[Samba] "net ads join" Kerberos credentials only after "kinit"?

Andrew Smith-MAGAZINES andrew.smith.06 at bbc.co.uk
Thu Oct 2 09:53:56 GMT 2003

The purpose of "net ads join -U Administrator%password" (password is required) is not to obtain a Kerberos ticket but to create a computer account in the AD thereby setting up the trust required for other clients to authenticate to the Samba server with an AD Kerberos TGT. Use kinit from any client system, after doing the net ads join on the Samba server, to get your TGT and I think you'll find everything works as intended,

thanks Andy.

-----Original Message-----
From: Axel Suppantschitsch [mailto:as at suit.at]
Sent: 02 October 2003 10:29
To: samba at samba.org
Subject: [Samba] "net ads join" Kerberos credentials only after "kinit"?

According to the latest version of the Samba Documentation there are three
steps to add a samba server as member server to an ADS:

1.) Configure samba correctly to use ADS (smb.conf).
2.) Configure Kerberos correctly to work with ADS KDC (krb5.conf).
3.) Join the samba server with "net ads join -U Administrator".

Well, all this sounds good, but it definitely doesn't work, you won't have any
kerberos tickets in your credentials cache after this process. So either the
samba documentation is incomplete, or there is a bug in samba.

Anyway, it seems that I found a workable solution:

I use Samba 3.0.0 release.
I use MIT Kerberos libraries 1.3.1 (Don't know if this works with Heimdal).
I tested this with Windows 2000 and Windows 2003 Servers. It worked on both. 

1.) Do a "kinit Administrator@EXAMPLE.COM". This will get you initial kerberos
credentials. It is essential to get credentials _BEFORE_ step #2!
2.) Do a "net ads join". This will use your kerberos credentials from step #1
and add the samba server to your ADS domain without the need to specify a
username or a password.
3.) Do a "klist" and you will see three different tickets in your kerberos
credentials cache.
4.) Do a "smbclient -k \\windowsserver\share" and it should connect you without
entering username and password.

At this point I ask you guys, whether this is a bug or a feature:

1.) If it is a feature the samba documentation needs to be changed in order to
require valid Administrator kerberos credentials _BEFORE_ doing a "net ads
join". This needs to be explicitly mentioned!

2.) If it is a bug, you know what you have to do... ;)

Hope this helps all the guys out there struggling with the same problem and
asking me for help... ;)

Regards, Axel. 