Hi Bradley,

I've not followed the whole thread, so there might be some information I missed. But if you are running an AD with a Samba member server and trying to use mod_auth_kerb, you only have to create a Kerberos service key on the Windows side, secure copy it onto your webserver, add the key to a possibly already existing keytab with "ktutil", and test the key with a

  kinit -k HTTP/[EMAIL PROTECTED]

or

  kinit -k -t /path/to/keytab HTTP/[EMAIL PROTECTED]

This should give you a ticket without prompting for a password. Then install the mod_auth_kerb module and add some auth lines to your Apache configuration or a .htaccess. This should also be described on the mod_auth_kerb website.

Hope that helps

Bradley Schatz wrote:
Hi Mark,

For some background, I am actually trying to set up a http kerberos service
so that I can use mod_auth_krb in apache2.

Would net ads join createupn=http/foundry.example.local do the trick?

I am on 3.0.22, which does not support this syntax. Any work-arounds?

thanks,

Bradley



On 2/21/07, Mark Proehl <[EMAIL PROTECTED]> wrote:

Hi,

try

  net ads join createupn=host/foundry.example.local

- Mark

On Tue, Feb 20, 2007 at 05:57:47PM +1000, Bradley Schatz wrote:
> I suspect I might be grossly misunderstanding kerberos and AD here, but I
> can't seem to grok the following.
>
> net ads join integrates my linux samba server (named foundry) into an AD
> domain and all works fine. The samba server is using the kerberos keytab.
>
> [EMAIL PROTECTED]:~ # kinit -k -t /etc/krb5.keytab foundry$
> [EMAIL PROTECTED]:~ # kinit -k -t /etc/krb5.keytab host/foundry.example.local
> kinit(v5): Client not found in Kerberos database while getting initial
> credentials
>
> Why can't kinit find the service host/foundry.example.local in the AD
> Kerberos database? It seems to be in the local linux server keylist:
>
> [EMAIL PROTECTED]:~ # klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>   2 host/[EMAIL PROTECTED]
>   2 host/[EMAIL PROTECTED]
> .... cut ...
>
> What am I missing here?
>
> Thanks,
>
> Bradley
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
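
Added example, not part of the thread or of any poster's message: after merging the Windows-generated service key with ktutil as described in the top reply, a reader for the MIT keytab file format (0x0502) can confirm the HTTP/ entry and its KVNO are present before the `kinit -k` test. The realm EXAMPLE.LOCAL, the all-zero keys and the helper names are constructed assumptions.

```python
import struct

def _counted(buf, p):  # uint16 length-prefixed octet string -> (data, next_offset)
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(blob):
    """Return [(principal, kvno, enctype)] from an MIT keytab, file format 0x0502."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        if end > len(blob):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        realm, p = _counted(blob, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(blob, p)
            comps.append(comp.decode())
        p += 8                             # skip name_type and timestamp
        kvno, etype = struct.unpack_from(">BH", blob, p)   # 8-bit KVNO, enctype
        _key, p = _counted(blob, p + 3)    # key bytes are never returned
        if end - p >= 4:                   # optional 32-bit KVNO overrides if set
            kvno = struct.unpack_from(">I", blob, p)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
        pos = end
    return entries

def missing_services(blob, wanted):
    """Service names (without realm) from `wanted` that have no key in the keytab."""
    present = {princ.split("@")[0] for princ, _, _ in parse_keytab(blob)}
    return [w for w in wanted if w not in present]

def build_entry(name, realm, kvno, etype=23, key=b"\0" * 16):
    cs = lambda b: struct.pack(">H", len(b)) + b
    comps = name.encode().split(b"/")
    body = struct.pack(">H", len(comps)) + cs(realm.encode()) + b"".join(map(cs, comps))
    body += struct.pack(">IIBH", 1, 0, kvno, etype) + cs(key)
    return struct.pack(">i", len(body)) + body

# Constructed sample (dummy keys); realm is assumed, the page's realm is redacted.
SAMPLE = (b"\x05\x02" + build_entry("host/foundry.example.local", "EXAMPLE.LOCAL", 2)
          + build_entry("HTTP/foundry.example.local", "EXAMPLE.LOCAL", 3))
```

On a real host the input would be the bytes of the keytab file, which should be readable only by root or the web server account.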
