Hello,

I have these questions regarding samba running in ads mode such that users are authenticated against active directory:

1. What is the role of 'kinit'?
2. How often must 'kinit user@domain.local' be run?
3. What are the consequences of an expired or non-existent klist?
4. Why does "kinit 'DOMAIN\user'" fail but "kinit user@DOMAIN.LOCAL" succeed?
5. With kinit, must I use uppercase characters when specifying DOMAIN or DOMAIN.LOCAL?
6. When calling kinit, must user@domain.local be a domain admin?
7. What is the role of 'net ads join -U user@domain'?
8. How often must "net ads join -U user@domain" be run?
9. What are the consequences of running samba/ads on a machine that has not been joined to the domain?
10. When calling "net ads join", must user@domain be a domain admin?
11. How do I go about discovering the root cause for this error:

[root@myhost ~]# net ads join -U foo@DOMAIN.LOCAL
Enter csa@DOMAIN.LOCAL's password:
ldb: unable to stat module /usr/lib64/samba/ldb : No such file or directory
Using short domain name -- DOMAIN
Joined 'MYHOST' to dns domain 'domain.local'
DNS update failed: NT_STATUS_INVALID_PARAMETER

==

My guesses:

A1: To create a kerberos ticket (which prompts Q3)
A7: To join a computer to the domain (which prompts Q9)
A8: Only once -- the result is saved in a file called secrets.tdb

==

Thank you,

Chris
On 25/04/16 21:38, Chris Stankevitz wrote:
> Hello,
>
> I have these questions regarding samba running in ads mode such that
> users are authenticated against active directory:
>
> 1. What is the role of 'kinit'?

Basically to create a kerberos ticket for a user

> 2. How often must 'kinit user@domain.local' be run?

If you take my advice, never, you shouldn't be using a .local domain. You may however run 'kinit user@DOMAIN.TLD' to ensure there is a kerberos ticket before doing something that requires authentication.

> 3. What are the consequences of an expired or non-existent klist?

You cannot do, whatever it was you tried to do, if it required authentication.

> 4. Why does "kinit 'DOMAIN\user'" fail but "kinit user@DOMAIN.LOCAL" succeed?

Because the first is a username and the second is a UPN (user principal name)

> 5. With kinit, must I use uppercase characters when specifying DOMAIN
> or DOMAIN.LOCAL?

Uppercase

> 6. When calling kinit, must user@domain.local be a domain admin?

No, all users can get a ticket

> 7. What is the role of 'net ads join -U user@domain'?

It is used to join a Unix computer to a domain.

> 8. How often must "net ads join -U user@domain" be run?

Whenever you want to join a Unix computer to a domain.

> 9. What are the consequences of running samba/ads on a machine that
> has not been joined to the domain?

About the same as running windows on a computer that isn't joined to the domain.

> 10. When calling "net ads join", must user@domain be a domain admin?

No, a normal user can join as long as they have the 'SeMachineAccountPrivilege'

> 11. How do I go about discovering the root cause for this error:
>
> [root@myhost ~]# net ads join -U foo@DOMAIN.LOCAL
> Enter csa@DOMAIN.LOCAL's password:
> ldb: unable to stat module /usr/lib64/samba/ldb : No such file or directory
> Using short domain name -- DOMAIN
> Joined 'MYHOST' to dns domain 'domain.local'
> DNS update failed: NT_STATUS_INVALID_PARAMETER
>
> ==

Find out why you do not have /usr/lib64/samba/ldb

Rowland

> My guesses:
>
> A1: To create a kerberos ticket (which prompts Q3)
>
> A7: To join a computer to the domain (which prompts Q9)
>
> A8: Only once -- the result is saved in a file called secrets.tdb
>
> ==
>
> Thank you,
>
> Chris
Just to expand on a couple of Rowland's answers...

On Tue, 26 Apr 2016, Rowland penny wrote:
> On 25/04/16 21:38, Chris Stankevitz wrote:
>>
>> 2. How often must 'kinit user@domain.local' be run?
>
> If you take my advice, never, you shouldn't be using a .local domain.
> You may however run 'kinit user@DOMAIN.TLD' to ensure there is a kerberos
> ticket before doing something that requires authentication.

>> 5. With kinit, must I use uppercase characters when specifying DOMAIN
>> or DOMAIN.LOCAL?
>
> Uppercase

The reason it's uppercase is because you are specifying the kerberos realm, not the domain. Domain names are lowercase, but realms are uppercase. The two are usually the same, other than case.

Note that if your /etc/krb5.conf is configured with your realm as the default_realm, you don't need to specify @REALM at all, the 'kinit user' alone will do.

>> 8. How often must "net ads join -U user@domain" be run?
>
> Whenever you want to join a Unix computer to a domain.

Normally, this is only once, as you correctly guessed.

>> 10. When calling "net ads join", must user@domain be a domain admin?
>
> No, a normal user can join as long as they have the
> 'SeMachineAccountPrivilege'

Note that only domain admins have this privilege by default.
Rowland,

Thank you. I read the O'Reilly book chapter 10, but I am still unclear on the requirements. If you have an idea for another book/man to read, please let me know and I will read it.

On Mon, Apr 25, 2016 at 11:48 PM, Rowland penny <rpenny@samba.org> wrote:
> You may however run 'kinit user@DOMAIN.TLD' to ensure there is a kerberos
> ticket before doing something that requires authentication.

Please consider this use case:

$ grep -e security -e username\ map /etc/samba/smb.conf
username map = /etc/samba/DomainToLocalMapping.txt
security = ads

$ grep cstankevitz /etc/samba/DomainToLocalMapping.txt
cstankevitz = DOMAIN.TLD\cstankevitz DOMAIN\cstankevitz

A linux client connects to the samba server and specifies a username of "DOMAIN\cstankevitz" and a password that matches the password stored on a Microsoft Windows AD Server.

12. Does the use case above require someone to run kinit on the samba server before the client attempts a connection?

If yes:

12a. Will the ticket supplied by kinit expire?
12b. Does kinit need to be run periodically? e.g. when the ticket expires or when the computer reboots?
12c. Which username should I provide to kinit for this use case? Should it have any particular privilege?
12d. If kinit has not been properly run, what specifically will fail and what specifically will be shown in a verbose samba log?

>> 9. What are the consequences of running samba/ads on a machine that
>> has not been joined to the domain?
>
> About the same as running windows on a computer that isn't joined to the
> domain.

13. Does my use case above require the samba computer to be joined to the windows domain?

If yes:

13a. If the samba computer has not been joined to the domain, what specifically will fail and what specifically will be shown in a verbose samba log?

> Find out why you do not have /usr/lib64/samba/ldb

Thank you. I'm embarrassed that I didn't see that.

Thank you again,

Chris
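An added example (not code from this thread, and not Samba's or MIT Kerberos' own logic) that ties together the realm-versus-domain point in the previous reply and the username map use case above: it parses a constructed username map file and a constructed krb5.conf default_realm, then rewrites a client-supplied login such as DOMAIN\cstankevitz into the user@REALM principal form that kinit accepts, which is why the bare DOMAIN\user form fails. It assumes the short domain name belongs to the default realm; the wildcard and @group forms of the username map are left out.

```python
import re

# Constructed sample of the thread's smb.conf "username map" file; Samba's
# format is "unixname = windowsname1 windowsname2 ..." (wildcards/@group omitted).
USERNAME_MAP = """\
# map AD logins to the local account
cstankevitz = DOMAIN.TLD\\cstankevitz DOMAIN\\cstankevitz
"""

# Constructed /etc/krb5.conf fragment; assumes default_realm is configured.
KRB5_CONF = """\
[libdefaults]
    default_realm = DOMAIN.TLD
"""

def parse_username_map(text):
    """Return {lowercased domain login: unix name}; Samba matches case-insensitively."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if "=" not in line:
            continue
        unix_name, _, domain_logins = line.partition("=")
        for login in domain_logins.split():
            mapping[login.lower()] = unix_name.strip()
    return mapping

def default_realm(krb5_text):
    """Realm from [libdefaults] default_realm; realms are written in uppercase."""
    match = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_text, re.MULTILINE)
    return match.group(1).upper() if match else None

def to_principal(login, realm):
    """Rewrite a login into the user@REALM form kinit needs.

    'DOMAIN\\user' is a NetBIOS-style username, not a principal, which is why
    kinit rejects it. Assumption (hypothetical simplification): the short
    domain name belongs to the default realm; a multi-domain forest needs a table.
    """
    if "@" in login:                      # already a UPN: only normalise case
        user, _, dns_domain = login.partition("@")
        return f"{user}@{dns_domain.upper()}"
    if "\\" in login:                     # DOMAIN\user
        _, _, user = login.partition("\\")
        return f"{user}@{realm}"
    return f"{login}@{realm}"             # bare name: kinit would use default_realm

def resolve(login, map_text=USERNAME_MAP, krb5_text=KRB5_CONF):
    """(unix account or None, Kerberos principal) for a client-supplied login."""
    unix_name = parse_username_map(map_text).get(login.lower())
    return unix_name, to_principal(login, default_realm(krb5_text))
```

A login that is absent from the map resolves to no unix account but still yields a well-formed principal, which is the case to watch for in the samba log when a mapped user cannot connect.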