samba - Mar 2009 - Can SAMBA make a kerberos keytab on Solaris 10?

Hi Samba people!

	I'm trying to use SAMBA (the version included with Solaris 10) with  
an AD.

	NET ADS JOIN works like a charm to create a computer object in the AD  
for the solaris machine, and SAMBA users are authenticating without a  
problem.  This is good.  HOWEVER -- I also need other protocols  
(including ssh and Xinet KA-Share) to authenticate users.

	As I understand it, SAMBA uses kerberos to authenticate against AD,  
so as long as everyone is using the same keytab file, I'd expect all  
to be well.  However, I find that when I do net ads join it doesn't  
create or modify a keytab file that I can find.  I have use kerberos  
keytab = true in my smb.conf file, but I can't see that it actually  
does anything.

	Can anyone steer me in the right direction here?  I've been chasing  
this for over a month.

--Rob

Hi Edward,

	Thanks for the link.  Creating a computer account & keytab on the  
Windows side and copying it back to the Solaris works for my other  
services (ssh, etc.) but net ads join clobbers the existing account  
and creates a new one which no longer matches the keytab.  Is there a  
way to get samba / net ads join to just use the existing kerberos  
setup / keytab and NOT try to create a new account?

--Rob

On Mar 18, 2009, at 4:56 PM, Edward Irvine wrote:
> Rob,
>
>
>> Hi Samba people!
>>
>> 	I'm trying to use SAMBA (the version included with Solaris 10)  
>> with an AD.
>>
>> 	NET ADS JOIN works like a charm to create a computer object in the  
>> AD for the solaris machine, and SAMBA users are authenticating  
>> without a problem.  This is good.  HOWEVER -- I also need other  
>> protocols (including ssh and Xinet KA-Share) to authenticate users.
>>
>> 	As I understand it, SAMBA uses kerberos to authenticate against  
>> AD, so as long as everyone is using the same keytab file, I'd  
>> expect all to be well.  However, I find that when I do net ads join  
>> it doesn't create or modify a keytab file that I can find.  I have
>> use kerberos keytab = true in my smb.conf file, but I can't see  
>> that it actually does anything.
>>
>> 	Can anyone steer me in the right direction here?  I've been  
>> chasing this for over a month.
>>
>
> The following is a little dated. But see the section in
http://users.tpg.com.au/adsl95uc/gssapi-sol10/
>  that refers to "Windows Active Directory". This is how you get a
> vailid /etc/krb5/krb5.keytab file onto your Solaris machine.
>
> Not that you don't *have* to have a krb5.keytab file on your Solaris  
> Servers to authenticate users, unless you want to do single sign on.
>
> If you just want to have same sign on (same username, same password)  
> then all the PAM stack needs is a correctly configured /etc/krb5/ 
> krb5.conf file.
>
> There is a section about building your own PAM/OpenSSH/Kerberos  
> stack which you may be able to ignore.
>
>> --Rob
>>
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
>