On Tue, 2021-05-11 at 21:02 -0400, Ron Murray via samba wrote:
> I've been running Samba at home now for at least 20 years. With the
> discovery that Windows 10 won't do NT4 networks, I figured that I might
> as well upgrade to AD, since Samba can now be an AD domain controller.
>
> I've been running (MIT) Kerberos for almost that long as well (it's
> handy for authenticating to servers), and at first I was discouraged by
> Samba's insistence on Heimdal Kerberos. Eventually, I switched, and got
> that (mostly) working.
>
> Then I started to install Samba AD, and discovered that Samba seems to
> have an inbuilt KDC. Is this correct? Should I be running Samba's
> inbuilt Kerberos instead? I can't find anything in the documentation
> mentioning using a pre-existing Kerberos.

Yes, the reason we don't have anything about using a pre-existing
Kerberos is that it isn't possible. We need to provide the backend DB
to the KDC, so that it matches all the other protocols and includes the
PAC etc.

> Anyway, I limped along, installed as best I could, disabled Samba's kdc
> in smb.conf, but my heimdal-kdc .log keeps giving errors like
>
> Looking for ENC-TS pa-data -- COMPUTER$@EXAMPLE.COM
>
> where "COMPUTER" is my KDC/AD controller.
>
> Perhaps I missed something in the instructions, because there's
> obviously no such entry in my Kerberos database. Is this because I
> should be using Samba's KDC, or is it something else?

Yes, you need Samba's KDC.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
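A check for the misconfiguration this exchange turns on, added here as an example and not part of the thread or of Samba's own tooling: it reads an smb.conf and reports whether `server services` has removed the built-in KDC (the `-kdc` form, or an explicit service list that leaves `kdc` out), which is exactly what an AD DC must not do. It assumes the usual `key = value` layout and only honours the `[global]` section; the configs fed to it in testing are constructed, not taken from the thread.

```shell
#!/bin/sh
# Added example, not Samba project code. Reports whether an smb.conf
# disables Samba's built-in KDC via 'server services'. Exit 0 = kdc active.
#
# Stand-alone use:  sh smb_kdc_check.sh /etc/samba/smb.conf

# Print the raw 'server services' value from [global], or nothing if unset.
# Assumption: one 'key = value' per line; other sections are ignored.
smb_server_services() {
    awk '
        /^[[:space:]]*\[/ {
            in_global = (tolower($0) ~ /^[[:space:]]*\[global\][[:space:]]*$/)
            next
        }
        in_global && tolower($0) ~ /^[[:space:]]*server[[:space:]]+services[[:space:]]*=/ {
            val = $0
            sub(/^[^=]*=[[:space:]]*/, "", val)   # drop "server services ="
            sub(/[[:space:]]+$/, "", val)         # trailing whitespace
        }
        END { print val }
    ' "$1"
}

# Return 0 when the KDC service will run, 1 when the config removes it.
smb_kdc_enabled() {
    services=$(smb_server_services "$1")
    # No explicit setting: Samba's AD DC default service list includes kdc.
    [ -z "$services" ] && return 0
    case " $services " in
        *" -kdc "*)       return 1 ;;   # subtractive form: 'server services = -kdc'
        *" +"* | *" -"*)  return 0 ;;   # other +/- tweaks leave the default kdc in place
        *" kdc "*)        return 0 ;;   # explicit list that names kdc
        *)                return 1 ;;   # explicit list that omits kdc
    esac
}

# Command-line entry point; does nothing when no file argument is given.
if [ -n "$1" ] && [ -f "$1" ]; then
    if smb_kdc_enabled "$1"; then
        echo "$1: Samba KDC enabled (server services = '$(smb_server_services "$1")')"
    else
        echo "$1: Samba KDC disabled; an AD DC needs it, fix 'server services'" >&2
        exit 1
    fi
fi
```

On a live DC the effective value is what counts, so `testparm -s --parameter-name='server services'` is the authoritative read after Samba's own parsing, and `kinit` followed by `klist` against the DC is the end-to-end check that tickets are coming from Samba's KDC. A separately packaged heimdal-kdc daemon should be stopped on that host, since Samba's KDC binds the same port 88 and, as the thread notes, the external KDC's database has no entry for the DC's machine account anyway.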
Ah. I thought that might be it. Thanks. You might consider adding a note
to the documentation to that effect.

.....Ron

On Wed, 2021-05-12 at 13:14 +1200, Andrew Bartlett wrote:
> On Tue, 2021-05-11 at 21:02 -0400, Ron Murray via samba wrote:
> > I've been running Samba at home now for at least 20 years. With the
> > discovery that Windows 10 won't do NT4 networks, I figured that I might
> > as well upgrade to AD, since Samba can now be an AD domain controller.
> >
> > I've been running (MIT) Kerberos for almost that long as well (it's
> > handy for authenticating to servers), and at first I was discouraged by
> > Samba's insistence on Heimdal Kerberos. Eventually, I switched, and got
> > that (mostly) working.
> >
> > Then I started to install Samba AD, and discovered that Samba seems to
> > have an inbuilt KDC. Is this correct? Should I be running Samba's
> > inbuilt Kerberos instead? I can't find anything in the documentation
> > mentioning using a pre-existing Kerberos.
>
> Yes, the reason we don't have anything about using a pre-existing
> Kerberos is that it isn't possible. We need to provide the backend DB
> to the KDC, so that it matches all the other protocols and includes the
> PAC etc.
>
> > Anyway, I limped along, installed as best I could, disabled Samba's kdc
> > in smb.conf, but my heimdal-kdc .log keeps giving errors like
> >
> > Looking for ENC-TS pa-data -- COMPUTER$@EXAMPLE.COM
> >
> > where "COMPUTER" is my KDC/AD controller.
> >
> > Perhaps I missed something in the instructions, because there's
> > obviously no such entry in my Kerberos database. Is this because I
> > should be using Samba's KDC, or is it something else?
>
> Yes, you need Samba's KDC.
>
> Andrew Bartlett
>

-- 
Ron Murray <rjmx at rjmx.net>
PGP Fingerprint: 4D99 70E3 2317 334B 141E 7B63 12F7 E865 B5E2 E761