On Tue, 2003-09-30 at 21:41, Andrew Smith-MAGAZINES wrote:
> Hi All,
>
> anyone else found that adding a Samba server to an AD domain
> appears to be incompatible with using an AD Kerberos realm to
> provide other Kerberised services such as NFS from the same
> UNIX host?
> Problem I have is that when you join an AD domain through
> Samba 3.x net command this creates a computer account in the
> AD to which the administrator does not know the account password.
> If you follow MS guidelines for configuring other UNIX
> Kerberised services to authenticate against a Windows Kerberos
> realm (AD domain) you are instructed to use a user account not
> a computer account because to generate a keytab file for your
> Kerberised service you must know the password for the Kerberos/AD
> account.
> As you cannot have an AD computer account with the same name as
> an AD user account it would seem to me that using Kerberised
> Samba is mutually exclusive with providing generic Kerberised
> UNIX services from a single UNIX machine. Surely this will cause
> many people problems if this is the case, have I missed something?

This issue is intended to be addressed - but you can find out the
(current) machine account password - just read the plaintext out of the
secrets.tdb (root-only access, naturally). Either tdbtool, or a simple
'less' should show it.

I think there may even have been some patches flying about to fix this,
but I'm not sure...

Feel free to file a bug (if there is not one already present) into
bugzilla.samba.org

Andrew Bartlett

-- 
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
