Hello,

I have quite some experience integrating Linux machines into AD (mostly the M$ one up to now).

But now I have a Samba AD DC, which works fine so far.

If I understand this correctly, the server itself does not need to be "part" of the domain itself as far as user administration is concerned, right?

For using nss-ldapd I would need a valid /etc/krb5.keytab instead of the samba4 integrated database for kerberos principals.

Can I do the following:

1. run "samba-tool domain exportkeytab /etc/krb5.keytab"
2. stop samba: /etc/init.d/samba stop
3. add "kerberos method = system keytab" to /etc/samba/smb.conf
4. start samba: /etc/init.d/samba start

If so, will users and computers added in future end up in /etc/krb5.keytab as expected?

Furthermore, which tool can I use to duplicate the "MACHINE$@REALM" principal of my DC to the Unix-style name host/machine@REALM?

Regards

Sven

-- 
The main thing to note is that when you choose open source you don't get a Windows operating system. (from http://www.dell.com/ubuntu)

/me is giggls at ircnet, http://sven.gegg.us/ on the Web
Rowland Penny
2014-Mar-12 16:12 UTC
[Samba] AD-Integration of Samba4 AD DC machine itself?
On 12/03/14 15:34, Sven Geggus wrote:
> Hello,
>
> I have quite some experience integrating Linux machines into AD
> (mostly the M$ one up to now).
>
> But now I have a Samba AD DC, which works fine so far.
>
> If I understand this correctly, the server itself does not need to be "part"
> of the domain itself as far as user administration is concerned, right?

Wrong. If you look carefully when you provision the domain, you will see that the server gets joined to the domain; the users then become part of the domain, just like a Windows domain.

> For using nss-ldapd I would need a valid /etc/krb5.keytab instead of the
> samba4 integrated database for kerberos principals.
>
> Can I do the following:
>
> 1. run "samba-tool domain exportkeytab /etc/krb5.keytab"

Yes

> 2. stop samba: /etc/init.d/samba stop

If this is what starts and stops your samba4 server, then yes

> 3. add "kerberos method = system keytab" to /etc/samba/smb.conf

Why???

> 4. start samba: /etc/init.d/samba start

Yes

> If so, will users and computers added in future end up in /etc/krb5.keytab
> as expected?

Should do, they do on my server.

> Furthermore, which tool can I use to duplicate the "MACHINE$@REALM"
> principal of my DC to the Unix-style name host/machine@REALM?

Again, why? Do you do this with a Windows AD server?

Could you please explain what you are trying to do and what you expect to happen.

Rowland

> Regards
>
> Sven
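As an added example (not code from either poster), a small POSIX shell check for the keytab produced by step 1 of the procedure above: it parses a saved `klist -k` listing (MIT klist format assumed) for both spellings of the DC's identity that the thread discusses, the computer account `MACHINE$@REALM` and the Unix-style `host/fqdn@REALM`, and confirms the keytab file is root-only 0600 (GNU stat assumed). The host names, realm and sample listing are constructed.

```shell
# Added example, not code from the thread. After running
#   samba-tool domain exportkeytab /etc/krb5.keytab
# on the DC, check the exported keytab before pointing nss-ldapd at it: it
# must hold the expected principals and be readable by root only.
# Host names, realm and the listing below are constructed assumptions.

# Print one principal per line from a saved `klist -k` listing
# (MIT klist format assumed: data rows begin with a numeric KVNO).
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }' "$1"
}

# Return 0 if principal $2 appears in the listing file $1.
keytab_has_principal() {
    keytab_principals "$1" | grep -qxF -- "$2"
}

# Check a DC keytab for both spellings of the host identity the thread
# discusses: the AD computer account (DC1$@REALM) and the Unix-style
# host/dc1.fqdn@REALM. Args: LISTING SHORTNAME FQDN REALM; returns #missing.
check_dc_principals() {
    listing=$1; short=$2; fqdn=$3; realm=$4
    missing=0
    for p in "${short}\$@${realm}" "host/${fqdn}@${realm}"; do
        if ! keytab_has_principal "$listing" "$p"; then
            echo "missing: $p"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Return 0 if file $1 is mode 0600 and owned by $2 (default root): anyone
# who can read the keytab holds the DC's long-term keys. GNU stat assumed.
keytab_perms_ok() {
    [ "$(stat -c '%a' "$1")" = "600" ] && [ "$(stat -c '%U' "$1")" = "${2:-root}" ]
}

# Constructed sample listing (not output from any real DC) so the checks
# run offline. Live use: klist -k /etc/krb5.keytab > /tmp/kt.txt
SAMPLE_LISTING=$(mktemp)
cat > "$SAMPLE_LISTING" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------------
   1 DC1$@EXAMPLE.COM
   1 host/dc1.example.com@EXAMPLE.COM
   2 someuser@EXAMPLE.COM
EOF
chmod 600 "$SAMPLE_LISTING"
```

On a live DC, run `check_dc_principals /tmp/kt.txt DC1 dc1.example.com EXAMPLE.COM` against the saved listing and `keytab_perms_ok /etc/krb5.keytab` against the keytab itself; a missing `host/` entry is the gap the last question in the thread is about.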