FW: [Samba] net ads join / kinit /.conf syntax

John H Terpstra jht at samba.org
Thu Feb 19 21:11:52 GMT 2004


On Thu, 19 Feb 2004, kaze wrote:

> --> From: John H Terpstra [mailto:jht at samba.org]
> --> Sent: Thursday, February 19, 2004 1:04 AM
> ...
> > Of course "net ads join ..." still returns "failed: Cannot find KDC for
> > requested realm"
>
> Hmmm. ...
>
> >
> > What to do?
>
> Did the Samba-HOWTO-Collection.pdf help in any way? What part of Section
> 7.4 does not work for you? If you can help me to find the problem I can
> help to fix the documentation.
>
> See: http://www.samba.org/docs/Samba-HOWTO-Collection.pdf
>
> <---------------------------------------------------------------->
>
> The documentation is great.
>
> From my original post:
> http://www.samba.org/samba/docs/man/domain-member.html#domain-member-server
> (Which notes, "This is a rough guide to setting up Samba-3 with Kerberos
> authentication against a Windows 200x KDC. A familiarity with Kerberos is
> assumed." Is there "A guide to familiarity with Kerberos as a primer for
> Samba configuration" somewhere?)

There will be when the "Samba-3 by Example" book is out after March 26th.
It has prescriptive guidance that should solve the problem of clients and
servers joining an ADS domain. It will be committed to CVS as soon as I
can get consented release from the publisher of the book.

> I know more about Kerberos from mythology than from computers.
>
> As an aside: Why does replying to a list post default to sending to the
> poster and not the list? I've gotten a few replies to my post, but they've
> come to me and not the list. It seems to me this makes the list less useful
> for observers and from a "search the archives" point of view. (Sorry if this
> has been thrashed out on the list before.) Should I reply just to you, or to
> the list?

Always reply to the list. The only exception is when it may contain
information that may be personally sensitive, in which case I would
recommend private communication. Even where a discussion has been taken
off list, you should always strive to bring it back to the list so that
the maximum number of people can benefit from the discussions.

>
> Anyway, about the documentation:
> I read the lines:
> "This is a rough guide to setting up Samba-3 with Kerberos authentication
> against a Windows 200x KDC."
> and
> "With both MIT and Heimdal Kerberos, it is unnecessary to configure the
> /etc/krb5.conf, and it may be detrimental. Microsoft Active Directory
> servers..."
> to mean that
> (1) there are three main Kerberos implementations Samba deals with, MIT,
> Heimdal, and Microsoft's.
> (2) Since I want my GNU/Linux box to authenticate and base file sharing
> permissions against an existing Microsoft Active Directory I'll have to
> configure the /etc/krb5.conf, and
> (3) I thought Samba was the Kerberos client and had no idea I needed to
> install a Kerberos client.
>
> When following the documentation to "Create the Computer Account" the "net
> ads join -U Administrator%password" command failed with an error message
> that is not explained or addressed anywhere I could see in the docs.

Your Samba must be linked against the correct version of either Heimdal or
MIT Kerberos, otherwise it will not work.

Your Windows 200x ADS server must permit remote access to ADS. (PS: This
is something that may require further documentation than has been done so
far.)

> (Searching the samba list archives revealed this post
> <http://lists.samba.org/archive/samba/2003-October/000180.html> with the
> gem, "I've posted extensively about this - search the archives.")

Windows 200x ADS uses DNS to resolve KRB5 service record information. The
underlying KRB5 libraries (MIT 1.3.1 or Heimdal 0.6+) have the capacity to
do DNS lookups. Many sites have broken DNS servers - and that will break
the ability of Samba-3 to locate the KDC.

> From the Samba list and more reading I now know I need a Kerberos client so
> I tried krb5-workstation-1.3.1-6.i386.rpm but this still didn't give me the
> kinit command; now per Michael Brown I'm gonna try this one:
> http://web.mit.edu/kerberos/dist/krb5/1.3/krb5-1.3.1.tar.

You must ensure that your Kerberos implementation is complete and
functional.

If you find anything that should be in the Samba documentation that is
missing please let me know. We all want to provide complete and useful
information.

Cheers,
John T.
-- 
John H Terpstra
Email: jht at samba.org
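The DNS step John describes above (the KRB5 library locating the KDC through the ADS SRV records) can be checked independently of Samba. The following is an added example, not code from the thread or from Samba: it builds the SRV query name for a realm and parses the KDC host and port out of a raw DNS response, so an empty or error answer from a broken DNS server shows up before "net ads join" reports "Cannot find KDC for requested realm". The realm, hostnames and response bytes are constructed for illustration.

```python
# Added example (not code from the thread): the SRV lookup a KRB5 library does to locate a KDC.
import struct

def kdc_srv_name(realm):
    """Query name for the realm's KDCs, e.g. _kerberos._tcp.example.com."""
    return "_kerberos._tcp." + realm.lower().rstrip(".")

def _read_name(msg, off):
    """Decode a possibly compressed DNS name; returns (name, offset after it)."""
    labels, end = [], None
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:                   # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
            off += 1 + msg[off]
    return ".".join(labels), (off + 1 if end is None else end)

def parse_srv_answers(msg):
    """Return sorted [(priority, weight, port, target)] from a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                                # RCODE != 0: NXDOMAIN, SERVFAIL, ...
        return []
    off = 12
    for _ in range(qd):                               # skip the question section
        off = _read_name(msg, off)[1] + 4
    out = []
    for _ in range(an):
        off = _read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 33:                               # SRV record
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            out.append((prio, weight, port, _read_name(msg, off + 6)[0]))
        off += rdlen
    return sorted(out)

# Constructed responses (not captured from a real server): a healthy ADS DNS
# answer naming dc1.example.com:88, and a broken server answering NXDOMAIN.
GOOD_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"             # header: 1 question, 1 answer
    b"\x09_kerberos\x04_tcp\x07example\x03com\x00\x00\x21\x00\x01"  # question: SRV IN
    b"\xc0\x0c\x00\x21\x00\x01\x00\x00\x02\x58\x00\x0c"             # answer: SRV IN, ttl 600, rdlen 12
    b"\x00\x00\x00\x64\x00\x58\x03dc1\xc0\x1b"                      # prio 0, weight 100, port 88, dc1.example.com
)
BROKEN_RESPONSE = (
    b"\x12\x35\x81\x83\x00\x01\x00\x00\x00\x00\x00\x00"             # header: RCODE 3 (NXDOMAIN), no answers
    b"\x09_kerberos\x04_tcp\x07example\x03com\x00\x00\x21\x00\x01"
)
```

Feeding the bytes returned by a real query for `kdc_srv_name(realm)` into `parse_srv_answers` gives the KDC list the KRB5 library would use; an empty list is the condition behind the join failure.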