[Samba] AD SAMBA Kerberos participation with other AD Kerberised services

Andrew Bartlett abartlet at samba.org
Tue Sep 30 13:56:11 GMT 2003


On Tue, 2003-09-30 at 21:41, Andrew Smith-MAGAZINES wrote:
> Hi All,
> 
> anyone else found that adding a Samba server to an AD domain
> appears to be incompatible with using an AD Kerberos realm to 
> provide other Kerberised services such as NFS from the same 
> UNIX host?
> Problem I have is that when you join an AD domain through 
> Samba 3.x net command this creates a computer account in the 
> AD to which the administrator does not know the account password. 
> If you follow MS guidelines for configuring other UNIX 
> Kerberised services to authenticate against a Windows Kerberos 
> realm (AD domain) you are instructed to use a user account not 
> a computer account because to generate a keytab file for your 
> Kerberised service you must know the password for the Kerberos/AD 
> account.
> As you cannot have an AD computer account with the same name as 
> an AD user account it would seem to me that using Kerberised 
> Samba is mutually exclusive with providing generic Kerberised 
> UNIX services from a single UNIX machine. Surely this will cause 
> many people problems if this is the case, have I missed something?

This issue is intended to be addressed - but you can find out the
(current) machine account password - just read the plaintext out of the
secrets.tdb (root-only access, naturally).  Either tdbtool, or a simple
'less' should show it.

I think there may even have been some patches flying about to fix this,
but I'm not sure...

Feel free to file a bug (if there is not one already present) into
bugzilla.samba.org

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net