[Samba] Questions regarding ADS

Gerald (Jerry) Carter jerry at samba.org
Wed Jul 6 13:07:38 GMT 2005



marpon at marpon.com.ar wrote:
| I've spent the last week troubleshooting a configuration issue regarding
| samba not being able to connect to other domains besides the domain of which
| it's a member server (samba 3.0.14a, krb 1.3.6, w2k).
|
| I have some doubts perhaps someone can answer...
|
| Suppose this scenario:
|
| Samba name : SAMBA
| Main domain: DOMAINA (domain controller = DCA)
| Other domains : DOMAINB, DOMAINC (domain controllers DCB and DCC)
|
|
| 1) When samba tries to connect via kerberos to other
| domains, which principal is it supposed to use? I'd think
| it is SAMBA$@DOMAINA. What I see is that it first connects
| via LDAP using this machine account but then tries to connect
| via kerberos with DCB$@DOMAINB or DCC$@DOMAINC. Is this
| correct or am I not understanding the logfiles correctly?

It should be obtaining a service for DCC$@DOMAINC.  That's
probably what you are seeing.

| 2) Is wbinfo --set-auth-user still needed? I'm not using
| it because I read somewhere that with 3.0+ it is not needed
| anymore.

Generally it is not needed.  Certainly not when all the
domains are AD and the Samba host is configured with
'security = ads'.

| 3) My krb5.conf doesn't contain any references to
| servers. All it contains is dns_lookup_realm=true,
| dns_lookup_kdc=true and default_realm=XXXXX. Do I
| need anything specific or can current krb5 obtain everything
| it needs from the DNS?

DNS is fine.  That's how I run.  Make sure that the appropriate
SRV records are in DNS though.

| 4) Do I need to do the ktpass thing at the windows DC?

Nope.  It is all handled by the AD trusts.

Hope this helps.





cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm)      ------- http://www.samba.org
GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back."     Ethan Hawk in Gattaca
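
An added example, not part of the original message and not Samba's own code: a POSIX shell check that each trusted realm publishes the SRV records a DNS-only krb5.conf (dns_lookup_kdc=true) depends on. The realm names are placeholders, and the set of records checked is an assumption based on what AD domain controllers register.

```sh
# Added example; realm names passed in are placeholders, not from a real site.

# SRV owner names checked for one realm (assumed set: the Kerberos and
# LDAP locator records that AD domain controllers register in DNS).
srv_names() {
    for svc in _kerberos._tcp _kerberos._udp _ldap._tcp; do
        printf '%s.%s\n' "$svc" "$1"
    done
}

# Resolver hook: prints "priority weight port target" lines, as dig does.
lookup_srv() {
    dig +short SRV "$1"
}

# Print every SRV name for the given realms that has no usable answer.
missing_srv() {
    for realm in "$@"; do
        for name in $(srv_names "$realm"); do
            # A usable answer has four fields and a numeric port; resolver
            # error text and empty output both fail this test.
            if ! lookup_srv "$name" |
                awk 'NF == 4 && $3 ~ /^[0-9]+$/ { ok = 1 } END { exit !ok }'
            then
                printf '%s\n' "$name"
            fi
        done
    done
}

# Print the distinct KDC host names DNS advertises for one realm.
kdc_hosts() {
    lookup_srv "_kerberos._tcp.$1" |
        awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }' | sort -u
}

# Usage: sh check_srv.sh DOMAINA.EXAMPLE DOMAINB.EXAMPLE DOMAINC.EXAMPLE
if [ "$#" -gt 0 ]; then
    missing_srv "$@"
fi
```

Empty output means every checked record resolved; any name printed is a record to add before relying on DNS-based KDC discovery for that realm.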