AS-REQ using SPN

Rowland Penny rpenny at samba.org
Wed Nov 15 20:37:02 UTC 2017


On Wed, 15 Nov 2017 12:29:18 -0800
Richard Sharpe <realrichardsharpe at gmail.com> wrote:

> On Wed, Nov 15, 2017 at 10:53 AM, Rowland Penny via samba-technical <
> samba-technical at lists.samba.org> wrote:
> > On Wed, 15 Nov 2017 10:42:52 -0800
> > Richard Sharpe <realrichardsharpe at gmail.com> wrote:
> >
> >> On Wed, Nov 15, 2017 at 9:54 AM, Andrew Bartlett via
> >> samba-technical <samba-technical at lists.samba.org> wrote:
> >> > On Wed, 2017-11-15 at 10:03 +0000, Rowland Penny via
> >> > samba-technical wrote:
> >> [deletia]
> >> >> Hi Ralph, would you like to try that again with the Samba
> >> >> recommended krb5.conf?
> >> >>
> >> >> Which is:
> >> >>
> >> >> [libdefaults]
> >> >> default_realm = RIVERSIDE.SITE
> >> >> dns_lookup_realm = false
> >> >> dns_lookup_kdc = true
> >> >>
> >>
> >> Wait. Is this recommended just for Samba as an AD DC or for Samba
> >> as a member server or both?
> >>
> >> AFAIK, you really do not want dns_lookup_realm = false for Samba
> >> as a member server, but if I am wrong it would be good to know why.
> >>
> >
> > This is one reason why I am asking questions about this, Samba
> > seems to have been recommending the above format for the last 5
> > years. I personally have been using it for all that time and it has
> > always worked.
> >
> > If it is wrong, why is it wrong?
> > Why (if AB is to be believed) do the developers use a different
> > one?
> >
> > What should we be using and recommending?
> 
> My only thought at this stage is that since you specify the realm in
> the smb.conf perhaps the dns_lookup_realm setting in krb5.conf is
> simply irrelevant.
> 

No, funnily enough I tested this once and the only two lines you
actually must have in the /etc/krb5.conf are:

[libdefaults]
   default_realm = SAMDOM.EXAMPLE.COM

Rowland


