[Samba] Questions regarding ADS
Gerald (Jerry) Carter
jerry at samba.org
Wed Jul 6 13:07:38 GMT 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
marpon at marpon.com.ar wrote:
| I 've spent the last week troubleshooting a configuration issue regarding
| samba not being able to connect to other domains beside the domain of
which
| it 's a member server (samba 3.0.14a, krb 1.3.6, w2k).
|
| I have some doubts perhaps someone can answer...
|
| Suppose this scenario:
|
| Samba name : SAMBA
| Main domain: DOMAINA (domain controller = DCA)
| Others domains : DOMAINB, DOMAINC (domain controllers DCB y DCC)
|
|
| 1) When samba tries to connect via kerberos to others
| domains, which principal is supposed to use? I 'd think
| it is SAMBA$@DOMAINA. What I see is that it first connects
| via LDAP using this machine account but then tries to connect
| via kerberos with DCB$@DOMAINB or DCC$@DOMAINC. Is this
| correct or I am not understanding the logfiles correctly?
It should be obtaining a service for DCC$@DOMAINC. That's
probably what you are seeing.
| 2) Is wbinfo --set-auth-user still needed? I 'm not using
| it because I read somewhere that with 3.0+ is not needed
| anymore.
Generally it is not needed. Certainly not when all the
domains are AD and the Samba host is configured with
'security = ads'.
| 3) My krb5.conf doesn 't contain any references to
| servers. All it contains is dns_lookup_realm=true,
| dns_lookup_kdc=true and default_realm=XXXXX. Do I
| need anything specific or current krb5 can obtain everything
| it needs from the DNS?
DNS is fine. That's how I run. Make sure that the appropriate
SRV records are in DNS though.
| 4) Do I need to do the ktpass thing at the windows DC?
Nope. It is all handled by the AD trusts.
Hope this helps.
cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back." Ethan Hawk in Gattaca
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCy9eZIR7qMdg1EfYRAqisAJ9rX1cPqnc6nFsiaOrWlzdpySPThgCg5Sr8
WYhFbq5OfcZc37LNf/Nva+U=
=ESfW
-----END PGP SIGNATURE-----
More information about the samba
mailing list