net ads keytab add
Ian Grant
ian.grant at cl.cam.ac.uk
Wed Mar 15 17:00:20 GMT 2006
Dear Samba types,
Thanks for all your work on SAMBA, it's an awesome project.
I have been abusing the samba net utility, trying to use it to join a
host to a Windows 2k3 AD realm for the purposes of accessing NFS
filesystems using krb5 authentication via rpcsec. I feel it so nearly
works I can't leave it alone. (It saves such a huge amount of fussing
with ktpass.exe etc on the domain controllers.)
I'm using SAMBA 3.0.10 on an FC3 machine. I have 'use kerberos keytab
= true' in smb.conf. I can join the realm and create a keytab on the
client machine using something like this:
    sudo net ads -U ig206 join krb5ServicePrincipals
    sudo net ads -U ig206 keytab create
Then I get a keytab:
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       2 host/dwyryd.cl.cam.ac.uk@AD.CL.CAM.AC.UK (DES cbc mode with RSA-MD5)
    etc.
But the kerberos kinit utility can't get a TGT:
    kinit -k host/dwyryd.cl.cam.ac.uk@AD.CL.CAM.AC.UK
    kinit(v5): Client not found in Kerberos database while getting initial credentials
The results of net ads search '(sAMAccountName=dwyryd$)' look OK to
me. Are there any other attributes like msDS-KeyVersionNumber that I
can query via LDAP to see the underlying kerberos principals database
that AD maintains?
Thanks for your time
Ian Grant
Cambridge Computer Lab.