[Samba] "net ads join" Kerberos credentials only after "kinit"?

Axel Suppantschitsch as at suit.at
Thu Oct 2 09:28:31 GMT 2003

According to the latest version of the Samba Documentation there are three
steps to add a samba server as member server to an ADS:

1.) Configure samba correctly to use ADS (smb.conf).
2.) Configure Kerberos correctly to work with ADS KDC (krb5.conf).
3.) Join the samba server with "net ads join -U Administrator".

Well, all this sounds good, but it definetly doesn't work, you won't have any
kerberos tickets in your credentials cache after this process. So either the
samba documentation is incomplete, or there is a bug in samba.

Anyway, it seems that I found a workable solution:

I use Samba 3.0.0 release.
I use MIT Kerberos libaries 1.3.1 (Don't know if this works with Heimdal).
I tested this with Windows 2000 and Windows 2003 Servers. It worked on both. 

1.) Do a "kinit Administrator at EXAMPLE.COM". This will get you initial kerberos
credentials. It is essential to get credentials _BEFORE_ step #2!
2.) Do a "net ads join". This will use your kerberos credentials from step #1
and add the samba server to your ADS domain without the need to specify a
username or a password.
3.) Do a "klist" and you will see three different tickets in your kerberos
credentials cache.
4.) Do a "smbclient -k \\windowsserver\share" and it should connect you without
enterning username and password.

At this point I ask you guys, whether this is a bug or a feature:

1.)If it is a feature the samba documentation needs to be changed in order to
require valid Administrator kerberos credentials _BEFORE_ doing a "net ads
join". This needs to be explicitely mentioned!

2.)If it is a bug, you know what you have to do... ;)

Hope this helps all the guys out there struggeling with the same problem and
asking me for help... ;)

Regards, Axel. 

More information about the samba mailing list