Hi Edward,
Thanks for the link. Creating a computer account & keytab on the
Windows side and copying it back to the Solaris works for my other
services (ssh, etc.) but net ads join clobbers the existing account
and creates a new one which no longer matches the keytab. Is there a
way to get samba / net ads join to just use the existing kerberos
setup / keytab and NOT try to create a new account?
--Rob
On Mar 18, 2009, at 4:56 PM, Edward Irvine wrote:
> Rob,
>
>
>> Hi Samba people!
>>
>> I'm trying to use SAMBA (the version included with Solaris 10)
>> with an AD.
>>
>> NET ADS JOIN works like a charm to create a computer object in the
>> AD for the solaris machine, and SAMBA users are authenticating
>> without a problem. This is good. HOWEVER -- I also need other
>> protocols (including ssh and Xinet KA-Share) to authenticate users.
>>
>> As I understand it, SAMBA uses kerberos to authenticate against
>> AD, so as long as everyone is using the same keytab file, I'd
>> expect all to be well. However, I find that when I do net ads join
>> it doesn't create or modify a keytab file that I can find. I have
>> use kerberos keytab = true in my smb.conf file, but I can't see
>> that it actually does anything.
>>
>> Can anyone steer me in the right direction here? I've been
>> chasing this for over a month.
>>
>
> The following is a little dated. But see the section in
> http://users.tpg.com.au/adsl95uc/gssapi-sol10/
> that refers to "Windows Active Directory". This is how you get a
> valid /etc/krb5/krb5.keytab file onto your Solaris machine.
>
> Note that you don't *have* to have a krb5.keytab file on your Solaris
> Servers to authenticate users, unless you want to do single sign on.
>
> If you just want to have same sign on (same username, same password)
> then all the PAM stack needs is a correctly configured
> /etc/krb5/krb5.conf file.
>
> There is a section about building your own PAM/OpenSSH/Kerberos
> stack which you may be able to ignore.
>
>> --Rob