samba - Oct 2009 - Is it EVER needed to set up kerberos manually if you use samba to join an ADS domain as a domain member?

Hi folks,

In a scenerio where you are just joining samba to an existing windows 2003
AD as a member server, I have been told that in some unknown/unsubscribed
conditions you need to manually need to set up kerberos and use kinit
before joining the active directory with net ads join.

I think this is untrue personally because from what I understand about
samba joining a domain, is that samba/winbind/net ads join command
automatically uses kerberos libraries to autogenerate its tickets upon a
successful domain join.
Additionally AFAIK tickets are refreshed by winbind automatically so you
really never need to run kinit or set up krb5.conf if you use samba to join
the AD as a domain member server.

Could someone please clarify this so I can make this myth go away? Could I
be wrong? Is there a special circumstance where this applies that i dont
know about? Some magic non default active directory configuration that
insists kerberos be set up differently than samba can muster to do
automatically??


Thanks!
-Clayton

I beleive that if you are using msDNS in some fashion (as your DNS or
delegated domain) or have something like Bind updated with the SVR records
for the AD domain, then there is little configuration needed in krb5.conf as
the libraries will query DNS for a KDC. If your DNS is not set-up with the
SVR records then you will need to enter the domain and KDC information in
krb5.conf. We have a delegated AD domain from Bind and I used to enter all
the info in krb5.conf, I then started taking stuff out until I got to an
empty krb5.conf file and it still worked. Our krb5.conf does have a few
lines for options that we override the defaults, but they are not needed.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University


On Wed, Oct 14, 2009 at 5:03 PM, <admin at ateamonsite.com> wrote:
> Hi folks,
>
> In a scenerio where you are just joining samba to an existing windows 2003
> AD as a member server, I have been told that in some unknown/unsubscribed
> conditions you need to manually need to set up kerberos and use kinit
> before joining the active directory with net ads join.
>
> I think this is untrue personally because from what I understand about
> samba joining a domain, is that samba/winbind/net ads join command
> automatically uses kerberos libraries to autogenerate its tickets upon a
> successful domain join.
> Additionally AFAIK tickets are refreshed by winbind automatically so you
> really never need to run kinit or set up krb5.conf if you use samba to join
> the AD as a domain member server.
>
> Could someone please clarify this so I can make this myth go away? Could I
> be wrong? Is there a special circumstance where this applies that i dont
> know about? Some magic non default active directory configuration that
> insists kerberos be set up differently than samba can muster to do
> automatically??
>
>
> Thanks!
> -Clayton
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

?
----- Original Message ----
From: Robert LeBlanc <robert at leblancnet.us>
To: admin at ateamonsite.com
Cc: samba at lists.samba.org
Sent: Wed, October 14, 2009 11:54:11 PM
Subject: Re: [Samba] Is it EVER needed to set up kerberos manually if you use
samba to join an ADS domain as a domain member?

I beleive that if you are using msDNS in some fashion (as your DNS or
delegated domain) or have something like Bind updated with the SVR records
for the AD domain, then there is little configuration needed in krb5.conf as
the libraries will query DNS for a KDC. If your DNS is not set-up with the
SVR records then you will need to enter the domain and KDC information in
krb5.conf. We have a delegated AD domain from Bind and I used to enter all
the info in krb5.conf, I then started taking stuff out until I got to an
empty krb5.conf file and it still worked. Our krb5.conf does have a few
lines for options that we override the defaults, but they are not needed.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University


On Wed, Oct 14, 2009 at 5:03 PM, <admin at ateamonsite.com> wrote:
> Hi folks,
>
> In a scenerio where you are just joining samba to an existing windows 2003
> AD as a member server, I have been told that in some unknown/unsubscribed
> conditions you need to manually need to set up kerberos and use kinit
> before joining the active directory with net ads join.
>
> I think this is untrue personally because from what I understand about
> samba joining a domain, is that samba/winbind/net ads join command
> automatically uses kerberos libraries to autogenerate its tickets upon a
> successful domain join.
> Additionally AFAIK tickets are refreshed by winbind automatically so you
> really never need to run kinit or set up krb5.conf if you use samba to join
> the AD as a domain member server.
>
> Could someone please clarify this so I can make this myth go away? Could I
> be wrong? Is there a special circumstance where this applies that i dont
> know about? Some magic non default active directory configuration that
> insists kerberos be set up differently than samba can muster to do
> automatically??
>
>
> Thanks!
> -Clayton
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:? https://lists.samba.org/mailman/options/samba
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:? https://lists.samba.org/mailman/options/samba


I found out that in order for the idmap_ad to be able to pull in the rfc2307
attributes, you need to have the krb5,conf setup.? Auth was working fine, but
without the krb5.conf, that was all that was working.

http://lists.samba.org/archive/samba/2009-October/151144.html