[Samba] Can't setup kerberos auth for samba4 server?
Rowland penny
rpenny at samba.org
Wed Oct 16 09:23:30 UTC 2019
On 16/10/2019 09:56, Thomas Schweikle via samba wrote:
> Hi!
>
> Setup: Debian, Samba 4.11
>
> After successfully setting up samba4, I want this machine to authenticate
> against the running samba4-server. I've created /etc/krb5.conf:
>
> [libdefaults]
> default_realm = ADA.DE
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
>
> fcc-mit-ticketflags = true
>
> [realms]
> ADA.DE = {
> kdc = ad01.ada.de
> kdc = ad02.ada.de
> admin_server = ad01.ada.de
> chpasswd_server = ad01.ada.de
> default_domain = ada.de
> }
>
> [domain_realm]
> .ada.de = ADA.DE
> ada.de = ADA.DE
>
>
> kinit works:
> # kinit Administrator
> Passwort für Administrator at ADA.DE:
> Warnung: Ihr Passwort wird in 39 Tagen am Mo 25 Nov 2019 08:22:41 CET
> ablaufen.
> #klist
> Ticketzwischenspeicher: FILE:/tmp/krb5cc_0
> Standard-Principal: Administrator at ADA.DE
>
> Valid starting Expires Service principal
> 16.10.2019 10:22:13 16.10.2019 20:22:13 krbtgt/ADA.DE at ADA.DE
> erneuern bis 17.10.2019 10:22:08
>
> But:
> # net ads join -k
> Host is not configured as a member server.
> Invalid configuration. Exiting....
> Failed to join domain: This operation is only allowed for the PDC of the
> domain.
>
> It is quite true this host is not configured as a member server -- it is
> the PDC! So what do I have to do to make this host use the running samba4
> to authenticate users? sssd fails because it can't find /etc/krb5.keytab.
>
How have you set up Samba?
Is it a PDC or are you just calling an AD DC a PDC because it is the first DC?
An AD DC != PDC
If it is a PDC, you cannot join it to an AD DC.
If it is an AD DC, you do not join it to itself.
Finally, do not use sssd, it is not supported by Samba (or Red Hat).
I think you need to post your smb.conf.
Rowland
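An added pre-flight check, not part of this thread and not Samba's own tooling, that reads `server role` and `realm` from smb.conf and `default_realm` from krb5.conf and says whether `net ads join` is the right step for the host at all (the sample configs are constructed to mirror the poster's situation; only top-level `key = value` lines are parsed):

```python
import re

# Constructed sample configs (assumed, not the poster's actual files):
# an AD DC whose admin then runs `net ads join -k`, as in the thread.
SMB_CONF_DC = """\
[global]
    realm = ADA.DE
    workgroup = ADA
    server role = active directory domain controller
"""
KRB5_CONF = """\
[libdefaults]
    default_realm = ADA.DE
[realms]
    ADA.DE = {
        kdc = ad01.ada.de
    }
[domain_realm]
    .ada.de = ADA.DE
"""

def parse_kv_sections(text):
    """{section: {key: value}} for top-level lines; braced realm blocks are skipped."""
    result, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            result.setdefault(section, {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and section and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            result[section][key.lower()] = value
    return result

def join_advice(smb_conf, krb5_conf):
    """Return (should_join, reason) based on smb.conf role and krb5 realm."""
    glob = parse_kv_sections(smb_conf).get("global", {})
    role = glob.get("server role", "").lower()
    realm = glob.get("realm", "").upper()
    default_realm = parse_kv_sections(krb5_conf).get("libdefaults", {}).get("default_realm", "").upper()
    if role == "active directory domain controller":
        return False, "AD DC: a DC does not join itself, do not run `net ads join`"
    if role.startswith("classic"):
        return False, "NT4-style PDC/BDC: cannot be joined to an AD domain"
    if role != "member server":
        return False, f"server role is {role!r}: set 'member server' before joining"
    if realm != default_realm:
        return False, f"smb.conf realm {realm!r} != krb5 default_realm {default_realm!r}"
    return True, f"member server for {realm}: `net ads join -k` is the right step"
```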