Thomas Schweikle
2019-Oct-16 16:24 UTC
[Samba] Can't setup kerberos auth for samba4 server?
It is not a member server, it's the PDC. And after configuring /etc/krb5.conf you'll be able to

# kinit Administrator
Passwort für Administrator@ADA.DE:
Warnung: Ihr Passwort wird in 39 Tagen am Mo 25 Nov 2019 08:22:41 CET ablaufen.

And now:

# net ads join -k
Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.

But to authenticate on this PDC against the running samba I need some way to have /etc/krb5.keytab created ... some Howto on how this would be done would be nice!

On Wed, Oct 16, 2019 at 11:39 AM L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

> If this is a member server.
>
> Just install minimal debian server + ssh.
> Point dns (resolv.conf) to AD-DC.
> search ada.de
> nameserver IP_AD_DC
>
> Now apt-get install samba winbind acl attr krb5-user
> Keep all default, you don't need to change anything..
>
> After the install of all packages.
>
> systemctl stop smbd winbind (optional nmbd)
> (optional : systemctl disable nmbd)
>
> Setup the correct smb.conf for a member server
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> kinit Administrator
> net ads join -k
>
> systemctl enable smbd winbind (optional nmbd)
> systemctl start smbd winbind (optional nmbd)
>
> Enjoy, it's that simple..
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Thomas Schweikle via samba
> > Sent: Wednesday 16 October 2019 10:57
> > To: Samba
> > Subject: [Samba] Can't setup kerberos auth for samba4 server?
> >
> > Hi!
> >
> > Setup: Debian, Samba 4.11
> >
> > After successfully setting up samba4, I want this machine to authenticate against the running samba4-server. I've created /etc/krb5.conf:
> >
> > [libdefaults]
> >     default_realm = ADA.DE
> >     dns_lookup_realm = false
> >     dns_lookup_kdc = true
> >
> >     kdc_timesync = 1
> >     ccache_type = 4
> >     forwardable = true
> >     proxiable = true
> >
> >     fcc-mit-ticketflags = true
> >
> > [realms]
> >     ADA.DE = {
> >         kdc = ad01.ada.de
> >         kdc = ad02.ada.de
> >         admin_server = ad01.ada.de
> >         chpasswd_server = ad01.ada.de
> >         default_domain = ada.de
> >     }
> >
> > [domain_realm]
> >     .ada.de = ADA.DE
> >     ada.de = ADA.DE
> >
> > kinit works:
> > # kinit Administrator
> > Passwort für Administrator@ADA.DE:
> > Warnung: Ihr Passwort wird in 39 Tagen am Mo 25 Nov 2019 08:22:41 CET ablaufen.
> > # klist
> > Ticketzwischenspeicher: FILE:/tmp/krb5cc_0
> > Standard-Principal: Administrator@ADA.DE
> >
> > Valid starting       Expires              Service principal
> > 16.10.2019 10:22:13  16.10.2019 20:22:13  krbtgt/ADA.DE@ADA.DE
> >         erneuern bis 17.10.2019 10:22:08
> >
> > But:
> > # net ads join -k
> > Host is not configured as a member server.
> > Invalid configuration. Exiting....
> > Failed to join domain: This operation is only allowed for the PDC of the domain.
> >
> > It is quite true this host is not configured as a member server -- it is the PDC! So what do I have to do to make this host use the running samba4 to authenticate users? sssd fails because it can't find /etc/krb5.keytab.
> >
> > /etc/sssd/sssd.conf is set to:
> > [sssd]
> > services = nss, pam, autofs
> > domains = ADA.DE
> > debug_level = 0x0270
> >
> > [domain/ADA.DE]
> > enumerate = true
> > cache_credentials = True
> > krb5_realm = ADA.DE
> > ldap_search_base = dc=ada,dc=de
> > krb5_server = ad01.ada.de, ad02.ada.de
> > id_provider = ad
> > auth_provider = ad
> > ldap_uri = ldap://ad01.ada.de:389/, ldap://ad02.ada.de:389/
> > ldap_id_use_start_tls = True
> > ldap_tls_cacertdir = /etc/openldap/cacerts
> > debug_level = 0x0270
> >
> > [nss]
> > homedir_substring = /home
> > debug_level = 0x0270
> >
> > [pam]
> > debug_level = 0x0270
> >
> > [sudo]
> > debug_level = 0x0270
> >
> > [autofs]
> > debug_level = 0x0270
> >
> > [ssh]
> > debug_level = 0x0270
> >
> > [pac]
> > debug_level = 0x0270
> >
> > [ifp]
> > debug_level = 0x0270
> >
> > [secrets]
> > debug_level = 0x0270
> >
> > [session_recording]
> > debug_level = 0x0270
> >
> > Any hint, link, Howto would be great help!
> >
> > --
> > Thomas
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba

--
Thomas
On 16/10/2019 17:24, Thomas Schweikle via samba wrote:
> It is not a member server, it's the PDC.

It is NOT a PDC, that is an NT4-style domain controller, you seem to be talking about an AD DC with the PDC Emulator FSMO role.

> And after configuring /etc/krb5.conf you'll be able to
> # kinit Administrator
> Passwort für Administrator@ADA.DE:
> Warnung: Ihr Passwort wird in 39 Tagen am Mo 25 Nov 2019 08:22:41 CET ablaufen.

Your /etc/krb5.conf needs to contain only this:

[libdefaults]
    default_realm = ADA.DE
    dns_lookup_realm = false
    dns_lookup_kdc = true

> And now:
> # net ads join -k

NO, not on an AD DC, you cannot join it to the domain, it is already joined

> Host is not configured as a member server.
> Invalid configuration. Exiting....
> Failed to join domain: This operation is only allowed for the PDC of the domain.
>
> But to authenticate on this PDC

This is not a PDC

> against the running samba I need some way to have /etc/krb5.keytab created ... some Howto on how this would be done would be nice!

Why didn't you say that in the first place ;-)

samba-tool domain exportkeytab /etc/krb5.keytab

Now you know how to create the keytab, why do you need it?

Rowland
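Rowland's reply makes two concrete points: a DC's /etc/krb5.conf should carry only the three [libdefaults] directives (KDC discovery goes through the AD DNS records, not hard-coded kdc = lines), and the keytab sssd wants is produced with samba-tool domain exportkeytab. The following Python is an added example, written for this page and not code from the thread or from the Samba project: it parses a krb5.conf and reports everything beyond that minimal form, using Thomas's posted config as input, and it audits a klist -kt listing of the exported keytab. The keytab part rests on two assumptions stated in the code: the klist -kt column layout (KVNO, date, time, principal) and a constructed sample listing. It is worth knowing that samba-tool domain exportkeytab without --principal dumps the keys of all principals in the domain, krbtgt included, so a host keytab meant for sssd should be exported with --principal for the host's own principals and kept root-owned with mode 0600; the audit flags any other key it finds.

```python
"""Audit a Samba AD DC's /etc/krb5.conf against the minimal three-directive
form recommended in the thread, and audit a `klist -kt` listing of the keytab
written by `samba-tool domain exportkeytab`.

Added example; not Samba's tooling and not code posted in the thread.
"""
import re

# The only [libdefaults] directives Rowland says an AD DC's krb5.conf needs.
MINIMAL_LIBDEFAULTS = {"default_realm", "dns_lookup_realm", "dns_lookup_kdc"}

# Thomas's posted /etc/krb5.conf, taken from the thread (mail-client link
# residue removed).
OP_KRB5_CONF = """\
[libdefaults]
    default_realm = ADA.DE
    dns_lookup_realm = false
    dns_lookup_kdc = true

    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

    fcc-mit-ticketflags = true

[realms]
    ADA.DE = {
        kdc = ad01.ada.de
        kdc = ad02.ada.de
        admin_server = ad01.ada.de
        chpasswd_server = ad01.ada.de
        default_domain = ada.de
    }

[domain_realm]
    .ada.de = ADA.DE
    ada.de = ADA.DE
"""

# The minimal DC krb5.conf from Rowland's reply.
MINIMAL_KRB5_CONF = """\
[libdefaults]
    default_realm = ADA.DE
    dns_lookup_realm = false
    dns_lookup_kdc = true
"""

# Constructed sample of `klist -kt /etc/krb5.keytab` output (assumed column
# layout: KVNO, date, time, principal); not output captured from the thread.
SAMPLE_KLIST_KT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 10/16/2019 10:22:13 host/ad01.ada.de@ADA.DE
   1 10/16/2019 10:22:13 AD01$@ADA.DE
   1 10/16/2019 10:22:13 krbtgt/ADA.DE@ADA.DE
   1 10/16/2019 10:22:13 Administrator@ADA.DE
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values]}}.

    Nested blocks such as `ADA.DE = { kdc = ... }` are flattened to the key
    "ADA.DE.kdc"; repeated keys (several kdc lines) accumulate in the list.
    """
    sections, current, prefix = {}, None, []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            prefix = []
        elif current is None:
            continue  # directive before any section header: ignore
        elif line.endswith("{"):
            prefix.append(line[:-1].split("=", 1)[0].strip())
        elif line == "}":
            prefix.pop()
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].setdefault(".".join(prefix + [key]), []).append(value)
    return sections


def audit_dc_krb5_conf(text):
    """Return findings for everything beyond the minimal DC krb5.conf."""
    conf = parse_krb5_conf(text)
    lib = conf.get("libdefaults", {})
    findings = []
    if "default_realm" not in lib:
        findings.append("[libdefaults] default_realm is missing")
    # A DC locates KDCs through the AD DNS SRV records, so dns_lookup_kdc must
    # stay true instead of being replaced by hard-coded kdc = lines.
    if lib.get("dns_lookup_kdc", ["false"])[0].lower() != "true":
        findings.append("[libdefaults] dns_lookup_kdc should be true")
    for key in lib:
        if key not in MINIMAL_LIBDEFAULTS:
            findings.append(f"[libdefaults] extra directive: {key}")
    for section, entries in conf.items():
        if section != "libdefaults":
            findings.append(f"extra section [{section}]: {', '.join(entries)}")
    return findings


def parse_klist_kt(listing):
    """Return the principals from `klist -kt` output (KVNO date time principal)."""
    entry = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s*$")
    return [m.group(1) for m in map(entry.match, listing.splitlines()) if m]


def audit_keytab_listing(listing, fqdn, realm):
    """Flag keytab contents a host keytab for sssd should not carry.

    A full `samba-tool domain exportkeytab` (no --principal) writes the keys
    of all principals in the domain; the host keytab only needs the host's
    own principals, so every other key is reported.
    """
    principals = parse_klist_kt(listing)
    host_spn = f"host/{fqdn}@{realm}"
    findings = [] if host_spn in principals else [f"missing {host_spn}"]
    for p in principals:
        if p.startswith("krbtgt/"):
            findings.append(f"{p}: ticket-granting key must not live in a host keytab")
        elif not (p.startswith("host/") or p.endswith(f"$@{realm}")):
            findings.append(f"{p}: not a host key; restrict the export with --principal")
    return findings


if __name__ == "__main__":
    for finding in audit_dc_krb5_conf(OP_KRB5_CONF):
        print("krb5.conf:", finding)
    for finding in audit_keytab_listing(SAMPLE_KLIST_KT, "ad01.ada.de", "ADA.DE"):
        print("keytab:", finding)
```

Run against Thomas's config the audit reports the five extra [libdefaults] directives and the [realms] and [domain_realm] sections; against Rowland's three-line file it reports nothing. On a real DC, feed it the output of `klist -kt /etc/krb5.keytab` after the export to confirm only the host's principals ended up in the file.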
Thomas Schweikle
2019-Oct-21 14:26 UTC
[Samba] Can't setup kerberos auth for samba4 server?
On Wed, Oct 16, 2019 at 6:36 PM Rowland penny via samba <samba at lists.samba.org> wrote:

> On 16/10/2019 17:24, Thomas Schweikle via samba wrote:
> > It is not a member server, it's the PDC.
> It is NOT a PDC, that is an NT4-style domain controller, you seem to be talking about an AD DC with the PDC Emulator FSMO role.
> > And after configuring /etc/krb5.conf you'll be able to
> > # kinit Administrator
> > Passwort für Administrator@ADA.DE:
> > Warnung: Ihr Passwort wird in 39 Tagen am Mo 25 Nov 2019 08:22:41 CET ablaufen.
>
> Your /etc/krb5.conf needs to contain only this:
>
> [libdefaults]
>     default_realm = ADA.DE
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
> > And now:
> > # net ads join -k
> NO, not on an AD DC, you cannot join it to the domain, it is already joined
> > Host is not configured as a member server.
> > Invalid configuration. Exiting....
> > Failed to join domain: This operation is only allowed for the PDC of the domain.
> >
> > But to authenticate on this PDC
> This is not a PDC
> > against the running samba I need some way to have /etc/krb5.keytab created ... some Howto on how this would be done would be nice!
>
> Why didn't you say that in the first place ;-)
>
> samba-tool domain exportkeytab /etc/krb5.keytab
>
> Now you know how to create the keytab, why do you need it?

I want this server itself to authenticate against samba. I do not want to have the user base more than once. sssd seems to need a working /etc/krb5.keytab.

> Rowland

--
Thomas