[Samba] Kerberos5 ticket renewal & 'net ads join' w/o authentication
Philipoff, Andrew
aphilipoff at medicine.ucsf.edu
Thu Oct 28 17:58:12 MDT 2010
> Hello,
>
> I have two issues with Kerberos administration using Samba and this results
> from my lack of familiarity with it. I am hoping someone can point me in the
> right direction.
>
> The first issue is with automatically renewing the Kerberos tickets. The
> second issue deals with my having to authenticate each time I attempt to join
> an AD domain. The Samba documentation indicates that I should *not* have
> to authenticate when holding a valid Kerberos ticket. When I join an AD
> domain using administrator credentials, I can basically administer a Samba
> server well. 'getent passwd' and 'getent group' work as expected.
>
> I'm running FreeBSD 8.1 using Samba 3.4.9 and using the base Heimdal.
> The AD domain is a W2K3 domain in mixed mode.
>
> I basically used the information from this link listed below to build the
> configuration files listed below:
>
> http://wiki.samba.org/index.php/Samba_%26_Active_Directory
>
> I also looked at several other sources such as :
>
> http://www.freebsd.org/doc/handbook/kerberos5.html
>
> The bottom line is that I'd like to receive a Kerberos ticket using proper
> authentication and use it to execute the 'net ads join' command without
> authentication and then continue to renew the ticket automatically.
>
> Now, what changes do I need to do in order to 1) automatically renew
> Kerberos tickets and 2) be able to execute the 'net ads join' command
> without supplying a password?
>
> Any pointers/assistance would be greatly appreciated! If I've left out
> relevant information, please don't hesitate to let me know.
>
> ~Doug
Doug,
To address the Kerberos ticket issue, on my RHEL 5.5 servers, I enabled "use Kerberos keytab" in my smb.conf:
1. Edit your smb.conf, add "use kerberos keytab = YES"
Run testparm
Restart Samba
2. Create a Kerberos keytab in the location that is defined in your krb5.conf file. Mine has "default_keytab_name = FILE:/etc/krb5.keytab" in the [libdefaults] section:
net ads keytab create
3. Verify the contents of the Kerberos keytab file:
klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
3 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
3 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
3 host/SERVER1@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
3 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
3 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
3 SERVER1$@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
4 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
4 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
4 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
4 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
4 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
4 host/SERVER1@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
4 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
4 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
4 SERVER1$@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
However, I do not know how to enable execution of the 'net ads join' command without supplying a password.
Regards,
Andrew Philipoff
Infrastructure Coordinator
UCSF Department of Medicine - IT Services
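As an added example (not code from this thread, from Samba, or from Heimdal), a small POSIX shell audit of a 'klist -ke' listing like the one quoted above: it reports the newest KVNO stored for a principal, counts entries left over from older key versions, and counts single-DES keys. The listing it reads is a constructed sample; on a real host, pipe 'klist -ke' into the same functions.

```shell
#!/bin/sh
# Each function reads a 'klist -ke' listing on stdin.

# keytab_max_kvno PRINCIPAL: newest key version stored for PRINCIPAL (empty if absent).
# The KDC encrypts service tickets with the account's current key version, so the
# keytab must contain that KVNO or Samba cannot decrypt incoming tickets.
keytab_max_kvno() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $2 == p { if (!found || $1+0 > max) { max = $1+0; found = 1 } }
        END { if (found) print max }'
}

# keytab_stale_count: key entries whose KVNO is older than the newest KVNO in the file.
# They are harmless for decryption but show the keytab accumulated old versions.
keytab_stale_count() {
    awk '$1 ~ /^[0-9]+$/ { k[NR] = $1+0; if ($1+0 > max) max = $1+0 }
         END { n = 0; for (i in k) if (k[i] < max) n++; print n+0 }'
}

# keytab_des_count: entries using single DES, a weak enctype that modern AD
# disables by default; their presence is worth reviewing on the account.
keytab_des_count() {
    grep -c 'DES cbc mode'
}

# Constructed sample in the shape of the klist output quoted in the reply.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------------
   3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
   3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
   4 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
   4 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
   4 SERVER1$@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)'

# Run the audit over the sample; swap the printf for 'klist -ke' on a joined host.
printf '%s\n' "$SAMPLE_KLIST" | keytab_max_kvno 'SERVER1$@DOMAIN.FOREST.ORG'
printf '%s\n' "$SAMPLE_KLIST" | keytab_stale_count
printf '%s\n' "$SAMPLE_KLIST" | keytab_des_count
```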