[Samba] Kerberos5 ticket renewal & 'net ads join' w/o authentication

Doug Sampson dougs at dawnsign.com
Tue Nov 2 14:03:27 MDT 2010


> To address the Kerberos ticket issue, on my RHEL 5.5 servers, I
> enabled "use Kerberos keytab" in my smb.conf:
> 
> 1. Edit your smb.conf, add "use kerberos keytab = YES"
> Run testparm
> Restart Samba
> 
> 2. Create a Kerberos keytab in the location defined in your
> krb5.conf file. Mine has "default_keytab_name =
> FILE:/etc/krb5.keytab" in the [libdefaults] section:
> net ads keytab create
> 
> 3. Verify the contents of the Kerberos keytab file:
> klist -ke
> 
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
>    3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
>    3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
>    3 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
>    3 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
>    3 host/SERVER1@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
>    3 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
>    3 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
>    3 SERVER1$@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
>    4 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
>    4 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
>    4 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
>    4 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
>    4 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
>    4 host/SERVER1@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
>    4 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
>    4 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
>    4 SERVER1$@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
> 
> However, I do not know how to enable execution of the 'net ads
> join' command without supplying a password.
> 

I tried your method and, while there are minor variations in how the
'net ads keytab' commands are used between FreeBSD and RHEL, I wasn't
able to join the domain without supplying a password. I see various
references throughout the Internet where quite a number of FreeBSD users
are supplying passwords when performing a 'net ads join' command.

I will keep an eye open for any other working methods.

~Doug
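As an added example, not code from either poster or from the Samba project: a small POSIX sh check that reads the `klist -ke` listing from step 3 of the quoted procedure and reports what a practitioner would want to know before relying on the keytab. The sample listing embedded in it is constructed from the one quoted above (same server name, realm and KVNOs 3 and 4); the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread: a post-check for the
# keytab written by `net ads keytab create`, run over `klist -ke` output.
# It flags single-DES keys (DES cbc mode with CRC-32 / RSA-MD5), which are
# disabled by default in current KDCs and Kerberos libraries, and shows
# which KVNOs are present. Requires only POSIX sh, awk, sort and uniq.

# Constructed sample, modelled on the listing quoted in the thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
   3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
   3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
   3 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
   3 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
   3 host/SERVER1@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
   3 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
   3 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
   3 SERVER1$@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
   4 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
   4 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
   4 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
   4 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
   4 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
   4 host/SERVER1@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
   4 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
   4 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
   4 SERVER1$@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)'

# Emit one "KVNO PRINCIPAL ENCTYPE" line per keytab entry, on stdin -> stdout.
# Header lines (Keytab name, column titles, dashes) have a non-numeric first
# field and are dropped.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ {
        e = $0
        sub(/^[^(]*\(/, "", e)      # drop everything up to the opening paren
        sub(/\)[ \t]*$/, "", e)     # drop the closing paren
        print $1, $2, e
    }'
}

# Number of entries whose enctype is single DES (first word of the enctype
# string is "DES", as printed by klist for CRC-32 and RSA-MD5 variants).
count_des_keys() {
    keytab_entries | awk '$3 == "DES" { n++ } END { print n + 0 }'
}

# Distinct KVNOs in the keytab, ascending, space separated ("3 4" for the sample).
keytab_kvnos() {
    keytab_entries | awk '{ print $1 }' | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# Highest KVNO: the key currently set on the machine account. Lower KVNOs
# are left over from before the last machine-password change.
keytab_current_kvno() {
    keytab_entries | awk '{ print $1 }' | sort -n | tail -n 1
}

# Summary on stdout; exit status 1 if any single-DES key is present.
keytab_report() {
    listing=$(cat)
    des=$(printf '%s\n' "$listing" | count_des_keys)
    kvnos=$(printf '%s\n' "$listing" | keytab_kvnos)
    current=$(printf '%s\n' "$listing" | keytab_current_kvno)
    printf 'KVNOs present: %s (current: %s)\n' "$kvnos" "$current"
    printf 'single-DES entries: %s\n' "$des"
    [ "$des" -eq 0 ]
}

# Stand-alone run over the constructed sample. On a real host use:
#   klist -ke | keytab_report
printf '%s\n' "$SAMPLE_KLIST" | keytab_report || echo 'WARNING: weak DES keys in keytab'
```

Two things the quoted listing shows and the check makes explicit: every principal carries single-DES keys alongside ArcFour, and entries for both KVNO 3 and KVNO 4 are present, the higher one being the key the machine account currently holds. On the password question itself, net(8) documents a -k (--kerberos) switch for authenticating with an existing Kerberos ticket instead of a prompted password; the example above only inspects the keytab and does not attempt a join.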
