Samba 3 connect to openldap and mit kerberos
jblock at mrsc.ucsf.edu
Tue Mar 29 02:48:18 GMT 2005
I've added the lines to smb.conf
I've added the appropriate keys in the keytab file, but it isn't letting me
# net ads join -Uadmin -Sservername
admin's password: ************
And I get:
[2005/03/28 18:30:13, 0] utils/net_ads.c:(191)
ads_connect: No results returned
I don't see anything in the kerberos server logs, perhaps I need to turn
logging up. Am I wrong in assuming that I need to run the ads join? Do I
need to put LDAP entries in smb.conf?
Just for the record, I'm using samba 3.0.13
Thanks for the help!
On 3/25/05 2:59 AM, "Michael Brown" <mbrown at fensystems.co.uk> wrote:
> On Thu, 24 Mar 2005, Jeff Block wrote:
>> Forgive me if this topic has already been posted, but I couldn't find it.
>> I would like to bind a samba 3 server to an ldap/kerberos server. I have
>> built in ldap and kerberos support so that I can use the security=ads
>> feature. I don't have an actual AD infrastructure and I'm curious if I can
>> use the ldap/kerb features of samba without AD. I have user info in ldap
>> and passwords in kerberos.
>> Can I have samba use these DB's on the backend?
> Yes. With MIT Kerberos, you need to put the following settings in
> realm = KERBEROS.REALM.NAME
> security = ads
> encrypt passwords = yes
> use kerberos keytab = yes
> and to add the appropriate service principals in /etc/krb5.keytab. Which
> service principals are appropriate is something of a black art, because
> Windows clients think that principal names are case-insensitive. You will
> probably need to add
> host/server.example.com at REALM
> cifs/server.example.com at REALM
> plus some case variations such as
> HOST/server.example.com at REALM
> host/SERVER.example.com at REALM
> You can easily see which service principal a Windows client is requesting
> by using Ethereal to capture the traffic between the Windows client and
> the KDC.
> You'll need at least Samba 3.0.11 to avoid a segfault when the client
> connects. Current SVN has a patch that makes Samba accept any case
> combination in the Kerberos principal name; previously it would accept
> only a few variations.
> Hope that helps.
More information about the samba-technical