Samba 3 connect to openldap and mit kerberos

Jeff Block jblock at
Tue Mar 29 02:48:18 GMT 2005

I've added the lines to smb.conf
I've added the appropriate keys in the keytab file, but it isn't letting me

I try:
# net ads join -Uadmin -Sservername
admin's password: ************

And I get:
[2005/03/28 18:30:13, 0] utils/net_ads.c:(191)
  ads_connect: No results returned

I don't see anything in the kerberos server logs, perhaps I need to turn
logging up.  Am I wrong in assuming that I need to run the ads join?  Do I
need to put LDAP entries in smb.conf?

Just for the record, I'm using samba 3.0.13

Thanks for the help!


On 3/25/05 2:59 AM, "Michael Brown" <mbrown at> wrote:

> On Thu, 24 Mar 2005, Jeff Block wrote:
>> Forgive me if this topic has already been posted, but I couldn't find it.
>> I would like to bind a samba 3 server to an ldap/kerberos server.  I have
>> built in ldap and kerberos support so that I can use the security=ads
>> feature.  I don't have an actual AD infrastructure and I'm curious if I can
>> use the ldap/kerb features of samba without AD.  I have user info in ldap
>> and passwords in kerberos.
>> Can I have samba use these DB's on the backend?
> Yes.  With MIT Kerberos, you need to put the following settings in
> smb.conf:
>    security = ads
>    encrypt passwords = yes
>    use kerberos keytab = yes
> and to add the appropriate service principals in /etc/krb5.keytab.  Which
> service principals are appropriate is something of a black art, because
> Windows clients think that principal names are case-insensitive.  You will
> probably need to add
>    server$@REALM
>    host/ at REALM
>    cifs/ at REALM
> plus some case variations such as
>    HOST/ at REALM
>    host/ at REALM
> You can easily see which service principal a Windows client is requesting
> by using Ethereal to capture the traffic between the Windows client and
> the KDC.
> You'll need at least Samba 3.0.11 to avoid a segfault when the client
> connects.  Current SVN has a patch that makes Samba accept any case
> combination in the Kerberos principal name; previously it would accept
> only a few variations.
> Hope that helps.
> Michael

More information about the samba-technical mailing list