/hostname.myorg.com and I don't see any way of getting that
> same information exported into the krb5.keytab so I can run kinit -k to
> get the proper host credentials. And I need the same
> host/hostname.myorg.com principal to be set on the account that is mapped
> to the system.
>
> AD isn't terribly happy about using a machine account anyway to configure
> kerberos, at least not on Solaris - it works much better to use a user
> account and then set the principal with the ktpass utility on the windows
> DC.
>
> It seems that conceptually what I need is to be able to set the samba
> created information as the keytab entry, but I haven't the faintest idea
> how to do that.
>
> I tried setting the verify_ap_req_nofail = false value in the krb5.conf
> file to keep it from requiring a host entry, but that didn't seem to make
> any difference.
>
> I suppose what I'd really like to do is be able to manually export the
> keytab from AD using ktpass and use the SAME information for both the OS
> controlled kerberos based services as well as for Samba. Or alternatively
> be able to point my krb5.conf file to a samba controlled keytab entry for
> host/hostname.myorg.com
>
> Any ideas are appreciated.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
>
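The fix above amounts to two things a sysadmin wants to verify after the rejoin: that smb.conf really tells Samba to maintain the system keytab, and that the keytab now holds the host/ principal that kinit -k and the OS Kerberos services expect. The script below is an added example, not code from the thread or from the Samba project; the function names and the sample smb.conf / klist -k output are constructed for the illustration.

```sh
#!/bin/sh
# Added example (not from the original thread): offline checks for the
# "use kerberos keytab" setup Jon describes. Function names and the sample
# smb.conf / klist -k text below are constructed for this illustration.

# Succeeds when the [global] section of the smb.conf text on stdin sets
# "use kerberos keytab" to a true value (yes/true/1, case-insensitive).
# The same key under another section (e.g. [homes]) does not count.
smbconf_uses_system_keytab() {
    awk '
        # A line like "[global]" starts a new section; remember its name.
        /^[ \t]*\[/ { s = tolower($0); gsub(/[][ \t]/, "", s); sect = s; next }
        sect == "global" && tolower($0) ~ /^[ \t]*use[ \t]+kerberos[ \t]+keytab[ \t]*=/ {
            split($0, kv, "="); v = tolower(kv[2]); gsub(/[ \t]/, "", v)
            if (v == "yes" || v == "true" || v == "1") found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Succeeds when the "klist -k" output on stdin lists the principal given
# as $1 (the principal is the last field of each entry line).
keytab_has_principal() {
    awk -v want="$1" '$NF == want { found = 1 } END { exit found ? 0 : 1 }'
}

# Succeeds when the file in $1 is mode 0600. The keytab holds the
# machine's long-term key, so nothing but root should be able to read it.
keytab_is_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Constructed sample inputs: on a real host these come from "testparm -s"
# and "klist -k" after "net ads join".
SAMPLE_SMBCONF='[global]
   workgroup = MYORG
   realm = MYORG.COM
   security = ads
   use kerberos keytab = Yes
[homes]
   browseable = no'

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------
   2 host/hostname.myorg.com@MYORG.COM
   2 host/HOSTNAME@MYORG.COM
   2 HOSTNAME$@MYORG.COM'

# $1 = smb.conf text, $2 = klist -k text, $3 = host FQDN, $4 = realm.
# Returns 0 only when both the config and the keytab look right.
check_join_keytab() {
    printf '%s\n' "$1" | smbconf_uses_system_keytab || {
        echo "smb.conf: Samba is not told to maintain the system keytab"
        return 1
    }
    printf '%s\n' "$2" | keytab_has_principal "host/$3@$4" || {
        echo "keytab: no host/$3@$4 entry, kinit -k will fail"
        return 1
    }
    echo "ok: Samba owns the keytab and host/$3@$4 is present"
}

check_join_keytab "$SAMPLE_SMBCONF" "$SAMPLE_KLIST" hostname.myorg.com MYORG.COM
```

On the joined host, feed `testparm -s` and `klist -k` to the two checks instead of the samples, and run `keytab_is_private /etc/krb5.keytab` as well. Letting Samba own the keytab is what keeps it usable over time: when Samba rotates the machine account password, the keytab entries are refreshed with it, whereas a keytab exported once with ktpass goes stale the first time that happens. Later Samba releases replaced `use kerberos keytab` with the `kerberos method` parameter (`kerberos method = system keytab` is the equivalent setting), so adjust the key the config check looks for if you are on one of those.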