[Samba] SAMBA Kerberos misunderstanding
markus
klimklim at gmx.de
Wed Feb 21 10:00:39 GMT 2007
Hi Bradley,
I've not followed the whole thread, so there might be some information I
missed. But if you are running an AD with a Samba member server and trying
to use mod_auth_kerb, you only have to create a Kerberos service key on
the Windows side, secure copy it onto your webserver, add the key to a
possibly already existing keytab with "ktutil", and test the key with

    kinit -k HTTP/bla.bla@BLA.BLA

or

    kinit -k -t /path/to/keytab HTTP/bla.bla@BLA.BLA

This should give you a ticket without prompting for a password. Then
install the mod_auth_kerb module and add some auth lines to your Apache
configuration or a .htaccess. This should also be described on the
mod_auth_kerb website.
Hope that helps
Bradley Schatz wrote:
> Hi Mark,
>
> For some background, I am actually trying to set up an HTTP Kerberos service
> so that I can use mod_auth_kerb in apache2.
>
> Would net ads join createupn=http/foundry.example.local do the trick?
>
> I am on 3.0.22, which does not support this syntax. Any work-arounds?
>
> thanks,
>
> Bradley
>
>
>
> On 2/21/07, Mark Proehl <M.Proehl at science-computing.de> wrote:
>>
>> Hi,
>>
>> try
>>
>> net ads join createupn=host/foundry.example.local
>>
>> - Mark
>>
>> On Tue, Feb 20, 2007 at 05:57:47PM +1000, Bradley Schatz wrote:
>> > I suspect I might be grossly misunderstanding Kerberos and AD here, but I
>> > can't seem to grok the following.
>> >
>> > net ads join integrates my Linux Samba server (named foundry) into an AD
>> > domain and all works fine. The Samba server is using the Kerberos keytab.
>> >
>> > root@foundry:~ # kinit -k -t /etc/krb5.keytab foundry$
>> > root@foundry:~ # kinit -k -t /etc/krb5.keytab host/foundry.example.local
>> > kinit(v5): Client not found in Kerberos database while getting initial
>> > credentials
>> >
>> > Why can't kinit find the service host/foundry.example.local in the AD
>> > Kerberos database? It seems to be in the local Linux server keylist:
>> >
>> > root@foundry:~ # klist -k
>> > Keytab name: FILE:/etc/krb5.keytab
>> > KVNO Principal
>> > ---- --------------------------------------------------------------------------
>> >    2 host/foundry.example.local@EXAMPLE.LOCAL
>> >    2 host/foundry.example.local@EXAMPLE.LOCAL
>> > .... cut ...
>> >
>> > What am I missing here?
>> >
>> > Thanks,
>> >
>> > Bradley
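
A pre-flight check for the keytab test described in the message above, added here as an example and not part of the original thread: it looks for the exact service principal in `klist -k` output, verifies that the keytab is closed to group and other, and then runs the `kinit -k -t` test. The function names and the sample `klist` output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and sample data are constructed.

# Constructed `klist -k` output in the layout quoted in the thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/foundry.example.local@EXAMPLE.LOCAL
   2 host/foundry.example.local@EXAMPLE.LOCAL
   3 http/foundry.example.local@EXAMPLE.LOCAL'

# keytab_status PRINCIPAL: reads `klist -k` output on stdin and prints one of
#   ok kvno=<list>         an exact entry exists (distinct KVNOs listed)
#   case-mismatch <name>   only an entry differing in letter case exists
#   missing                no entry for this principal
# Keytab lookups are case-sensitive, so http/ and HTTP/ are different entries.
keytab_status() {
    awk -v want="$1" '
        $1 !~ /^[0-9]+$/ { next }    # skip the header and ruler lines
        $2 == want { if (!seen[$1]++) kv = kv (kv == "" ? "" : ",") $1; next }
        tolower($2) == tolower(want) && near == "" { near = $2 }
        END {
            if (kv != "")        print "ok kvno=" kv
            else if (near != "") print "case-mismatch " near
            else                 print "missing"
        }'
}

# keytab_private FILE: succeeds only if FILE grants nothing to group or other.
# The keytab holds the service's long-term key and needs no wider access.
keytab_private() {
    case "$(ls -ld -- "$1" 2>/dev/null)" in
        -???------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# check_live KEYTAB PRINCIPAL: both checks on a real keytab, then the
# `kinit -k -t` test from the message, using a throwaway credential cache.
check_live() {
    keytab_private "$1" || echo "warning: $1 is open to group/other" >&2
    klist -k "$1" | keytab_status "$2"
    cc=$(mktemp) || return 1
    rc=0; KRB5CCNAME="FILE:$cc" kinit -k -t "$1" "$2" || rc=$?
    rm -f "$cc"; return "$rc"
}

# Demo on the constructed sample; prints a case-mismatch line.
printf '%s\n' "$SAMPLE_KLIST" | keytab_status "HTTP/foundry.example.local@EXAMPLE.LOCAL"
```

On the web server, `check_live /path/to/keytab HTTP/bla.bla@BLA.BLA` runs the same checks against the real keytab and returns the exit status of `kinit`.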