[Samba] kerberos configuration in samba
Rajesh Ghanekar
rajesh_ghanekar at symantec.com
Tue Dec 15 12:07:22 MST 2009
Hi Ralf,
Ralf Hornik Mailings wrote:
> Rajesh Ghanekar <rajesh_ghanekar at symantec.com> wrote:
>
>> Hi Ralf,
>> Thanks for the help. But I was asking if all 4 points mentioned in my mail
>> are correct or not, like what if SRV records are not present, etc, then what
>> should go in krb5.conf and smb.conf?
>
> I'm not clear, what you are asking for. All points 1 - 3 are true.
>
> Point 1 and 3. Have you got a working DNS? So getting kerberos
> credentials works without any krb5.conf (tested 1 minute before). (You
> only have to attach the kerberos realm when kinit e.g. "kinit
> user at REALM.ORG").
Thanks for the information.
I have some more questions:
- I guess I don't need to do kinit manually if I am using the "net ads join"
  command, right?
- Does samba use SRV records for anything else other than finding out domain
  controller names? If not, I can do away without them by writing manual
  entries in /etc/krb5.conf. I will be using DNS, but no SRV records.
- I found that even when no SRV records are present and wrong (invalid hosts)
  IP addresses are configured for domain controllers (in smb.conf and
  /etc/krb5.conf), I am still able to join the domain. I am not sure if there
  is any component which actually does broadcasting and finds out if any
  domain controller is present using this fallback method?
Thanks,
Rajesh
>
> If not you have to set krb5.conf like:
>
> [libdefaults]
>     default_realm = REALM.ORG
> [realms]
>     REALM.ORG = {
>         kdc = master.realm.org:88
>         kdc = slave.realm.org:88
>         admin_server = master.realm.org:749
>         default_domain = realm.org
>     }
> [domain_realm]
>     .realm.org = REALM.ORG
>     realm.org = REALM.ORG
>
> Point 2. This is explained by itself and correct.
>
>
>
>
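
Added example, not part of the original message or of Samba: a check that a krb5.conf like the one quoted above carries everything needed to reach the KDCs without SRV records. The function names parse_krb5 and check_static_kdcs are hypothetical, and the parser assumes only the subset of krb5.conf syntax used in the thread.

```python
import re

# krb5.conf as quoted in the thread, embedded so the check runs offline.
SAMPLE = """\
[libdefaults]
default_realm = REALM.ORG
[realms]
REALM.ORG = {
kdc = master.realm.org:88
kdc = slave.realm.org:88
admin_server = master.realm.org:749
default_domain = realm.org
}
[domain_realm]
.realm.org = REALM.ORG
realm.org = REALM.ORG
"""

def parse_krb5(text):
    """Parse sections, flat relations and one level of { } subsections."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, sub = conf.setdefault(m.group(1), {}), None
        elif line == "}":
            sub = None
        elif "=" in line and section is not None:
            key, val = (p.strip() for p in line.split("=", 1))
            if val == "{":
                sub = section.setdefault(key, {})
            else:
                # Relations may repeat (two kdc lines), so values are lists.
                (sub if sub is not None else section).setdefault(key, []).append(val)
    return conf

def check_static_kdcs(conf):
    """Return problems that leave KDC discovery to DNS or break realm mapping."""
    problems, realms = [], conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    if default not in realms:
        problems.append(f"default_realm {default} has no [realms] entry")
    problems += [f"realm {n} lists no kdc" for n, b in realms.items() if not b.get("kdc")]
    problems += [f"{d} maps to undefined realm {t[0]}"
                 for d, t in conf.get("domain_realm", {}).items() if t[0] not in realms]
    return problems
```

An empty list from check_static_kdcs(parse_krb5(SAMPLE)) means every realm referenced in the file has at least one static kdc entry.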