[Samba] Kerberos requirements for Samba and AD Membership
g.hopper at computer.org
Wed Jun 8 15:21:17 GMT 2005
The short answer:
Use Kerberos 1.3.3 or greater and you should be fine. Use "kinit user@ad.domain" to verify that Kerberos is basically working, then "net join ads -U user@ad.domain" to join the domain. For me, it worked best to create the machine account with the AD administrator tool before I joined the domain (partly because the AD domain admin refused to delegate the authority to create accounts).
I expect that http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member is the page 75 that you mentioned, and that covers the steps reasonably well.
The long answer:
I found this page from Microsoft helpful:
Microsoft basically supports 3 encryption types:
However, note that "support for DES-CBC-CRC ... is primarily for MIT Kerberos interoperability", and "You cannot configure a Windows 2000-based client to request a TGT by using the DES-CBC-CRC encryption type.", which means that in practice DES-CBC-CRC doesn't work. (MIT Kerberos 1.2.x supports only DES3-HMAC-SHA1 and DES-CBC-CRC. Although DES-CBC-CRC is on both lists, it doesn't work.)
What this means is that your Kerberos version should support the RC4-HMAC encryption type, which is Microsoft's default. (MIT Kerberos 1.3.x does. I don't know much about Heimdal, but it should too.) A tool called klist will tell you what tickets you have, and you can also get klist for Windows clients, to see what ticket types your domain is using (also, a tool called Kerbtray, in the Windows 2000 Resource Kit).
You shouldn't have to configure anything special in your krb5.conf,
although I added a realms section to mine, to specify nearby domain
controllers for our global domains.
On Wed, 2005-06-08 at 09:48 -0400, Andy Pierce wrote:
> Hello. I currently have Samba running on AIX and joined to an NT4
> domain. I need to change this membership to new Active Directory
> domain. Yes, it is running in Native Mode. I understand that Kerberos
> is *the* requirement to make this work. Are there any special Kerberos
> versions, configuration options, etc. that are required?
> The Official Samba-3 HOWTO and Reference Guide (Terpstra and Vernooij)
> says on page 75 in the Samba ADS Domain Membership section, "A
> familiarity with Kerberos is assumed." That's fine but, since I am not
> the sysadmin, I need to learn these requirements and communicate them
> to him.
> The only requirement I have is that our AIX system joins the AD as a
> client. I am NOT trying to configure Samba as a DC or anything like
> Thanks a million!
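As an added example (not part of the post above, and not Samba's or MIT's own code), here is a POSIX shell pre-flight script for the two checks the reply describes before running "net ads join": a krb5.conf with an explicit [realms] section naming nearby domain controllers and enctype lists that include rc4-hmac, and a check of "klist -e" output to confirm the TGT was actually issued with RC4-HMAC rather than a DES type. The realm AD.EXAMPLE.COM, the DC names and the klist output are constructed for the example. One caveat that postdates the 2005 post: RC4-HMAC is now a legacy enctype, and current AD domains prefer (or require) the AES types, so on a modern deployment the same check would look for aes256-cts/aes128-cts instead.

```shell
#!/bin/sh
# Added example: pre-flight checks for Samba AD membership (MIT Kerberos client).
# Realm, DC hostnames and sample klist output below are constructed, not real.

# Write a krb5.conf with a [realms] section listing nearby DCs, as the post
# describes, and enctype lists that include rc4-hmac (Microsoft's default).
write_krb5_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = AD.EXAMPLE.COM
    dns_lookup_kdc = true
    default_tgs_enctypes = rc4-hmac des3-hmac-sha1
    default_tkt_enctypes = rc4-hmac des3-hmac-sha1

[realms]
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
        kdc = dc2.ad.example.com
        admin_server = dc1.ad.example.com
    }
EOF
}

# Succeeds if both enctype lists in the given krb5.conf allow rc4-hmac.
# A DES-only list would make AD reject the TGT request, per the reply.
conf_allows_rc4() {
    grep -E '^[[:space:]]*default_(tgs|tkt)_enctypes' "$1" | grep -q 'rc4-hmac'
}

# Reads "klist -e" output on stdin; succeeds if the krbtgt ticket's Etype line
# shows ArcFour (RC4-HMAC), fails if it shows anything else (e.g. DES).
tgt_uses_rc4() {
    awk '
        index($0, "krbtgt/") { in_tgt = 1; next }
        in_tgt && /Etype/ { if ($0 ~ /ArcFour/) found = 1; in_tgt = 0 }
        END { exit found ? 0 : 1 }
    '
}

# Constructed "klist -e" output for a healthy RC4-HMAC TGT.
RC4_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@AD.EXAMPLE.COM

Valid starting     Expires            Service principal
06/08/05 10:01:12  06/08/05 20:01:12  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5'

# Constructed "klist -e" output for a TGT that came back DES-only.
DES_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@AD.EXAMPLE.COM

Valid starting     Expires            Service principal
06/08/05 10:01:12  06/08/05 20:01:12  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32'

# Live procedure (not run here): obtain a TGT, inspect it, then join.
# Samba's command is "net ads join"; the machine account may be pre-created in AD.
join_ad_domain() {
    kinit "$1@AD.EXAMPLE.COM" || return 1
    klist -e | tgt_uses_rc4 || { echo "TGT is not RC4-HMAC; check enctypes" >&2; return 1; }
    net ads join -U "$1"
}

# Offline demonstration on the constructed data.
conf="${TMPDIR:-/tmp}/krb5.conf.example.$$"
write_krb5_conf "$conf"
conf_allows_rc4 "$conf" && echo "krb5.conf allows rc4-hmac"
printf '%s\n' "$RC4_SAMPLE" | tgt_uses_rc4 && echo "sample TGT uses RC4-HMAC"
printf '%s\n' "$DES_SAMPLE" | tgt_uses_rc4 || echo "DES-only TGT detected"
rm -f "$conf"
```

To use it for real, copy the generated file to /etc/krb5.conf (adjusting realm and KDC names), then call join_ad_domain with the AD user that is allowed to join machines; the klist check runs between kinit and the join so an enctype mismatch is caught before Samba tries to talk to the DC.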