[Samba] Add samba to a Win2003 AD

David P.C. Wollmann dwollmann at puttybox.com
Sat Oct 29 13:25:30 GMT 2005

On Wed, 2005-10-19 at 09:48 +0200, Lars wrote:

> Hi
> I'm trying to add a Samba fileserver (v3 @ Debian Sarge) to a Windows 2003
> domain. I've followed a couple of HowTos including the official one, but
> I'm having trouble even with the basic connection.
>         "kinit administrator at dom.net"
> "kinit(v5): Cannot resolve network address for KDC in requested realm while
> getting initial credentials."

The realm is case-sensitive, try:  administrator at DOM.NET

> The Win2003 server is written in my "/etc/hosts", and I can't ping it.
> In general I'm having trouble understanding the different parts, such as
> "kerberos password server" and similar.

It's probably not a good idea to specify the ADS IP in /etc/hosts; you
should rely on DNS for this information.

Make sure that the first DNS IP (nameserver <IP address>) record in
/etc/resolv.conf points to a Microsoft DNS with the requisite SRV records
(probably your Active Directory Server).

You should be able to issue the command "host -t SRV _kerberos._udp.<DNS DOMAIN>"
(replace <DNS DOMAIN> with your LAN's DNS domain) and get back an SRV record
for each KDC. If not, then you're probably talking to the wrong DNS or using
the wrong domain.

You should be able to resolve each hostname listed in the SRV records, and a
reverse lookup (host -i <ip address>) on each host's IP address should return
one, and only one, record for each, with the correct hostname. If you can't
reverse the KDC IP address, Kerberos won't issue tickets; if a reverse lookup
returns multiple records for the KDC IP address Kerberos won't be able to
canonicalize the KDC hostname and will refuse to issue

> ----- smb.conf ----- ( = Win2003 server)
> [global]
> workgroup = debianserver
> realm = dom.net
> wins server =
> security = ADS
> encrypt passwords = yes
> password server = dom.net
> domain master = no
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> ----- krb5.conf -----------
> [libdefaults]
> default_realm = DOM.NET
> [realms]
> DOM.NET = {
>         }
> [domain_realms]
>         .kerberos.server = DOM.NET

domain_realms is a list of domain (or sub-domain) -> REALM maps.
".kerberos.server" doesn't look like a domain.

You'll probably have better success if you leave the details of Kerberos to
the Kerberos libraries, at least that's been the case in my experience. Try
moving /etc/krb5.conf to a different filename to hide it from the system and
see what happens with kinit. As long as you're specifying the complete
principal name (with realm) everything should probably just work.

> Any help is welcome, because googling around has brought me no further..
> /Lars

David P.C. Wollmann
AIM & Yahoo!: converter42 | MSN Messenger: converter42 at hotmail.com
PGP Fingerprint: 53C8 BF29 9AF0 EEE8 85DB  8D1C 14B1 023E 9079 CAD8
Get free PKCS client and server certificates at http://www.cacert.org/
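The DNS checks David walks through above (SRV records for _kerberos._udp, forward resolution of each KDC, exactly one PTR record per KDC address, and the upper-cased realm for kinit), collected into a shell script. This is an added example and not part of the original reply. It assumes BIND's "host" utility and its usual output format; the domain dom.net, the hosts dc1/dc2/fileserver and the sample output strings are constructed for illustration, not captured from a real domain.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies the DNS prerequisites
# described in the reply before attempting kinit or net ads join:
#   1. _kerberos._udp.<domain> has SRV records (we are talking to the right DNS)
#   2. every KDC named in those records resolves to an address
#   3. the reverse lookup of each KDC address returns exactly one PTR record
# Assumes BIND's `host` utility and its usual output format. The parsers are
# separate functions so they can be checked against the constructed sample
# output below without any network access.

# AD realm names are the DNS domain in upper case, and kinit treats the realm
# as case-sensitive (administrator@DOM.NET, not administrator@dom.net).
realm_from_domain() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# Read `host -t SRV` output on stdin and print one KDC hostname per line,
# without the trailing dot, e.g. from
#   "_kerberos._udp.dom.net has SRV record 0 100 88 dc1.dom.net."
kdcs_from_srv_output() {
    awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }'
}

# Read `host <ip>` output on stdin and print how many PTR answers it holds.
# Always exits 0 so it is safe under set -e even when the count is zero.
ptr_count_from_output() {
    awk '/domain name pointer/ { n++ } END { print n + 0 }'
}

# Live check against the resolvers in /etc/resolv.conf. Returns non-zero and
# explains on stderr if any of the three conditions above fails.
check_kdc_dns() {
    domain=$1
    kdcs=$(host -t SRV "_kerberos._udp.$domain" 2>/dev/null | kdcs_from_srv_output)
    if [ -z "$kdcs" ]; then
        echo "no SRV records for _kerberos._udp.$domain: wrong DNS server or wrong domain?" >&2
        return 1
    fi
    rc=0
    for kdc in $kdcs; do
        ip=$(host "$kdc" 2>/dev/null | awk '/has address/ { print $NF; exit }')
        if [ -z "$ip" ]; then
            echo "KDC $kdc does not resolve" >&2
            rc=1
            continue
        fi
        n=$(host "$ip" 2>/dev/null | ptr_count_from_output)
        if [ "$n" -ne 1 ]; then
            echo "KDC $kdc ($ip): $n PTR records, expected exactly one" >&2
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then
        echo "DNS looks sane; try: kinit administrator@$(realm_from_domain "$domain")"
    fi
    return $rc
}

# Constructed sample output (not captured from a real domain), in the format
# `host` prints, used to exercise the parsers offline.
SAMPLE_SRV='_kerberos._udp.dom.net has SRV record 0 100 88 dc1.dom.net.
_kerberos._udp.dom.net has SRV record 0 100 88 dc2.dom.net.'
SAMPLE_PTR_OK='2.0.168.192.in-addr.arpa domain name pointer dc1.dom.net.'
SAMPLE_PTR_DUP='3.0.168.192.in-addr.arpa domain name pointer dc2.dom.net.
3.0.168.192.in-addr.arpa domain name pointer fileserver.dom.net.'

# Run the live check only when a domain is given: sh check_kdc_dns.sh dom.net
if [ -n "${1:-}" ]; then
    check_kdc_dns "$1"
fi
```

Run it as "sh check_kdc_dns.sh dom.net" on the Samba box itself, so it uses the same /etc/resolv.conf that the Kerberos libraries will. A duplicate PTR record, as in SAMPLE_PTR_DUP, is the case the reply warns about: the script reports it instead of letting kinit fail with an opaque error.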
