Hello,

Maybe this is an FAQ but I have not really found a clear answer on the web...
I have an already functional kerberos domain.
I want to add a samba4 ad dc that uses this existing domain.
Is there any way to make this setup work ?

What I have tried :
- I have added the administrator@EXAMPLE.COM in my kdc
- In my samba server I have set up the krb5.conf so that I can do a kinit administrator that works
- in the samba dns I have changed all the srv and server names concerning kerberos to the external kerberos server
- in the smb.conf I have removed the kdc as server services

What seems to work :
when I do a samba-tool dns zoneinfo localhost example.com it asks me for DOMAIN\root password... Well...
If I first do a kinit administrator@EXAMPLE.COM and then the samba-tool command, it asks me for the administrator@EXAMPLE.COM password and that works correctly.

But I wonder why the samba-tool keeps asking me for the password, as the klist gives me a valid krbtgt/EXAMPLE.COM@EXAMPLE.COM

Or maybe I'm totally wrong ? Maybe I don't do the correct testing ?

Does somebody have some info ? Or link ?

Thanks in advance.

f.g.

On Wed, 2014-07-02 at 10:52 +0200, Frédéric Goudal wrote:
> Hello,
>
> Maybe this is an FAQ but I have not really found a clear answer on the web...
> I have an already functional kerberos domain.
> I want to add a samba4 ad dc that uses this existing domain.
> Is there any way to make this setup work ?

No. The only option would be to migrate that domain into Samba.

Sorry,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba