admin at ateamonsite.com
2009-Oct-14 23:03 UTC
[Samba] Is it EVER needed to set up kerberos manually if you use samba to join an ADS domain as a domain member?
Hi folks,

In a scenario where you are just joining samba to an existing windows 2003 AD as a member server, I have been told that in some unknown/unsubscribed conditions you need to manually set up kerberos and use kinit before joining the active directory with net ads join.

I think this is untrue personally because, from what I understand about samba joining a domain, the samba/winbind/net ads join command automatically uses kerberos libraries to autogenerate its tickets upon a successful domain join. Additionally AFAIK tickets are refreshed by winbind automatically, so you really never need to run kinit or set up krb5.conf if you use samba to join the AD as a domain member server.

Could someone please clarify this so I can make this myth go away? Could I be wrong? Is there a special circumstance where this applies that I don't know about? Some magic non-default active directory configuration that insists kerberos be set up differently than samba can muster to do automatically??

Thanks!
-Clayton
Robert LeBlanc
2009-Oct-15 03:54 UTC
[Samba] Is it EVER needed to set up kerberos manually if you use samba to join an ADS domain as a domain member?
I believe that if you are using msDNS in some fashion (as your DNS or delegated domain) or have something like Bind updated with the SRV records for the AD domain, then there is little configuration needed in krb5.conf, as the libraries will query DNS for a KDC. If your DNS is not set up with the SRV records then you will need to enter the domain and KDC information in krb5.conf.

We have a delegated AD domain from Bind and I used to enter all the info in krb5.conf; I then started taking stuff out until I got to an empty krb5.conf file and it still worked. Our krb5.conf does have a few lines for options where we override the defaults, but they are not needed.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Matthew J. Salerno
2009-Oct-15 14:29 UTC
[Samba] Is it EVER needed to set up kerberos manually if you use samba to join an ADS domain as a domain member?
I found out that in order for the idmap_ad to be able to pull in the rfc2307 attributes, you need to have the krb5.conf set up. Auth was working fine, but without the krb5.conf, that was all that was working.

http://lists.samba.org/archive/samba/2009-October/151144.html
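To make the two situations in this thread concrete (Robert's near-empty krb5.conf that relies on DNS, and the explicit KDC entries needed when the SRV records are not published, which is also the file idmap_ad wants present), here is an added, constructed krb5.conf; it is not from any poster and uses the placeholder realm EXAMPLE.COM and hostnames dc1/dc2:

```ini
# Constructed example krb5.conf for a Samba member server of an AD domain.
# Placeholder realm and KDC names: replace EXAMPLE.COM / dc1 / dc2 with your own.

[libdefaults]
    # Samba's "realm =" in smb.conf should match this value.
    default_realm = EXAMPLE.COM

    # Case 1 (the "empty krb5.conf still worked" case): when AD or a delegated
    # BIND zone publishes the SRV records _kerberos._tcp.example.com and
    # _kerberos._udp.example.com, the Kerberos library finds the KDCs itself.
    # dns_lookup_kdc is already the MIT default; it is spelled out here only
    # to make the dependency on DNS visible.
    dns_lookup_kdc = true
    # AD does not publish the _kerberos TXT record used for realm lookup,
    # so keep realm mapping explicit rather than enabling dns_lookup_realm.
    dns_lookup_realm = false

# Case 2: DNS has no SRV records for the domain (plain zone, firewall in the
# way, or a resolver that does not see the AD zone). Then the KDCs must be
# listed here, otherwise kinit and net ads join cannot locate a KDC at all.
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        kdc = dc2.example.com
        admin_server = dc1.example.com
    }

# Map DNS names to the realm so host principals (host/server.example.com)
# resolve to EXAMPLE.COM without a DNS TXT lookup.
[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

Before deciding which case applies, query the SRV record, for example `dig _kerberos._tcp.example.com SRV`: if it returns the domain controllers, the [realms] block is optional; if it returns nothing, the block is required.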