Use tcp while fetching kerberos tickets

Raj Pagaku rpagaku at ironport.com
Mon Sep 10 21:52:09 GMT 2007


Hello,

I am guessing this email should have been sent to this list instead of
the general samba list.

We are running samba version 3.0.25a and Heimdal 0.6.3 for kerberos.

With 3.0.25a version of Samba, we observe that when we are attempting to
join our primary domain in ADS mode and the Active Directory happens to
be the closest DC, samba creates its own local private krb5 conf file
and overrides the KRB5_CONFIG environment variable
[create_local_private_krb5_conf_for_domain() is invoked from function
ads_dc_name() in file libsmb/namequery_dc.c]

Is there a specific reason for creating a custom krb5 conf file instead
of using the default krb5 conf or the conf file specified in the
environment variable KRB5_CONFIG when the 'net ads join' is invoked?
There is nothing wrong with creating a custom file, but we wanted to
understand the technical reason behind it.

There is however one issue with the contents of the private krb5 conf
file generated.  The generated file has a kdc line of the following
format:

   kdc = <ip_address_of_ad_server>

Since the KRB5_CONFIG variable is overridden, there is no way to inform
samba to use 'tcp' for fetching Kerberos tickets.

We used to run the 'net ads join' by providing the path to a krb5.conf
file that had a kdc line of the following format:

   kdc = tcp/<ip_address_of_ad_server>

and this worked fine in older versions (3.0.23c) since a custom krb5
conf file was not created.

Our environment does not allow udp kerberos traffic.  How can we inform
the kerberos ticketing code in samba to use 'tcp' instead of 'udp'?

Thanks
Raj Pagaku



More information about the samba-technical mailing list