[Samba] AD SAMBA Kerberos participation with other AD Kerberised services
Andrew Bartlett
abartlet at samba.org
Tue Sep 30 13:56:11 GMT 2003
On Tue, 2003-09-30 at 21:41, Andrew Smith-MAGAZINES wrote:
> Hi All,
>
> anyone else found that adding a Samba server to an AD domain
> appears to be incompatible with using an AD Kerberos realm to
> provide other Kerberised services such as NFS from the same
> UNIX host?
> Problem I have is that when you join an AD domain through
> Samba 3.x net command this creates a computer account in the
> AD to which the administrator does not know the account password.
> If you follow MS guidelines for configuring other UNIX
> Kerberised services to authenticate against a Windows Kerberos
> realm (AD domain) you are instructed to use a user account not
> a computer account because to generate a keytab file for your
> Kerberised service you must know the password for the Kerberos/AD
> account.
> As you cannot have an AD computer account with the same name as
> an AD user account it would seem to me that using Kerberised
> Samba is mutually exclusive with providing generic Kerberised
> UNIX services from a single UNIX machine. Surely this will cause
> many people problems if this is the case, have I missed something?
This issue is intended to be addressed - but you can find out the
(current) machine account password - just read the plaintext out of the
secrets.tdb (root-only access, naturally). Either tdbtool, or a simple
'less' should show it.
I think there may even have been some patches flying about to fix this,
but I'm not sure...
Feel free to file a bug (if there is not one already present) into
bugzilla.samba.org
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
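
Because the reply above says secrets.tdb holds the machine account password in plaintext behind root-only access, here is a check that the restriction actually holds, added as an example that is not part of the original message or of Samba. The function name audit_secret_file is hypothetical, and the path to secrets.tdb is passed in as an argument because its location is site-specific and not given in the thread.

```python
import os
import stat
import sys


def audit_secret_file(path, expected_uid=0):
    """Return findings for a file that only one account should be able to read."""
    st = os.lstat(path)  # lstat: do not follow a symlink planted at this path
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file (symlink or special file)"]
    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"owner uid is {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"mode {mode:04o} grants group or other access")
    # Anyone who can write the directory can swap the file for their own copy.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("parent directory is writable by group or other")
    return findings


if __name__ == "__main__":
    # Usage: python3 audit.py /path/to/secrets.tdb  (path is site-specific)
    problems = audit_secret_file(sys.argv[1])
    for p in problems:
        print(f"{sys.argv[1]}: {p}")
    sys.exit(1 if problems else 0)
```

The same check applies to any keytab generated from that password, since it carries an equivalent secret.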