[Samba] "net ads join" Kerberos credentials only after "kinit"?

Axel Suppantschitsch as at suit.at
Thu Oct 2 11:23:03 GMT 2003


You might be right, but the use of "kinit" is only mentioned for testing
purposes, but not as an essential part of the implementation...

My process generates the following credentials:

[root at samba30srv root]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at SAMBA30.TEST

Valid starting     Expires            Service principal
10/01/03 14:24:47  10/02/03 00:25:36  krbtgt/SAMBA30.TEST at SAMBA30.TEST
        renew until 10/02/03 14:24:47
10/01/03 14:25:57  10/02/03 00:25:36  win2003srv$@SAMBA30.TEST
        renew until 10/02/03 14:24:47
10/01/03 14:25:57  10/01/03 14:27:57  kadmin/changepw at SAMBA30.TEST
        renew until 10/01/03 14:27:57


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root at samba30srv root]#

Your process generates the following credentials:

[root at samba30srv root]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at SAMBA30.TEST

Valid starting     Expires            Service principal
10/02/03 13:16:21  10/02/03 23:17:10  krbtgt/SAMBA30.TEST at SAMBA30.TEST
        renew until 10/03/03 13:16:21


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root at samba30srv root]#

Any suggestions?

Regards, Axel.

Quoting Andrew Smith-MAGAZINES <andrew.smith.06 at bbc.co.uk>:

> The purpose of "net ads join -U Administrator%password" (password is
> required) is not to obtain a Kerberos ticket but to create a computer account
> in the AD thereby setting up the trust required for other clients to
> authenticate to the Samba server with an AD Kerberos TGT. Use kinit from any
> client system, after doing the net ads join on the Samba server, to get your
> TGT and I think you'll find everything works as intended,
> 
> thanks Andy.
> 
> -----Original Message-----
> From: Axel Suppantschitsch [mailto:as at suit.at]
> Sent: 02 October 2003 10:29
> To: samba at samba.org
> Subject: [Samba] "net ads join" Kerberos credentials only after "kinit"?
> 
> 
> According to the latest version of the Samba Documentation there are three
> major steps to add a samba server as member server to an ADS:
> 
> 1.) Configure samba correctly to use ADS (smb.conf).
> 2.) Configure Kerberos correctly to work with ADS KDC (krb5.conf).
> 3.) Join the samba server with "net ads join -U Administrator".
> 
> Well, all this sounds good, but it definitely doesn't work, you won't have
> any kerberos tickets in your credentials cache after this process. So either
> the samba documentation is incomplete, or there is a bug in samba.
> 
> Anyway, it seems that I found a workable solution:
> 
> I use Samba 3.0.0 release.
> I use MIT Kerberos libraries 1.3.1 (Don't know if this works with Heimdal).
> I tested this with Windows 2000 and Windows 2003 Servers. It worked on both.
> 
> 
> 1.) Do a "kinit Administrator at EXAMPLE.COM". This will get you initial
> kerberos credentials. It is essential to get credentials _BEFORE_ step #2!
> 2.) Do a "net ads join". This will use your kerberos credentials from step
> #1 and add the samba server to your ADS domain without the need to specify a
> username or a password.
> 3.) Do a "klist" and you will see three different tickets in your kerberos
> credentials cache.
> 4.) Do a "smbclient -k \\windowsserver\share" and it should connect you
> without entering username and password.
> 
> At this point I ask you guys, whether this is a bug or a feature:
> 
> 1.) If it is a feature the samba documentation needs to be changed in order
> to require valid Administrator kerberos credentials _BEFORE_ doing a "net ads
> join". This needs to be explicitly mentioned!
> 
> 2.) If it is a bug, you know what you have to do... ;)
> 
> Hope this helps all the guys out there struggling with the same problem
> and asking me for help... ;)
> 
> Regards, Axel. 
> 
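The thread turns on comparing two klist listings: the one Axel gets after "kinit" followed by "net ads join" (TGT plus a service ticket for the domain controller's computer account) and the one Andy's order of operations leaves behind (TGT only). The following script is an added example, not code from either poster or from Samba; it parses a klist listing and reports which of the two states the cache is in, using the realm and principal names quoted in the thread as constructed sample input.

```shell
#!/bin/sh
# Added example, not code from the thread: parse a klist listing and report
# whether the cache looks like Axel's result (TGT plus a service ticket for
# the DC's computer account, "name$@REALM") or Andy's (bare TGT). Principal
# and realm names are the thread's own sample values; the archive mangled
# some "@" signs into " at ", so both spellings are accepted.

# Print one service principal per line from klist output read on stdin.
# Ticket rows start with a MM/DD/YY date; headers and "renew until" rows do not.
list_principals() {
    awk '/^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] / {
        $1 = $2 = $3 = $4 = ""          # drop the start/expiry timestamps
        sub(/^[ \t]+/, ""); sub(/ at /, "@"); print
    }'
}

# Classify the cache read on stdin: "joined" (TGT and computer-account ticket),
# "tgt-only" (kinit alone) or "none". Exit status 0 only for "joined".
classify_cache() {
    has_tgt=0; has_machine=0
    for p in $(list_principals); do
        case "$p" in
            krbtgt/*) has_tgt=1 ;;
            *'$@'*)   has_machine=1 ;;   # computer accounts end in "$"
        esac
    done
    if [ "$has_tgt" = 1 ] && [ "$has_machine" = 1 ]; then echo joined; return 0; fi
    if [ "$has_tgt" = 1 ]; then echo tgt-only; return 1; fi
    echo none; return 1
}

# Constructed listings in the shape of the two klist outputs quoted above.
JOINED_CACHE='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SAMBA30.TEST

Valid starting     Expires            Service principal
10/01/03 14:24:47  10/02/03 00:25:36  krbtgt/SAMBA30.TEST at SAMBA30.TEST
        renew until 10/02/03 14:24:47
10/01/03 14:25:57  10/02/03 00:25:36  win2003srv$@SAMBA30.TEST
        renew until 10/02/03 14:24:47
10/01/03 14:25:57  10/01/03 14:27:57  kadmin/changepw@SAMBA30.TEST
        renew until 10/01/03 14:27:57'
TGT_ONLY_CACHE='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SAMBA30.TEST

Valid starting     Expires            Service principal
10/02/03 13:16:21  10/02/03 23:17:10  krbtgt/SAMBA30.TEST@SAMBA30.TEST
        renew until 10/03/03 13:16:21'
```

Against a live system, `klist | classify_cache` reports which of the two states the current credential cache is in.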
