> Hello,
>
> I have two issues with Kerberos administration using Samba and this results
> from my lack of familiarity with it. I am hoping someone can point me in the
> right direction.
>
> The first issue is with automatically renewing the Kerberos tickets. The
> second issue deals with my having to authenticate each time I attempt to join
> an AD domain. The Samba documentation indicates that I should *not* have
> to authenticate when holding a valid Kerberos ticket. When I join an AD
> domain using administrator credentials, I can basically administer a Samba
> server well. 'getent passwd' and 'getent group' work as expected.
>
> I'm running FreeBSD 8.1 using Samba 3.4.9 and using the base Heimdal.
> The AD domain is a W2K3 domain in mixed mode.
>
> I basically used the information from the link listed below to build the
> configuration files listed below:
>
> http://wiki.samba.org/index.php/Samba_%26_Active_Directory
>
> I also looked at several other sources such as:
>
> http://www.freebsd.org/doc/handbook/kerberos5.html
>
> The bottom line is that I'd like to receive a Kerberos ticket using proper
> authentication and use it to execute the 'net ads join' command without
> authentication and then continue to renew the ticket automatically.
>
> Now, what changes do I need to do in order to 1) automatically renew
> Kerberos tickets and 2) be able to execute the 'net ads join' command
> without supplying a password?
>
> Any pointers/assistance would be greatly appreciated! If I've left out
> relevant information, please don't hesitate to let me know.
>
> ~Doug
Doug,

To address the Kerberos ticket issue, on my RHEL 5.5 servers, I enabled "use Kerberos keytab" in my smb.conf:

1. Edit your smb.conf, add "use kerberos keytab = YES"
   Run testparm
   Restart Samba

2. Create a Kerberos keytab in the location that is defined in your krb5.conf file. Mine has "default_keytab_name = FILE:/etc/krb5.keytab" in the [libdefaults] section:

   net ads keytab create

3. Verify the contents of the Kerberos keytab file:

   klist -ke
   Keytab name: FILE:/etc/krb5.keytab
   KVNO Principal
   ---- --------------------------------------------------------------------------
      3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
      3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
      3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
      3 host/[email protected] (DES cbc mode with CRC-32)
      3 host/[email protected] (DES cbc mode with RSA-MD5)
      3 host/[email protected] (ArcFour with HMAC/md5)
      3 [email protected] (DES cbc mode with CRC-32)
      3 [email protected] (DES cbc mode with RSA-MD5)
      3 [email protected] (ArcFour with HMAC/md5)
      4 host/[email protected] (DES cbc mode with CRC-32)
      4 host/[email protected] (DES cbc mode with RSA-MD5)
      4 host/[email protected] (ArcFour with HMAC/md5)
      4 host/[email protected] (DES cbc mode with CRC-32)
      4 host/[email protected] (DES cbc mode with RSA-MD5)
      4 host/[email protected] (ArcFour with HMAC/md5)
      4 [email protected] (DES cbc mode with CRC-32)
      4 [email protected] (DES cbc mode with RSA-MD5)
      4 [email protected] (ArcFour with HMAC/md5)

However I do not know how to enable the execution of the 'net ads join' command without supplying a password.

Regards,
Andrew Philipoff
Infrastructure Coordinator
UCSF Department of Medicine - IT Services
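As an added example (not part of Andrew's reply), a small POSIX sh audit of the `klist -ke` listing from step 3: it extracts the entries, reports the newest KVNO, confirms a host principal is present at that version, and counts single-DES keys, which the listing above still carries. The listing embedded below is constructed to match the shape of the reply; host and realm names are placeholders.

```shell
#!/bin/sh
# Audit a 'klist -ke' listing (constructed sample, modelled on the reply).
# In practice: klist -ke > /tmp/keytab.txt after 'net ads keytab create'.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------
   3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
   3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
   4 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
   4 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
   4 SERVER1$@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)'

# keytab_entries LISTING -> only the data rows: "<kvno> <principal> (<enctype>)"
keytab_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/'
}

# highest_kvno LISTING -> newest key version in the keytab. Two KVNOs side
# by side (3 and 4 above) means keys from two machine-password generations
# are present; the KDC issues tickets for the current one only.
highest_kvno() {
    keytab_entries "$1" | awk '{ if ($1 + 0 > m) m = $1 + 0 } END { print m + 0 }'
}

# weak_entries LISTING -> number of single-DES keys (56-bit, long deprecated)
weak_entries() {
    keytab_entries "$1" | grep -c 'DES cbc' || true
}

# has_principal LISTING PRINCIPAL KVNO -> exit 0 if that principal has a key
# at that version (the host/ key is what a keytab-based kinit would use)
has_principal() {
    keytab_entries "$1" |
        awk -v p="$2" -v k="$3" '$1 == k && $2 == p { f = 1 } END { exit f ? 0 : 1 }'
}

# audit LISTING HOST_PRINCIPAL -> summary line; exit 1 if the host key is missing
audit() {
    kv=$(highest_kvno "$1")
    weak=$(weak_entries "$1")
    n=$(keytab_entries "$1" | awk 'END { print NR }')
    echo "entries=$n newest_kvno=$kv single_des_keys=$weak"
    has_principal "$1" "$2" "$kv"
}
```
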
