[Samba] kerberos/Samba integration questions
jallingham at leapstone.com
Mon Feb 5 23:16:34 GMT 2007
I'm trying to integrate Samba with my kerberos configuration on Solaris 10
(with Samba 3.0.23d) and I have one basic issue - probably I don't
understand something. Hopefully one of you experts can help.
We have an AD based organization but we do a lot of Unix work on Solaris 10
and AIX 5.3 - I have about 75 *nix servers of various flavors. There's a lot
of value in SSO solutions/credential consolidation to us, but we're a small
I have a functional Solaris configuration talking LDAP to AD, using kerberos
for password authentication, successfully pulling UID/GID from SFU on Server
2003 R2. LDAP mapping using the built in LDAP client in Solaris 10 works
smoothly; getent returns everything it should. kerberos versions of telnet
etc all work fine and forward credentials. This config uses the pam_krb5
module, not winbind and uses ldap in the nssswitch.conf
Alternatively, I can not run the kinit -k for the host, leave out the
krb5.keytab (and of course fix all the SPN information in AD from the above
configuration) and configure Samba in AD mode and it properly joins the
domain. User names get mapped properly. File access through samba works.
What I can't seem to figure out how to do is have a functional kerberos
configuration with a keytab entry at the same time I have samba working -
Samba wants to join the domain using a machine account and assigns the
principal host/hostname.myorg.com and I don't see any way of getting that
same information exported into the krb5.keytab so I can run kinit -k to get
the proper host credentials. And I need the same host/hostname.myorg.com
principal to be set on the account that is mapped to the system.
AD isn't terribly happy about using a machine account anyway to configure
kerberos, at least not on Solaris - it works much better to use a user
account and then set the principal with the ktpass utility on the windows
It seems that conceptually what I need is to be able to set the samba
created information as the keytab entry, but I haven't the faintest idea how
to do that.
I tried setting the verify_ap_req_nofail = false value in the krb5.conf file
to keep it from requiring a host entry, but that didn't seem to make any
I suppose what I'd really like to do is be able to manually export the
keytab from AD using ktpass and use the SAME information for both the OS
controlled kerberos based services as well as for Samba. Or alternatively be
able to point my krb5.conf file to a samba controlled keytab entry for
Any ideas are appreciated.
More information about the samba