[Samba] Kerberos requirements for Samba and AD Membership

Gordon Hopper g.hopper at computer.org
Wed Jun 8 15:21:17 GMT 2005


The short answer:

Use Kerberos 1.3.3 or greater and you should be fine.  Use "kinit
user@ad.domain" to verify that Kerberos is basically working, then "net
join ads -U user@ad.domain" to join the domain.  For me, it worked best
to create the machine account with the AD administrator tool before I
joined the domain (partly because the AD domain admin refused to delegate
the authority to create accounts).

I expect that
http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member
is the page 75 that you mentioned, and that covers the steps reasonably well.

The long answer:

I found this page from Microsoft helpful:
http://support.microsoft.com/default.aspx?scid=kb;en-us;296842 .
Microsoft basically supports 3 encryption types:
  • RC4-HMAC
  • DES-CBC-MD5
  • DES-CBC-CRC

However, note that "support for DES-CBC-CRC ... is primarily for MIT
Kerberos interoperability", and "You cannot configure a Windows 2000-based
client to request a TGT by using the DES-CBC-CRC encryption type.",
which means that in practice DES-CBC-CRC doesn't work.  (MIT Kerberos
1.2.x supports only DES3-HMAC-SHA1 and DES-CBC-CRC.  Although DES-CBC-CRC
is on both lists, it doesn't work.)

What this means is that your Kerberos version should support the RC4-HMAC
encryption type, which is Microsoft's default.  (MIT Kerberos 1.3.x does.
I don't know much about Heimdal, but it should too.)  A tool called klist
will tell you what tickets you have, and you can also get klist for
Windows clients, to see what ticket types your domain is using (there is
also a tool called Kerbtray in the Windows 2000 Resource Kit).

You shouldn't have to configure anything special in your krb5.conf,
although I added a realms section to mine, to specify nearby domain
controllers for our global domains.


Regards,

Gordon
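As an added example illustrating the checks described in the reply above (kinit first, then klist to see which enctype the TGT came back with, then the join), the script below is not code from the original thread or from Samba. It assumes the MIT Kerberos 1.3.x tools (kinit and klist -e) and uses the `net ads join` form from the linked HOWTO; the realm AD.EXAMPLE.COM and the two klist transcripts it parses are constructed for the example.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post or from Samba.
# Pre-flight check before joining AD: run kinit, confirm the TGT came back with
# an enctype a Windows KDC actually issues, then run the join from the HOWTO.
# Assumes MIT Kerberos 1.3.x tools (kinit, klist -e); the realm AD.EXAMPLE.COM
# and the klist transcripts below are constructed for this example.

# Enctype names as MIT klist -e prints them. Windows 2000/2003 issues TGTs with
# RC4-HMAC (its default) or DES-CBC-MD5; anything else means the client and
# the AD KDC never agreed on an enctype the join can use.
AD_OK_ENCTYPES='ArcFour with HMAC/md5|DES cbc mode with RSA-MD5'

# tgt_enctype KLIST_OUTPUT
# Print the ticket enctype (the "tkt" half of "Etype (skey, tkt): X, Y") of the
# krbtgt/ entry in the given klist -e output; print nothing if there is no TGT.
tgt_enctype() {
    printf '%s\n' "$1" | awk '
        /krbtgt\//                       { in_tgt = 1; next }
        in_tgt && /Etype \(skey, tkt\):/ {
            sub(/.*Etype \(skey, tkt\):[ \t]*/, "")
            n = split($0, part, /,[ \t]*/)
            gsub(/[ \t]+$/, "", part[n])   # klist leaves a trailing blank
            print part[n]
            exit
        }
        in_tgt && /^[0-9]/               { in_tgt = 0 }  # next ticket, no Etype seen
    '
}

# tgt_enctype_ok KLIST_OUTPUT: succeed only if the TGT enctype is one AD accepts.
tgt_enctype_ok() {
    etype=$(tgt_enctype "$1")
    [ -n "$etype" ] || return 1
    printf '%s\n' "$etype" | grep -Eq "^($AD_OK_ENCTYPES)\$"
}

# Constructed transcript: klist -e after a successful kinit against AD
# (RC4-HMAC TGT, the case the thread says you want to see).
sample_klist_rc4() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@AD.EXAMPLE.COM

Valid starting     Expires            Service principal
06/08/05 10:00:00  06/08/05 20:00:00  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
	Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5 
EOF
}

# Constructed transcript: what a TGT from an MIT 1.2.x-era KDC looks like
# (Triple DES). AD never issues this, so the check must reject it.
sample_klist_des3() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@AD.EXAMPLE.COM

Valid starting     Expires            Service principal
06/08/05 10:00:00  06/08/05 20:00:00  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
	Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1 
EOF
}

# The procedure from the thread, run by hand against the real domain:
#   preflight_join user@AD.EXAMPLE.COM
preflight_join() {
    princ="$1"
    kinit "$princ" || { echo "kinit failed: check krb5.conf, DNS and clock skew" >&2; return 1; }
    out=$(klist -e)
    if tgt_enctype_ok "$out"; then
        echo "TGT enctype '$(tgt_enctype "$out")' is accepted by AD, joining" >&2
        net ads join -U "$princ"
    else
        echo "TGT enctype '$(tgt_enctype "$out")' is not RC4-HMAC or DES-CBC-MD5;" \
             "upgrade to MIT Kerberos 1.3.3 or later" >&2
        return 1
    fi
}

if [ "${1:-}" = "--join" ] && [ -n "${2:-}" ]; then
    preflight_join "$2"
fi
```

Run it as `./preflight.sh --join user@AD.EXAMPLE.COM` on the box that is joining; the two sample_klist functions exist only so the enctype parser can be exercised without a domain. If the check fails, the fix is the one the reply gives: a Kerberos build that supports RC4-HMAC, not extra krb5.conf settings.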



On Wed, 2005-06-08 at 09:48 -0400, Andy Pierce wrote: 

> Hello. I currently have Samba running on AIX and joined to an NT4
> domain. I need to change this membership to a new Active Directory
> domain. Yes, it is running in Native Mode. I understand that Kerberos
> is *the* requirement to make this work. Are there any special Kerberos
> versions, configuration options, etc. that are required?
> 
> The Official Samba-3 HOWTO and Reference Guide (Terpstra and Vernooij)
> says on page 75 in the Samba ADS Domain Membership section, "A
> familiarity with Kerberos is assumed." That's fine but, since I am not
> the sysadmin, I need to learn these requirements and communicate them
> to him.
> 
> The only requirement I have is that our AIX system joins the AD as a
> client. I am NOT trying to configure Samba as a DC or anything like
> that.
> 
> Thanks a million! 
> 
> Andrew

