[Samba] Confused about Active Directory, Winbind, and Kerberos

Michael Schurter michael at susens-schurter.com
Wed Nov 22 19:05:21 GMT 2006

I'm trying to learn how to integrate Linux workstations and servers into
a Windows 2000 Active Directory network.  I've read and followed the
Samba HOWTO, especially the parts about Winbind, and I got my Linux
workstation authenticating using pam_krb5 and pam_winbind.

klist would show I got a TGT after logging in.  Domain users could login
and pam_mkhomedir would properly setup a new home directory for them.
wbinfo -u/-g even worked... at least at first.

I want to use Kerberos authentication with other services (like in
Apache and for e-mail), so I began tinkering to try to get Active
Directory authentication working just using Kerberos instead of relying
on PAM + Winbind.

I tried setting up my /etc/krb5.keytab file, and now I'm afraid my
system is a mess.  I told Samba to use the system keytab, and now
Samba/Winbind related commands fail (net ads commands, wbinfo commands,
even pam_winbind).

Any suggestions would be appreciated.  I just want the tightest
integration between Linux & Active Directory that extends to Linux
services like ssh, apache, postfix/sasl, etc.

I've also been documenting my efforts:
and on my blog:

Thanks in advance,
Michael Schurter

Relevant system info:
Debian Etch, 2.6.17 kernel, Samba 3.0.23c-4, MIT Kerberos 1.4.4-4

### relevant smb.conf lines ###
        workgroup = TREMONT
        realm = TREMONT.LOCAL
        security = ADS
        auth methods = winbind
        obey pam restrictions = Yes
        idmap uid = 10000-20000                # local uid/gid range allocated to domain SIDs
        idmap gid = 10000-20000
        template shell = /bin/bash
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind offline logon = true
        winbind refresh tickets = Yes
        use kerberos keytab = true             # net ads keeps host/ and cifs/ entries in the system keytab

### relevant krb5.conf lines ###
[libdefaults]
        default_realm = TREMONT.LOCAL
        clock_skew = 300
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        dns_lookup_kdc = false
        dns_lookup_realm = false
        default_tgs_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
        default_tkt_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
        permitted_enctypes   = rc4-hmac des-cbc-md5 des-cbc-crc

[realms]
        TREMONT.LOCAL = {
                kdc = thsdc1
                kdc = thsdc2
                admin_server = thsdc1
        }

[domain_realm]
        .tremont.local = TREMONT.LOCAL
        .tremont.com = TREMONT.LOCAL

### sample valid user kerberos ticket (klist) ###
Valid starting     Expires            Service principal
11/22/06 12:55:07  11/22/06 22:55:12  krbtgt/TREMONT.LOCAL@TREMONT.LOCAL

### /etc/krb5.keytab (sudo ktutil; rkt /etc/krb5.keytab; list) ###
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 host/schurter3-linux.tremont.local@TREMONT.LOCAL
   2    0 host/schurter3-linux.tremont@TREMONT.LOCAL
   3    0 host/schurter3-linux.tremont@TREMONT.LOCAL
   4    0 host/schurter3-linux.tremont@TREMONT.LOCAL
   5    0 host/schurter3-linux@TREMONT.LOCAL
   6    0 host/schurter3-linux@TREMONT.LOCAL
   7    0 host/schurter3-linux@TREMONT.LOCAL
   8    0 schurter3-linux$@TREMONT.LOCAL
   9    0 schurter3-linux$@TREMONT.LOCAL
  10    0 schurter3-linux$@TREMONT.LOCAL

### Note Slot 1 was generated by "ktpass" on the Windows 2000 Server
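Added example (an editor's illustration, not code from the original post, from Samba or from MIT Kerberos): the ktutil listing above shows slot and kvno but, without `-e`, not the encryption type of each entry, and it cannot say which slots were written from which machine-account password. The script below parses an MIT keytab (file format 0x0502) directly and reports, per principal, the kvnos and enctypes present, flagging the single-DES types that the krb5.conf above still permits (des-cbc-md5 and des-cbc-crc are deprecated by RFC 6649 and disabled by default in MIT Kerberos since 1.8). It also compares rc4-hmac keys across principals: in AD every SPN on one account shares that account's key, and rc4-hmac derives the key from the password with no salt (RFC 4757), so two different rc4-hmac keys in one host's keytab mean entries written from two different passwords. The sample keytab is constructed in memory to mirror the ten slots in the listing; the principal names and realm come from the post, the key bytes, timestamps and the assumption of a single machine account are mine. Run it as root against /etc/krb5.keytab to check a real file.

```python
"""Audit an MIT Kerberos keytab (format 0x0502) without ktutil.
Added example, not code from the original post, Samba or MIT Kerberos.
Usage: audit_keytab.py [/etc/krb5.keytab]; with no file it audits the
sample keytab constructed below, which mirrors the post's listing."""
import struct
from collections import defaultdict

KT_MAGIC, NT_PRINCIPAL = 0x0502, 1  # keytab v2 (all integers big-endian), KRB5_NT_PRINCIPAL
RC4_HMAC = 23            # no salt (RFC 4757): same password gives the same key
WEAK_ENCTYPES = {1, 3}   # single DES, deprecated by RFC 6649
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts",
                 18: "aes256-cts", 23: "rc4-hmac"}

def _counted(buf, off):
    """Read a counted_octet_string: uint16 length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n

def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key, timestamp) tuples to keytab bytes."""
    out = bytearray(struct.pack(">H", KT_MAGIC))
    for principal, kvno, enctype, key, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:            # realm first, then each name component
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)      # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """Return dicts with principal, kvno, enctype, key and timestamp per entry."""
    (magic,) = struct.unpack_from(">H", data, 0)
    if magic != KT_MAGIC:
        raise ValueError("unsupported keytab version 0x%04x" % magic)
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                         # deleted entry: a hole of -size bytes
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, timestamp, kvno = struct.unpack_from(">IIB", data, off)
        (enctype,) = struct.unpack_from(">H", data, off + 9)
        key, off = _counted(data, off + 11)
        if end - off >= 4:                   # 32-bit kvno present: it wins if nonzero
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key,
                        "timestamp": timestamp})
        off = end
    return entries

def audit_keytab(entries):
    """Per principal: kvnos, enctypes and weak types; across principals: distinct
    rc4-hmac keys.  Assumes one machine account: all of its SPNs share one key,
    and rc4-hmac has no salt, so two distinct rc4 keys mean entries written from
    two different account passwords."""
    per_principal, rc4_keys = defaultdict(list), defaultdict(set)
    for e in entries:
        per_principal[e["principal"]].append(e)
        if e["enctype"] == RC4_HMAC:
            rc4_keys[e["key"].hex()].add(e["principal"])
    report = {}
    for principal, es in sorted(per_principal.items()):
        etypes = sorted({e["enctype"] for e in es})
        report[principal] = {"kvnos": sorted({e["kvno"] for e in es}), "enctypes": etypes,
                             "weak": [ENCTYPE_NAMES[t] for t in etypes if t in WEAK_ENCTYPES]}
    return {"principals": report, "kvnos": sorted({e["kvno"] for e in entries}),
            "rc4_keys": {k: sorted(v) for k, v in rc4_keys.items()},
            "rc4_key_conflict": len(rc4_keys) > 1}

# Constructed sample mirroring the ten slots in the post; key bytes and times are made up.
REALM, T = "TREMONT.LOCAL", 1164200000
SAMPLE_ENTRIES = [("host/schurter3-linux.tremont.local@" + REALM, 1, 23, b"\x22" * 16, T)]
for _p in ("host/schurter3-linux.tremont", "host/schurter3-linux", "schurter3-linux$"):
    SAMPLE_ENTRIES += [(_p + "@" + REALM, 0, 23, b"\x11" * 16, T),
                       (_p + "@" + REALM, 0, 3, b"\x33" * 8, T), (_p + "@" + REALM, 0, 1, b"\x44" * 8, T)]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    result = audit_keytab(parse_keytab(data))
    for principal, info in result["principals"].items():
        print(principal, "kvno", info["kvnos"], info["enctypes"], "WEAK" if info["weak"] else "")
    if result["rc4_key_conflict"]:
        print("rc4-hmac keys differ across principals:", result["rc4_keys"])
```

On the constructed sample the audit reports kvno 1 on the ktpass-written slot against kvno 0 on the Samba-written ones, two distinct rc4-hmac keys (so two passwords), and single-DES keys on every Samba-written principal. On a real host, read the keytab as root and compare the result with `kinit -k -t /etc/krb5.keytab <principal>` for each principal to see which entries the KDC still accepts.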
