[Samba] AD SAMBA Kerberos participation with other AD Kerberised services

Andrew Smith-MAGAZINES andrew.smith.06 at bbc.co.uk
Tue Sep 30 11:41:38 GMT 2003

Hi All,

	anyone else found that adding a Samba server to an AD domain appears to be incompatible with using an AD Kerberos realm to provide other Kerberised services such as NFS from the same UNIX host?
  Problem I have is that when you join an AD domain thorough Samba 3.x net command this creates a computer account in the AD to which the administrator does not know the account password. If you following MS guidelines for configuring other UNIX Kerberised services to authenticate against a Windows Kerberos realm (AD domain) you are instructed to use a user account not a computer account because to generate a keytab file for your Kerberised service you must know the password for the Kerberos/AD account.
  As you cannot have an AD computer account with the same name as an AD user account it would seem to me that using Kerberised Samba is mutually exclusive with providing generic Kerberised UNIX services from a single UNIX machine. Surely this will cause many people problems if this is the case, have I missed something?

  Microsoft instructions for creating keytabs are on this link,
 <<Microsoft TechNet AD-UNIX Kerberos integration.url>> 

	many thanks Andy.

BBCi at http://www.bbc.co.uk/

This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically
If you have received it in error, please delete it from your system. Do not use, copy or disclose the information in any way nor act in
reliance on it and notify the sender immediately. Please note that the BBC monitors e-mails sent or received.
Further communication will signify your consent to this.

More information about the samba mailing list