[Samba] AD SAMBA Kerberos participation with other AD Kerberised services

Andrew Bartlett abartlet at samba.org
Tue Sep 30 13:56:11 GMT 2003

On Tue, 2003-09-30 at 21:41, Andrew Smith-MAGAZINES wrote:
> Hi All,
> anyone else found that adding a Samba server to an AD domain
> appears to be incompatible with using an AD Kerberos realm to 
> provide other Kerberised services such as NFS from the same 
> UNIX host?
> Problem I have is that when you join an AD domain through 
> Samba 3.x net command this creates a computer account in the 
> AD to which the administrator does not know the account password. 
> If you follow MS guidelines for configuring other UNIX 
> Kerberised services to authenticate against a Windows Kerberos 
> realm (AD domain) you are instructed to use a user account not 
> a computer account because to generate a keytab file for your 
> Kerberised service you must know the password for the Kerberos/AD 
> account.
> As you cannot have an AD computer account with the same name as 
> an AD user account it would seem to me that using Kerberised 
> Samba is mutually exclusive with providing generic Kerberised 
> UNIX services from a single UNIX machine. Surely this will cause 
> many people problems if this is the case, have I missed something?

This issue is intended to be addressed - but you can find out the
(current) machine account password - just read the plaintext out of the
secrets.tdb (root-only access, naturally).  Either tdbtool, or a simple
'less' should show it.

I think there may even have been some patches flying about to fix this,
but I'm not sure...

Feel free to file a bug (if there is not one already present) into

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net