RE: [Samba] "net ads join" Kerberos credentials only after "kinit"?

2003-10-02 Thread Axel Suppantschitsch
You might be right, but the use of "kinit" is only mentioned for testing
purposes, but not as an essential part of the implementation...

My process generates following credentials:

[EMAIL PROTECTED] root]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
10/01/03 14:24:47  10/02/03 00:25:36  krbtgt/[EMAIL PROTECTED]
        renew until 10/02/03 14:24:47
10/01/03 14:25:57  10/02/03 00:25:36  [EMAIL PROTECTED]
        renew until 10/02/03 14:24:47
10/01/03 14:25:57  10/01/03 14:27:57  kadmin/[EMAIL PROTECTED]
        renew until 10/01/03 14:27:57


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[EMAIL PROTECTED] root]#

Your process generates following credentials:

[EMAIL PROTECTED] root]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
10/02/03 13:16:21  10/02/03 23:17:10  krbtgt/[EMAIL PROTECTED]
        renew until 10/03/03 13:16:21


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[EMAIL PROTECTED] root]#

Any suggestions?

Regards, Axel.

Quoting Andrew Smith-MAGAZINES <[EMAIL PROTECTED]>:

> The purpose of "net ads join -U Administrator%password" (password is
> required) is not to obtain a Kerberos ticket but to create a computer account
> in the AD thereby setting up the trust required for other clients to
> authenticate to the Samba server with an AD Kerberos TGT. Use kinit from any
> client system, after doing the net ads join on the Samba server, to get your
> TGT and I think you'll find everything works as intended,
> 
> thanks Andy.
> 
> -Original Message-
> From: Axel Suppantschitsch [mailto:[EMAIL PROTECTED]
> Sent: 02 October 2003 10:29
> To: [EMAIL PROTECTED]
> Subject: [Samba] "net ads join" Kerberos credentials only after "kinit"?
> 
> 
> According to the latest version of the Samba Documentation there are three major
> steps to add a samba server as member server to an ADS:
> 
> 1.) Configure samba correctly to use ADS (smb.conf).
> 2.) Configure Kerberos correctly to work with ADS KDC (krb5.conf).
> 3.) Join the samba server with "net ads join -U Administrator".
> 
> Well, all this sounds good, but it definitely doesn't work, you won't have any
> kerberos tickets in your credentials cache after this process. So either the
> samba documentation is incomplete, or there is a bug in samba.
> 
> Anyway, it seems that I found a workable solution:
> 
> I use Samba 3.0.0 release.
> I use MIT Kerberos libraries 1.3.1 (Don't know if this works with Heimdal).
> I tested this with Windows 2000 and Windows 2003 Servers. It worked on both.
> 
> 
> 1.) Do a "kinit [EMAIL PROTECTED]". This will get you initial kerberos
> credentials. It is essential to get credentials _BEFORE_ step #2!
> 2.) Do a "net ads join". This will use your kerberos credentials from step #1
> and add the samba server to your ADS domain without the need to specify a
> username or a password.
> 3.) Do a "klist" and you will see three different tickets in your kerberos
> credentials cache.
> 4.) Do a "smbclient -k \\windowsserver\share" and it should connect you without
> entering username and password.
> 
> At this point I ask you guys, whether this is a bug or a feature:
> 
> 1.) If it is a feature the samba documentation needs to be changed in order to
> require valid Administrator kerberos credentials _BEFORE_ doing a "net ads
> join". This needs to be explicitly mentioned!
> 
> 2.) If it is a bug, you know what you have to do... ;)
> 
> Hope this helps all the guys out there struggling with the same problem and
> asking me for help... ;)
> 
> Regards, Axel. 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
> 
> BBCi at http://www.bbc.co.uk/
> 
> This e-mail (and any attachments) is confidential and may contain personal
> views which are not the views of the BBC unless specifically
> stated.
> If you have received it in error, please delete it from your system. Do not
> use, copy or disclose the information in any way nor act in
> reliance on it and notify the sender immediately. Please note that the BBC
> monitors e-mails sent or received.
> Further communication will signify your consent to this.
> 
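The two klist listings above differ only in which tickets the cache holds after the join step. The script below is an added example, not something from this thread or from Samba: it parses klist output in the layout shown above, reports whether a krbtgt ticket is cached (the precondition Axel's kinit-first recipe relies on), and shows which tickets a later step added. The cache contents, principals, realm and hostname in the samples are constructed placeholders; on a real host you would capture `klist 2>/dev/null` before and after running `net ads join`.

```shell
#!/bin/sh
# Added example (not from the thread): parse MIT klist output in the layout
# shown in the thread and gate "net ads join" on a cached TGT being present.
# Principals, realm and hostname below are constructed placeholders.

# Constructed sample: the cache after "kinit" followed by "net ads join"
# (TGT, one service ticket, one short-lived kadmin ticket).
AFTER_JOIN='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@EXAMPLE.COM

Valid starting     Expires            Service principal
10/01/03 14:24:47  10/02/03 00:25:36  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 10/02/03 14:24:47
10/01/03 14:25:57  10/02/03 00:25:36  host/dc1.example.com@EXAMPLE.COM
        renew until 10/02/03 14:24:47
10/01/03 14:25:57  10/01/03 14:27:57  kadmin/changepw@EXAMPLE.COM
        renew until 10/01/03 14:27:57'

# Constructed sample: a cache holding only the TGT, as after a bare "kinit".
TGT_ONLY='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@EXAMPLE.COM

Valid starting     Expires            Service principal
10/02/03 13:16:21  10/02/03 23:17:10  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 10/03/03 13:16:21'

# Constructed sample: no credentials at all (klist prints nothing useful).
NO_CACHE=''

# ticket_principals KLIST_OUTPUT: print one service principal per line.
# Ticket rows under the "Valid starting" header have five fields (start date,
# start time, expiry date, expiry time, principal); "renew until" rows have four.
ticket_principals() {
    printf '%s\n' "$1" | awk '
        /^Valid starting/ { in_table = 1; next }
        in_table && NF == 5 && $5 ~ /@/ { print $5 }
    '
}

# default_principal KLIST_OUTPUT: the principal the cache was obtained for.
default_principal() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: //p'
}

# has_tgt KLIST_OUTPUT: succeed only if a krbtgt/ ticket is cached.
has_tgt() {
    ticket_principals "$1" | grep -q '^krbtgt/'
}

# count_tickets KLIST_OUTPUT: number of cached tickets.
count_tickets() {
    ticket_principals "$1" | wc -l | tr -d ' '
}

# new_tickets BEFORE AFTER: principals present in AFTER but not in BEFORE,
# i.e. what a step such as "net ads join" added to the cache.
new_tickets() {
    before=$(ticket_principals "$1")
    ticket_principals "$2" | while IFS= read -r p; do
        printf '%s\n' "$before" | grep -qxF -- "$p" || printf '%s\n' "$p"
    done
}

# pre_join_check KLIST_OUTPUT: the gate the kinit-first recipe implies.
# Returns 0 when a TGT is cached, 1 (with a hint) when it is not.
pre_join_check() {
    if has_tgt "$1"; then
        printf 'TGT cached for %s; net ads join can use it\n' "$(default_principal "$1")"
        return 0
    fi
    printf 'no krbtgt ticket in cache; run kinit first\n' >&2
    return 1
}

# Stand-alone demo on the constructed samples.
pre_join_check "$TGT_ONLY"
printf 'tickets added by the join step:\n'
new_tickets "$TGT_ONLY" "$AFTER_JOIN"
```

In practice the check runs as `pre_join_check "$(klist 2>/dev/null)" && net ads join`, and the before/after comparison makes the difference between the two listings in this thread explicit: one cache holds only the krbtgt entry, the other holds the extra tickets the join obtained.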


RE: [Samba] "net ads join" Kerberos credentials only after "kinit"?

2003-10-02 Thread Andrew Smith-MAGAZINES
The purpose of "net ads join -U Administrator%password" (password is required) is not 
to obtain a Kerberos ticket but to create a computer account in the AD thereby setting 
up the trust required for other clients to authenticate to the Samba server with an AD 
Kerberos TGT. Use kinit from any client system, after doing the net ads join on the 
Samba server, to get your TGT and I think you'll find everything works as intended,

thanks Andy.

-Original Message-
From: Axel Suppantschitsch [mailto:[EMAIL PROTECTED]
Sent: 02 October 2003 10:29
To: [EMAIL PROTECTED]
Subject: [Samba] "net ads join" Kerberos credentials only after "kinit"?


According to the latest version of the Samba Documentation there are three major
steps to add a samba server as member server to an ADS:

1.) Configure samba correctly to use ADS (smb.conf).
2.) Configure Kerberos correctly to work with ADS KDC (krb5.conf).
3.) Join the samba server with "net ads join -U Administrator".

Well, all this sounds good, but it definitely doesn't work, you won't have any
kerberos tickets in your credentials cache after this process. So either the
samba documentation is incomplete, or there is a bug in samba.

Anyway, it seems that I found a workable solution:

I use Samba 3.0.0 release.
I use MIT Kerberos libraries 1.3.1 (Don't know if this works with Heimdal).
I tested this with Windows 2000 and Windows 2003 Servers. It worked on both.

1.) Do a "kinit [EMAIL PROTECTED]". This will get you initial kerberos
credentials. It is essential to get credentials _BEFORE_ step #2!
2.) Do a "net ads join". This will use your kerberos credentials from step #1
and add the samba server to your ADS domain without the need to specify a
username or a password.
3.) Do a "klist" and you will see three different tickets in your kerberos
credentials cache.
4.) Do a "smbclient -k \\windowsserver\share" and it should connect you without
entering username and password.

At this point I ask you guys, whether this is a bug or a feature:

1.) If it is a feature the samba documentation needs to be changed in order to
require valid Administrator kerberos credentials _BEFORE_ doing a "net ads
join". This needs to be explicitly mentioned!

2.) If it is a bug, you know what you have to do... ;)

Hope this helps all the guys out there struggling with the same problem and
asking me for help... ;)

Regards, Axel.